expanded test cases to include additional dependencies

Fix coverity findings

.gitattributes

@@ -0,0 +1,2 @@
+*.html linguist-documentation
+(^|/)site/) linguist-documentation

.github/contributing.md

@@ -0,0 +1,34 @@
+# Contributing to OWASP dependency-check
+
+## Reporting Bugs
+
+- Ensure you're running the latest version of dependency-check.
+- Ensure the bug has not [already been reported](https://github.com/jeremylong/DependencyCheck/issues).
+- If you're unable to find an open issue addressing the problem, please [submit a new issue](https://github.com/jeremylong/DependencyCheck/issues/new).
+  - Please fill out the appropriate section of the bug report template provided. Please delete any sections not needed in the template.
+  
+## Reporting Vulnerabilities
+
+- If you believe you have found a vulnerability in dependency-check itself (not that dependency-check found a vulnerability); please email jeremy.long@owasp.org.
+
+## Asking Questions
+
+- Your question may be answered by taking a look at the [documentataion](https://jeremylong.github.io/DependencyCheck/).
+- If you still have a question consider:
+  - posting to the [Google Group](https://groups.google.com/forum/#!forum/dependency-check)
+  - opening a [new issue](https://github.com/jeremylong/DependencyCheck/issues/new)
+
+## Enhancement Requests
+
+- Suggest changes by [submitting a new issue](https://github.com/jeremylong/DependencyCheck/issues/new) and begin coding.
+
+## Contributing Code
+
+- If you have written a new feature or have fixed a bug please open a new pull request with the patch.
+- Ensure the PR description clearly describes the problem and solution. Include any related issue number(s) if applicable.
+- Please ensure the PR passes the automated checks performed (travis-ci, codacy, etc.)
+- Please consider adding test cases for any new functionality
+
+## Thank you for your contributions
+
+OWASP dependency-check team

.github/issue_template.md

@@ -0,0 +1,20 @@
+Please delete any un-needed section from the following issue template:
+
+### Reporting Bugs/Errors
+When reporting errors, 99% of the time log file output is required. Please post the log file as a [gist](https://gist.github.com/) and provide a link in the new issue.
+
+### Reporting False Positives
+When reporting a false positive please include:
+- The location of the dependency (Maven GAV, URL to download the dependency, etc.)
+- The CPE that is believed to be false positive
+  - Please report the CPE not the CVE
+
+#### Example
+False positive on library foo.jar - reported as cpe:/a:apache:tomcat:7.0
+```xml
+<dependency>
+   <groupId>org.sample</groupId>
+   <artifactId>foo</artifactId>
+   <version>1.0</version>
+</dependency>
+```

.github/pull_request_template.md

@@ -0,0 +1,9 @@
+## Fixes Issue #
+
+## Description of Change
+
+*Please add a description of the proposed change*
+
+## Have test cases been added to cover the new functionality?
+
+*yes/no*

.gitignore

@@ -27,3 +27,4 @@ _site/**
 #coverity
 /cov-int/
 /dependency-check-core/nbproject/
+cov-scan.bat

.travis.yml

@@ -1,2 +1,3 @@
 language: java
 jdk: oraclejdk7
+script: mvn install -DreleaseTesting

Dockerfile

@@ -0,0 +1,14 @@
+FROM java:8
+
+MAINTAINER Timo Pagel <dependencycheckmaintainer@timo-pagel.de>
+
+RUN wget -O /tmp/current.txt http://jeremylong.github.io/DependencyCheck/current.txt && current=$(cat /tmp/current.txt) && wget https://dl.bintray.com/jeremy-long/owasp/dependency-check-$current-release.zip && unzip dependency-check-$current-release.zip && mv dependency-check /usr/share/
+
+RUN useradd -ms /bin/bash dockeruser && chown -R dockeruser:dockeruser /usr/share/dependency-check && mkdir /report && chown -R dockeruser:dockeruser /report
+USER dockeruser
+
+VOLUME "/src /usr/share/dependency-check/data /report"
+
+WORKDIR /report
+
+ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh", "--scan", "/src"]

README.md

@@ -1,4 +1,7 @@
-[![Build Status](https://travis-ci.org/jeremylong/DependencyCheck.svg?branch=master)](https://travis-ci.org/jeremylong/DependencyCheck) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt)
+[![Build Status](https://travis-ci.org/jeremylong/DependencyCheck.svg?branch=master)](https://travis-ci.org/jeremylong/DependencyCheck) [![Coverity Scan Build Status](https://scan.coverity.com/projects/1654/badge.svg)](https://scan.coverity.com/projects/dependencycheck) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/6b6021d481dc41a888c5da0d9ecf9494)](https://www.codacy.com/app/jeremylong/DependencyCheck?utm_source=github.com&utm_medium=referral&utm_content=jeremylong/DependencyCheck&utm_campaign=Badge_Grade) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt)
+
+[![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2015.svg)](https://www.toolswatch.org/2015/06/black-hat-arsenal-usa-2015-speakers-lineup/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2014.svg)](https://www.toolswatch.org/2014/06/black-hat-usa-2014-arsenal-tools-speaker-list/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2013.svg)](https://www.toolswatch.org/2013/06/announcement-blackhat-arsenal-usa-2013-selected-tools/)
+
 Dependency-Check
 ================
 
@@ -96,6 +99,37 @@ On Windows
 
 Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
 
+### Docker
+
+In the following example it is assumed that the source to be checked is in the actual directory. A persistent data directory and a persistent report directory is used so that the container can be destroyed after running it to make sure that you use the newest version, always.
+```
+# After the first run, feel free to change the owner of the directories to the owner of the created files and the permissions to 744
+DATA_DIRECTORY=$HOME/OWASP-Dependency-Check/data
+REPORT_DIRECTORY=/$HOME/OWASP-Dependency-Check/reports
+
+if [ ! -d $DATA_DIRECTORY ]; then
+	echo "Initially creating persistent directories"
+        mkdir -p $DATA_DIRECTORY
+        chmod -R 777 $DATA_DIRECTORY
+    
+        mkdir -p $REPORT_DIRECTORY
+        chmod -R 777 $REPORT_DIRECTORY
+fi
+
+docker pull owasp/dependency-check # Make sure it is the actual version
+
+docker run --rm \
+        --volume $(pwd):/src \
+        --volume $DATA_DIRECTORY:/usr/share/dependency-check/data \
+        --volume $REPORT_DIRECTORY:/report \
+        --name dependency-check \
+        dc \
+        --suppression "/src/security/dependency-check-suppression.xml"\
+        --format "ALL" \
+        --project "My OWASP Dependency Check Project" \
+```
+
+
 Mailing List
 ------------
 
@@ -112,7 +146,7 @@ Dependency-Check is Copyright (c) 2012-2016 Jeremy Long. All Rights Reserved.
 
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 
-Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
+Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt][notices] file for more information.
 
 
   [wiki]: https://github.com/jeremylong/DependencyCheck/wiki

dependency-check-ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.4.0</version>
+        <version>1.4.6-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -288,7 +288,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                 <version>${reporting.pmd-plugin.version}</version>
                 <configuration>
                     <targetJdk>1.6</targetJdk>
-                    <linkXref>true</linkXref>
+                    <linkXRef>true</linkXRef>
                     <sourceEncoding>utf-8</sourceEncoding>
                     <excludes>
                         <exclude>**/generated/*.java</exclude>

dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java

@@ -24,16 +24,21 @@ import org.slf4j.helpers.MarkerIgnoringBase;
 import org.slf4j.helpers.MessageFormatter;
 
 /**
- * An instance of {@link org.slf4j.Logger} which simply calls the log method on the delegate Ant task.
+ * An instance of {@link org.slf4j.Logger} which simply calls the log method on
+ * the delegate Ant task.
  *
  * @author colezlaw
  */
 public class AntLoggerAdapter extends MarkerIgnoringBase {
 
+    /**
+     * serialization UID.
+     */
+    private static final long serialVersionUID = -1337;
     /**
      * A reference to the Ant task used for logging.
      */
-    private Task task;
+    private transient Task task;
 
     /**
      * Constructs an Ant Logger Adapter.

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java

@@ -18,7 +18,6 @@
 package org.owasp.dependencycheck.taskdefs;
 
 import java.io.File;
-import java.io.IOException;
 import java.util.List;
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Project;
@@ -32,9 +31,12 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.exception.ReportException;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
 import org.owasp.dependencycheck.utils.Settings;
@@ -51,16 +53,157 @@ public class Check extends Update {
      * System specific new line character.
      */
     private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
+    /**
+     * Whether the ruby gemspec analyzer should be enabled.
+     */
+    private Boolean rubygemsAnalyzerEnabled;
+    /**
+     * Whether or not the Node.js Analyzer is enabled.
+     */
+    private Boolean nodeAnalyzerEnabled;
+    /**
+     * Whether or not the Ruby Bundle Audit Analyzer is enabled.
+     */
+    private Boolean bundleAuditAnalyzerEnabled;
+    /**
+     * Whether the CMake analyzer should be enabled.
+     */
+    private Boolean cmakeAnalyzerEnabled;
+    /**
+     * Whether or not the Open SSL analyzer is enabled.
+     */
+    private Boolean opensslAnalyzerEnabled;
+    /**
+     * Whether the python package analyzer should be enabled.
+     */
+    private Boolean pyPackageAnalyzerEnabled;
+    /**
+     * Whether the python distribution analyzer should be enabled.
+     */
+    private Boolean pyDistributionAnalyzerEnabled;
+    /**
+     * Whether or not the central analyzer is enabled.
+     */
+    private Boolean centralAnalyzerEnabled;
+    /**
+     * Whether or not the nexus analyzer is enabled.
+     */
+    private Boolean nexusAnalyzerEnabled;
+    /**
+     * The URL of a Nexus server's REST API end point
+     * (http://domain/nexus/service/local).
+     */
+    private String nexusUrl;
+    /**
+     * Whether or not the defined proxy should be used when connecting to Nexus.
+     */
+    private Boolean nexusUsesProxy;
+    /**
+     * Additional ZIP File extensions to add analyze. This should be a
+     * comma-separated list of file extensions to treat like ZIP files.
+     */
+    private String zipExtensions;
+    /**
+     * The path to Mono for .NET assembly analysis on non-windows systems.
+     */
+    private String pathToMono;
 
     /**
-     * Construct a new DependencyCheckTask.
+     * The application name for the report.
+     *
+     * @deprecated use projectName instead.
      */
-    public Check() {
-        super();
-        // Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
-        // core end up coming through this tasks logger
-        StaticLoggerBinder.getSingleton().setTask(this);
-    }
+    @Deprecated
+    private String applicationName = null;
+    /**
+     * The name of the project being analyzed.
+     */
+    private String projectName = "dependency-check";
+    /**
+     * Specifies the destination directory for the generated Dependency-Check
+     * report.
+     */
+    private String reportOutputDirectory = ".";
+    /**
+     * Specifies if the build should be failed if a CVSS score above a specified
+     * level is identified. The default is 11 which means since the CVSS scores
+     * are 0-10, by default the build will never fail and the CVSS score is set
+     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
+     * anything above 10 will not cause the build to fail.
+     */
+    private float failBuildOnCVSS = 11;
+    /**
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
+     * recommended that this be turned to false. Default is true.
+     */
+    private Boolean autoUpdate;
+    /**
+     * Whether only the update phase should be executed.
+     *
+     * @deprecated Use the update task instead
+     */
+    @Deprecated
+    private boolean updateOnly = false;
+
+    /**
+     * The report format to be generated (HTML, XML, VULN, ALL). Default is
+     * HTML.
+     */
+    private String reportFormat = "HTML";
+    /**
+     * The path to the suppression file.
+     */
+    private String suppressionFile;
+    /**
+     * The path to the suppression file.
+     */
+    private String hintsFile;
+    /**
+     * flag indicating whether or not to show a summary of findings.
+     */
+    private boolean showSummary = true;
+    /**
+     * Whether experimental analyzers are enabled.
+     */
+    private Boolean enableExperimental;
+    /**
+     * Whether or not the Jar Analyzer is enabled.
+     */
+    private Boolean jarAnalyzerEnabled;
+    /**
+     * Whether or not the Archive Analyzer is enabled.
+     */
+    private Boolean archiveAnalyzerEnabled;
+    /**
+     * Whether or not the .NET Nuspec Analyzer is enabled.
+     */
+    private Boolean nuspecAnalyzerEnabled;
+    /**
+     * Whether or not the PHP Composer Analyzer is enabled.
+     */
+    private Boolean composerAnalyzerEnabled;
+
+    /**
+     * Whether or not the .NET Assembly Analyzer is enabled.
+     */
+    private Boolean assemblyAnalyzerEnabled;
+    /**
+     * Whether the autoconf analyzer should be enabled.
+     */
+    private Boolean autoconfAnalyzerEnabled;
+    /**
+     * Sets the path for the bundle-audit binary.
+     */
+    private String bundleAuditPath;
+    /**
+     * Whether or not the CocoaPods Analyzer is enabled.
+     */
+    private Boolean cocoapodsAnalyzerEnabled;
+
+    /**
+     * Whether or not the Swift package Analyzer is enabled.
+     */
+    private Boolean swiftPackageManagerAnalyzerEnabled;
     //The following code was copied Apache Ant PathConvert
     //BEGIN COPY from org.apache.tools.ant.taskdefs.PathConvert
     /**
@@ -68,9 +211,9 @@ public class Check extends Update {
      */
     private Resources path = null;
     /**
-     * Reference to path/fileset to convert
+     * Reference to path/file set to convert
      */
-    private Reference refid = null;
+    private Reference refId = null;
 
     /**
      * Add an arbitrary ResourceCollection.
@@ -80,7 +223,7 @@ public class Check extends Update {
      */
     public void add(ResourceCollection rc) {
         if (isReference()) {
-            throw new BuildException("Nested elements are not allowed when using the refid attribute.");
+            throw new BuildException("Nested elements are not allowed when using the refId attribute.");
         }
         getPath().add(rc);
     }
@@ -100,12 +243,12 @@ public class Check extends Update {
     }
 
     /**
-     * Learn whether the refid attribute of this element been set.
+     * Learn whether the refId attribute of this element been set.
      *
-     * @return true if refid is valid.
+     * @return true if refId is valid.
      */
     public boolean isReference() {
-        return refid != null;
+        return refId != null;
     }
 
     /**
@@ -114,11 +257,11 @@ public class Check extends Update {
      *
      * @param r the reference to a path, fileset, dirset or filelist.
      */
-    public void setRefid(Reference r) {
+    public synchronized void setRefId(Reference r) {
         if (path != null) {
-            throw new BuildException("Nested elements are not allowed when using the refid attribute.");
+            throw new BuildException("Nested elements are not allowed when using the refId attribute.");
         }
-        refid = r;
+        refId = r;
     }
 
     /**
@@ -129,22 +272,25 @@ public class Check extends Update {
      */
     private void dealWithReferences() throws BuildException {
         if (isReference()) {
-            final Object o = refid.getReferencedObject(getProject());
+            final Object o = refId.getReferencedObject(getProject());
             if (!(o instanceof ResourceCollection)) {
-                throw new BuildException("refid '" + refid.getRefId()
+                throw new BuildException("refId '" + refId.getRefId()
                         + "' does not refer to a resource collection.");
             }
             getPath().add((ResourceCollection) o);
         }
     }
     // END COPY from org.apache.tools.ant.taskdefs
+
     /**
-     * The application name for the report.
-     *
-     * @deprecated use projectName instead.
+     * Construct a new DependencyCheckTask.
      */
-    @Deprecated
-    private String applicationName = null;
+    public Check() {
+        super();
+        // Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
+        // core end up coming through this tasks logger
+        StaticLoggerBinder.getSingleton().setTask(this);
+    }
 
     /**
      * Get the value of applicationName.
@@ -168,10 +314,6 @@ public class Check extends Update {
     public void setApplicationName(String applicationName) {
         this.applicationName = applicationName;
     }
-    /**
-     * The name of the project being analyzed.
-     */
-    private String projectName = "dependency-check";
 
     /**
      * Get the value of projectName.
@@ -197,12 +339,6 @@ public class Check extends Update {
         this.projectName = projectName;
     }
 
-    /**
-     * Specifies the destination directory for the generated Dependency-Check
-     * report.
-     */
-    private String reportOutputDirectory = ".";
-
     /**
      * Get the value of reportOutputDirectory.
      *
@@ -220,14 +356,6 @@ public class Check extends Update {
     public void setReportOutputDirectory(String reportOutputDirectory) {
         this.reportOutputDirectory = reportOutputDirectory;
     }
-    /**
-     * Specifies if the build should be failed if a CVSS score above a specified
-     * level is identified. The default is 11 which means since the CVSS scores
-     * are 0-10, by default the build will never fail and the CVSS score is set
-     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
-     * anything above 10 will not cause the build to fail.
-     */
-    private float failBuildOnCVSS = 11;
 
     /**
      * Get the value of failBuildOnCVSS.
@@ -246,11 +374,6 @@ public class Check extends Update {
     public void setFailBuildOnCVSS(float failBuildOnCVSS) {
         this.failBuildOnCVSS = failBuildOnCVSS;
     }
-    /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
-     * recommended that this be turned to false. Default is true.
-     */
-    private Boolean autoUpdate;
 
     /**
      * Get the value of autoUpdate.
@@ -269,13 +392,6 @@ public class Check extends Update {
     public void setAutoUpdate(Boolean autoUpdate) {
         this.autoUpdate = autoUpdate;
     }
-    /**
-     * Whether only the update phase should be executed.
-     *
-     * @deprecated Use the update task instead
-     */
-    @Deprecated
-    private boolean updateOnly = false;
 
     /**
      * Get the value of updateOnly.
@@ -299,12 +415,6 @@ public class Check extends Update {
         this.updateOnly = updateOnly;
     }
 
-    /**
-     * The report format to be generated (HTML, XML, VULN, ALL). Default is
-     * HTML.
-     */
-    private String reportFormat = "HTML";
-
     /**
      * Get the value of reportFormat.
      *
@@ -322,10 +432,6 @@ public class Check extends Update {
     public void setReportFormat(ReportFormats reportFormat) {
         this.reportFormat = reportFormat.getValue();
     }
-    /**
-     * The path to the suppression file.
-     */
-    private String suppressionFile;
 
     /**
      * Get the value of suppressionFile.
@@ -344,10 +450,24 @@ public class Check extends Update {
     public void setSuppressionFile(String suppressionFile) {
         this.suppressionFile = suppressionFile;
     }
+
     /**
-     * flag indicating whether or not to show a summary of findings.
+     * Get the value of hintsFile.
+     *
+     * @return the value of hintsFile
      */
-    private boolean showSummary = true;
+    public String getHintsFile() {
+        return hintsFile;
+    }
+
+    /**
+     * Set the value of hintsFile.
+     *
+     * @param hintsFile new value of hintsFile
+     */
+    public void setHintsFile(String hintsFile) {
+        this.hintsFile = hintsFile;
+    }
 
     /**
      * Get the value of showSummary.
@@ -367,11 +487,6 @@ public class Check extends Update {
         this.showSummary = showSummary;
     }
 
-    /**
-     * Whether experimental analyzers are enabled.
-     */
-    private Boolean enableExperimental;
-
     /**
      * Get the value of enableExperimental.
      *
@@ -390,11 +505,6 @@ public class Check extends Update {
         this.enableExperimental = enableExperimental;
     }
 
-    /**
-     * Whether or not the Jar Analyzer is enabled.
-     */
-    private Boolean jarAnalyzerEnabled;
-
     /**
      * Returns whether or not the analyzer is enabled.
      *
@@ -412,10 +522,6 @@ public class Check extends Update {
     public void setJarAnalyzerEnabled(Boolean jarAnalyzerEnabled) {
         this.jarAnalyzerEnabled = jarAnalyzerEnabled;
     }
-    /**
-     * Whether or not the Archive Analyzer is enabled.
-     */
-    private Boolean archiveAnalyzerEnabled;
 
     /**
      * Returns whether or not the analyzer is enabled.
@@ -425,10 +531,6 @@ public class Check extends Update {
     public Boolean isArchiveAnalyzerEnabled() {
         return archiveAnalyzerEnabled;
     }
-    /**
-     * Whether or not the .NET Assembly Analyzer is enabled.
-     */
-    private Boolean assemblyAnalyzerEnabled;
 
     /**
      * Sets whether or not the analyzer is enabled.
@@ -456,10 +558,6 @@ public class Check extends Update {
     public void setAssemblyAnalyzerEnabled(Boolean assemblyAnalyzerEnabled) {
         this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
     }
-    /**
-     * Whether or not the .NET Nuspec Analyzer is enabled.
-     */
-    private Boolean nuspecAnalyzerEnabled;
 
     /**
      * Returns whether or not the analyzer is enabled.
@@ -478,10 +576,6 @@ public class Check extends Update {
     public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
         this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
     }
-    /**
-     * Whether or not the PHP Composer Analyzer is enabled.
-     */
-    private Boolean composerAnalyzerEnabled;
 
     /**
      * Get the value of composerAnalyzerEnabled.
@@ -500,10 +594,6 @@ public class Check extends Update {
     public void setComposerAnalyzerEnabled(Boolean composerAnalyzerEnabled) {
         this.composerAnalyzerEnabled = composerAnalyzerEnabled;
     }
-    /**
-     * Whether the autoconf analyzer should be enabled.
-     */
-    private Boolean autoconfAnalyzerEnabled;
 
     /**
      * Get the value of autoconfAnalyzerEnabled.
@@ -522,10 +612,6 @@ public class Check extends Update {
     public void setAutoconfAnalyzerEnabled(Boolean autoconfAnalyzerEnabled) {
         this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
     }
-    /**
-     * Whether the CMake analyzer should be enabled.
-     */
-    private Boolean cmakeAnalyzerEnabled;
 
     /**
      * Get the value of cmakeAnalyzerEnabled.
@@ -544,10 +630,80 @@ public class Check extends Update {
     public void setCMakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
         this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
     }
+
     /**
-     * Whether or not the openssl analyzer is enabled.
+     * Returns if the Bundle Audit Analyzer is enabled.
+     *
+     * @return if the Bundle Audit Analyzer is enabled.
      */
-    private Boolean opensslAnalyzerEnabled;
+    public Boolean isBundleAuditAnalyzerEnabled() {
+        return bundleAuditAnalyzerEnabled;
+    }
+
+    /**
+     * Sets if the Bundle Audit Analyzer is enabled.
+     *
+     * @param bundleAuditAnalyzerEnabled whether or not the analyzer should be
+     * enabled
+     */
+    public void setBundleAuditAnalyzerEnabled(Boolean bundleAuditAnalyzerEnabled) {
+        this.bundleAuditAnalyzerEnabled = bundleAuditAnalyzerEnabled;
+    }
+
+    /**
+     * Returns the path to the bundle audit executable.
+     *
+     * @return the path to the bundle audit executable
+     */
+    public String getBundleAuditPath() {
+        return bundleAuditPath;
+    }
+
+    /**
+     * Sets the path to the bundle audit executable.
+     *
+     * @param bundleAuditPath the path to the bundle audit executable
+     */
+    public void setBundleAuditPath(String bundleAuditPath) {
+        this.bundleAuditPath = bundleAuditPath;
+    }
+
+    /**
+     * Returns if the cocoapods analyzer is enabled.
+     *
+     * @return if the cocoapods analyzer is enabled
+     */
+    public boolean isCocoapodsAnalyzerEnabled() {
+        return cocoapodsAnalyzerEnabled;
+    }
+
+    /**
+     * Sets whether or not the cocoapods analyzer is enabled.
+     *
+     * @param cocoapodsAnalyzerEnabled the state of the cocoapods analyzer
+     */
+    public void setCocoapodsAnalyzerEnabled(Boolean cocoapodsAnalyzerEnabled) {
+        this.cocoapodsAnalyzerEnabled = cocoapodsAnalyzerEnabled;
+    }
+
+    /**
+     * Returns whether or not the Swift package Analyzer is enabled.
+     *
+     * @return whether or not the Swift package Analyzer is enabled
+     */
+    public Boolean isSwiftPackageManagerAnalyzerEnabled() {
+        return swiftPackageManagerAnalyzerEnabled;
+    }
+
+    /**
+     * Sets the enabled state of the swift package manager analyzer.
+     *
+     * @param swiftPackageManagerAnalyzerEnabled the enabled state of the swift
+     * package manager
+     */
+    public void setSwiftPackageManagerAnalyzerEnabled(Boolean swiftPackageManagerAnalyzerEnabled) {
+        this.swiftPackageManagerAnalyzerEnabled = swiftPackageManagerAnalyzerEnabled;
+    }
 
     /**
      * Get the value of opensslAnalyzerEnabled.
@@ -566,10 +722,6 @@ public class Check extends Update {
     public void setOpensslAnalyzerEnabled(Boolean opensslAnalyzerEnabled) {
         this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
     }
-    /**
-     * Whether or not the Node.js Analyzer is enabled.
-     */
-    private Boolean nodeAnalyzerEnabled;
 
     /**
      * Get the value of nodeAnalyzerEnabled.
@@ -588,10 +740,6 @@ public class Check extends Update {
     public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
         this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
     }
-    /**
-     * Whether the ruby gemspec analyzer should be enabled.
-     */
-    private Boolean rubygemsAnalyzerEnabled;
 
     /**
      * Get the value of rubygemsAnalyzerEnabled.
@@ -610,10 +758,6 @@ public class Check extends Update {
     public void setRubygemsAnalyzerEnabled(Boolean rubygemsAnalyzerEnabled) {
         this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
     }
-    /**
-     * Whether the python package analyzer should be enabled.
-     */
-    private Boolean pyPackageAnalyzerEnabled;
 
     /**
      * Get the value of pyPackageAnalyzerEnabled.
@@ -633,11 +777,6 @@ public class Check extends Update {
         this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
     }
 
-    /**
-     * Whether the python distribution analyzer should be enabled.
-     */
-    private Boolean pyDistributionAnalyzerEnabled;
-
     /**
      * Get the value of pyDistributionAnalyzerEnabled.
      *
@@ -657,11 +796,6 @@ public class Check extends Update {
         this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
     }
 
-    /**
-     * Whether or not the central analyzer is enabled.
-     */
-    private Boolean centralAnalyzerEnabled;
-
     /**
      * Get the value of centralAnalyzerEnabled.
      *
@@ -680,11 +814,6 @@ public class Check extends Update {
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
     }
 
-    /**
-     * Whether or not the nexus analyzer is enabled.
-     */
-    private Boolean nexusAnalyzerEnabled;
-
     /**
      * Get the value of nexusAnalyzerEnabled.
      *
@@ -703,12 +832,6 @@ public class Check extends Update {
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
     }
 
-    /**
-     * The URL of a Nexus server's REST API end point
-     * (http://domain/nexus/service/local).
-     */
-    private String nexusUrl;
-
     /**
      * Get the value of nexusUrl.
      *
@@ -726,10 +849,6 @@ public class Check extends Update {
     public void setNexusUrl(String nexusUrl) {
         this.nexusUrl = nexusUrl;
     }
-    /**
-     * Whether or not the defined proxy should be used when connecting to Nexus.
-     */
-    private Boolean nexusUsesProxy;
 
     /**
      * Get the value of nexusUsesProxy.
@@ -749,12 +868,6 @@ public class Check extends Update {
         this.nexusUsesProxy = nexusUsesProxy;
     }
 
-    /**
-     * Additional ZIP File extensions to add analyze. This should be a
-     * comma-separated list of file extensions to treat like ZIP files.
-     */
-    private String zipExtensions;
-
     /**
      * Get the value of zipExtensions.
      *
@@ -773,11 +886,6 @@ public class Check extends Update {
         this.zipExtensions = zipExtensions;
     }
 
-    /**
-     * The path to Mono for .NET assembly analysis on non-windows systems.
-     */
-    private String pathToMono;
-
     /**
      * Get the value of pathToMono.
      *
@@ -806,10 +914,16 @@ public class Check extends Update {
             engine = new Engine(Check.class.getClassLoader());
             if (isUpdateOnly()) {
                 log("Deprecated 'UpdateOnly' property set; please use the UpdateTask instead", Project.MSG_WARN);
-                engine.doUpdates();
-            } else {
                 try {
-                    for (Resource resource : path) {
+                    engine.doUpdates();
+                } catch (UpdateException ex) {
+                    if (this.isFailOnError()) {
+                        throw new BuildException(ex);
+                    }
+                    log(ex.getMessage(), Project.MSG_ERR);
+                }
+            } else {
+                for (Resource resource : getPath()) {
                     final FileProvider provider = resource.as(FileProvider.class);
                     if (provider != null) {
                         final File file = provider.getFile();
@@ -819,20 +933,21 @@ public class Check extends Update {
                     }
                 }
 
-                    engine.analyzeDependencies();
-                    DatabaseProperties prop = null;
-                    CveDB cve = null;
                 try {
-                        cve = new CveDB();
-                        cve.open();
+                    engine.analyzeDependencies();
+                } catch (ExceptionCollection ex) {
+                    if (this.isFailOnError()) {
+                        throw new BuildException(ex);
+                    }
+                }
+                DatabaseProperties prop = null;
+                try (CveDB cve = CveDB.getInstance()) {
                     prop = cve.getDatabaseProperties();
                 } catch (DatabaseException ex) {
+                    //TODO shouldn't this be a fatal exception
                     log("Unable to retrieve DB Properties", ex, Project.MSG_DEBUG);
-                    } finally {
-                        if (cve != null) {
-                            cve.close();
-                        }
                 }
+
                 final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop);
                 reporter.generateReports(reportOutputDirectory, reportFormat);
 
@@ -842,16 +957,19 @@ public class Check extends Update {
                 if (this.showSummary) {
                     showSummary(engine.getDependencies());
                 }
-                } catch (IOException ex) {
-                    log("Unable to generate dependency-check report", ex, Project.MSG_DEBUG);
-                    throw new BuildException("Unable to generate dependency-check report", ex);
-                } catch (Exception ex) {
-                    log("An exception occurred; unable to continue task", ex, Project.MSG_DEBUG);
-                    throw new BuildException("An exception occurred; unable to continue task", ex);
-                }
             }
         } catch (DatabaseException ex) {
-            log("Unable to connect to the dependency-check database; analysis has stopped", ex, Project.MSG_ERR);
+            final String msg = "Unable to connect to the dependency-check database; analysis has stopped";
+            if (this.isFailOnError()) {
+                throw new BuildException(msg, ex);
+            }
+            log(msg, ex, Project.MSG_ERR);
+        } catch (ReportException ex) {
+            final String msg = "Unable to generate the dependency-check report";
+            if (this.isFailOnError()) {
+                throw new BuildException(msg, ex);
+            }
+            log(msg, ex, Project.MSG_ERR);
         } finally {
             Settings.cleanup(true);
             if (engine != null) {
@@ -867,7 +985,7 @@ public class Check extends Update {
      * @throws BuildException if the task was not configured correctly.
      */
     private void validateConfiguration() throws BuildException {
-        if (path == null) {
+        if (getPath() == null) {
             throw new BuildException("No project dependencies have been defined to analyze.");
         }
         if (failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
@@ -887,6 +1005,7 @@ public class Check extends Update {
         super.populateSettings();
         Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
         Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        Settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
@@ -894,6 +1013,10 @@ public class Check extends Update {
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
+        Settings.setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
         Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
@@ -914,7 +1037,7 @@ public class Check extends Update {
      *
      * @param dependencies the list of dependency objects
      * @throws BuildException thrown if a CVSS score is found that is higher
-     * then the threshold set
+     * than the threshold set
      */
     private void checkForFailure(List<Dependency> dependencies) throws BuildException {
         final StringBuilder ids = new StringBuilder();
@@ -931,7 +1054,7 @@ public class Check extends Update {
         }
         if (ids.length() > 0) {
             final String msg = String.format("%n%nDependency-Check Failure:%n"
-                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
+                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater than '%.1f': %s%n"
                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
             throw new BuildException(msg);
         }

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java

@@ -71,6 +71,36 @@ public class Purge extends Task {
         this.dataDirectory = dataDirectory;
     }
 
+    /**
+     * Indicates if dependency-check should fail the build if an exception
+     * occurs.
+     */
+    private boolean failOnError = true;
+
+    /**
+     * Get the value of failOnError.
+     *
+     * @return the value of failOnError
+     */
+    public boolean isFailOnError() {
+        return failOnError;
+    }
+
+    /**
+     * Set the value of failOnError.
+     *
+     * @param failOnError new value of failOnError
+     */
+    public void setFailOnError(boolean failOnError) {
+        this.failOnError = failOnError;
+    }
+
+    /**
+     * Executes the dependency-check purge to delete the existing local copy of
+     * the NVD CVE data.
+     *
+     * @throws BuildException thrown if there is a problem deleting the file(s)
+     */
     @Override
     public void execute() throws BuildException {
         populateSettings();
@@ -81,38 +111,47 @@ public class Purge extends Task {
                 if (db.delete()) {
                     log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
                 } else {
-                    log(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()), Project.MSG_ERR);
+                    final String msg = String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath());
+                    if (this.failOnError) {
+                        throw new BuildException(msg);
+                    }
+                    log(msg, Project.MSG_ERR);
                 }
             } else {
-                log(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()), Project.MSG_ERR);
+                final String msg = String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath());
+                if (this.failOnError) {
+                    throw new BuildException(msg);
+                }
+                log(msg, Project.MSG_ERR);
             }
         } catch (IOException ex) {
-            log("Unable to delete the database", Project.MSG_ERR);
+            final String msg = "Unable to delete the database";
+            if (this.failOnError) {
+                throw new BuildException(msg);
+            }
+            log(msg, Project.MSG_ERR);
         } finally {
             Settings.cleanup(true);
         }
     }
 
     /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
-     * required to change the proxy server, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings.
+     * Additionally, this sets the system properties required to change the
+     * proxy server, port, and connection timeout.
+     *
+     * @throws BuildException thrown if the properties file cannot be read.
      */
-    protected void populateSettings() {
+    protected void populateSettings() throws BuildException {
         Settings.initialize();
-        InputStream taskProperties = null;
-        try {
-            taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
+        try (InputStream taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE)) {
             Settings.mergeProperties(taskProperties);
         } catch (IOException ex) {
-            log("Unable to load the dependency-check ant task.properties file.", ex, Project.MSG_WARN);
-        } finally {
-            if (taskProperties != null) {
-                try {
-                    taskProperties.close();
-                } catch (IOException ex) {
-                    log("", ex, Project.MSG_DEBUG);
-                }
+            final String msg = "Unable to load the dependency-check ant task.properties file.";
+            if (this.failOnError) {
+                throw new BuildException(msg, ex);
             }
+            log(msg, ex, Project.MSG_WARN);
         }
         if (dataDirectory != null) {
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java

@@ -18,19 +18,83 @@
 package org.owasp.dependencycheck.taskdefs;
 
 import org.apache.tools.ant.BuildException;
+import org.apache.tools.ant.Project;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.impl.StaticLoggerBinder;
 
 /**
- * An Ant task definition to execute dependency-check update. This will download the latest data from the National Vulnerability
- * Database (NVD) and store a copy in the local database.
+ * An Ant task definition to execute dependency-check update. This will download
+ * the latest data from the National Vulnerability Database (NVD) and store a
+ * copy in the local database.
  *
  * @author Jeremy Long
  */
 public class Update extends Purge {
 
+    /**
+     * The Proxy Server.
+     */
+    private String proxyServer;
+    /**
+     * The Proxy Port.
+     */
+    private String proxyPort;
+    /**
+     * The Proxy username.
+     */
+    private String proxyUsername;
+    /**
+     * The Proxy password.
+     */
+    private String proxyPassword;
+    /**
+     * The Connection Timeout.
+     */
+    private String connectionTimeout;
+    /**
+     * The database driver name; such as org.h2.Driver.
+     */
+    private String databaseDriverName;
+    /**
+     * The path to the database driver JAR file if it is not on the class path.
+     */
+    private String databaseDriverPath;
+    /**
+     * The database connection string.
+     */
+    private String connectionString;
+    /**
+     * The user name for connecting to the database.
+     */
+    private String databaseUser;
+    /**
+     * The password to use when connecting to the database.
+     */
+    private String databasePassword;
+    /**
+     * The url for the modified NVD CVE (1.2 schema).
+     */
+    private String cveUrl12Modified;
+    /**
+     * Base Data Mirror URL for CVE 1.2.
+     */
+    private String cveUrl12Base;
+    /**
+     * Data Mirror URL for CVE 2.0.
+     */
+    private String cveUrl20Base;
+    /**
+     * The number of hours to wait before re-checking for updates.
+     */
+    private Integer cveValidForHours;
+    /**
+     * The url for the modified NVD CVE (2.0 schema).
+     */
+    private String cveUrl20Modified;
+
     /**
      * Construct a new UpdateTask.
      */
@@ -41,11 +105,6 @@ public class Update extends Purge {
         StaticLoggerBinder.getSingleton().setTask(this);
     }
 
-    /**
-     * The Proxy Server.
-     */
-    private String proxyServer;
-
     /**
      * Get the value of proxyServer.
      *
@@ -64,11 +123,6 @@ public class Update extends Purge {
         this.proxyServer = server;
     }
 
-    /**
-     * The Proxy Port.
-     */
-    private String proxyPort;
-
     /**
      * Get the value of proxyPort.
      *
@@ -86,10 +140,6 @@ public class Update extends Purge {
     public void setProxyPort(String proxyPort) {
         this.proxyPort = proxyPort;
     }
-    /**
-     * The Proxy username.
-     */
-    private String proxyUsername;
 
     /**
      * Get the value of proxyUsername.
@@ -108,10 +158,6 @@ public class Update extends Purge {
     public void setProxyUsername(String proxyUsername) {
         this.proxyUsername = proxyUsername;
     }
-    /**
-     * The Proxy password.
-     */
-    private String proxyPassword;
 
     /**
      * Get the value of proxyPassword.
@@ -130,10 +176,6 @@ public class Update extends Purge {
     public void setProxyPassword(String proxyPassword) {
         this.proxyPassword = proxyPassword;
     }
-    /**
-     * The Connection Timeout.
-     */
-    private String connectionTimeout;
 
     /**
      * Get the value of connectionTimeout.
@@ -152,10 +194,6 @@ public class Update extends Purge {
     public void setConnectionTimeout(String connectionTimeout) {
         this.connectionTimeout = connectionTimeout;
     }
-    /**
-     * The database driver name; such as org.h2.Driver.
-     */
-    private String databaseDriverName;
 
     /**
      * Get the value of databaseDriverName.
@@ -175,11 +213,6 @@ public class Update extends Purge {
         this.databaseDriverName = databaseDriverName;
     }
 
-    /**
-     * The path to the database driver JAR file if it is not on the class path.
-     */
-    private String databaseDriverPath;
-
     /**
      * Get the value of databaseDriverPath.
      *
@@ -197,10 +230,6 @@ public class Update extends Purge {
     public void setDatabaseDriverPath(String databaseDriverPath) {
         this.databaseDriverPath = databaseDriverPath;
     }
-    /**
-     * The database connection string.
-     */
-    private String connectionString;
 
     /**
      * Get the value of connectionString.
@@ -219,10 +248,6 @@ public class Update extends Purge {
     public void setConnectionString(String connectionString) {
         this.connectionString = connectionString;
     }
-    /**
-     * The user name for connecting to the database.
-     */
-    private String databaseUser;
 
     /**
      * Get the value of databaseUser.
@@ -242,11 +267,6 @@ public class Update extends Purge {
         this.databaseUser = databaseUser;
     }
 
-    /**
-     * The password to use when connecting to the database.
-     */
-    private String databasePassword;
-
     /**
      * Get the value of databasePassword.
      *
@@ -265,11 +285,6 @@ public class Update extends Purge {
         this.databasePassword = databasePassword;
     }
 
-    /**
-     * The url for the modified NVD CVE (1.2 schema).
-     */
-    private String cveUrl12Modified;
-
     /**
      * Get the value of cveUrl12Modified.
      *
@@ -288,11 +303,6 @@ public class Update extends Purge {
         this.cveUrl12Modified = cveUrl12Modified;
     }
 
-    /**
-     * The url for the modified NVD CVE (2.0 schema).
-     */
-    private String cveUrl20Modified;
-
     /**
      * Get the value of cveUrl20Modified.
      *
@@ -311,11 +321,6 @@ public class Update extends Purge {
         this.cveUrl20Modified = cveUrl20Modified;
     }
 
-    /**
-     * Base Data Mirror URL for CVE 1.2.
-     */
-    private String cveUrl12Base;
-
     /**
      * Get the value of cveUrl12Base.
      *
@@ -334,11 +339,6 @@ public class Update extends Purge {
         this.cveUrl12Base = cveUrl12Base;
     }
 
-    /**
-     * Data Mirror URL for CVE 2.0.
-     */
-    private String cveUrl20Base;
-
     /**
      * Get the value of cveUrl20Base.
      *
@@ -357,11 +357,6 @@ public class Update extends Purge {
         this.cveUrl20Base = cveUrl20Base;
     }
 
-    /**
-     * The number of hours to wait before re-checking for updates.
-     */
-    private Integer cveValidForHours;
-
     /**
      * Get the value of cveValidForHours.
      *
@@ -381,10 +376,11 @@ public class Update extends Purge {
     }
 
     /**
-     * Executes the update by initializing the settings, downloads the NVD XML data, and then processes the data storing it in the
-     * local database.
+     * Executes the update by initializing the settings, downloads the NVD XML
+     * data, and then processes the data storing it in the local database.
      *
-     * @throws BuildException thrown if a connection to the local database cannot be made.
+     * @throws BuildException thrown if a connection to the local database
+     * cannot be made.
      */
     @Override
     public void execute() throws BuildException {
@@ -392,9 +388,20 @@ public class Update extends Purge {
         Engine engine = null;
         try {
             engine = new Engine(Update.class.getClassLoader());
+            try {
                 engine.doUpdates();
+            } catch (UpdateException ex) {
+                if (this.isFailOnError()) {
+                    throw new BuildException(ex);
+                }
+                log(ex.getMessage(), Project.MSG_ERR);
+            }
         } catch (DatabaseException ex) {
-            throw new BuildException("Unable to connect to the dependency-check database; unable to update the NVD data", ex);
+            final String msg = "Unable to connect to the dependency-check database; unable to update the NVD data";
+            if (this.isFailOnError()) {
+                throw new BuildException(msg, ex);
+            }
+            log(msg, Project.MSG_ERR);
         } finally {
             Settings.cleanup(true);
             if (engine != null) {
@@ -404,8 +411,9 @@ public class Update extends Purge {
     }
 
     /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
-     * required to change the proxy server, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings.
+     * Additionally, this sets the system properties required to change the
+     * proxy server, port, and connection timeout.
      *
      * @throws BuildException thrown when an invalid setting is configured.
      */

dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -37,6 +37,11 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
      * The unique instance of this class
      */
     private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder();
+    /**
+     * Ant tasks have the log method we actually want to call. So we hang onto
+     * the task as a delegate
+     */
+    private Task task = null;
 
     /**
      * Return the singleton of this class.
@@ -47,12 +52,6 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
         return SINGLETON;
     }
 
-    /**
-     * Ant tasks have the log method we actually want to call. So we hang onto
-     * the task as a delegate
-     */
-    private Task task = null;
-
     /**
      * Set the Task which will this is to log through.
      *

dependency-check-ant/src/site/markdown/config-purge.md

@@ -2,7 +2,7 @@ Configuration
 ====================
 The dependency-check-purge task deletes the local copy of the NVD. This task
 should rarely be used, if ever. This is included as a convenience method in
-the rare circumstance that the local H2 database because corrupt.
+the rare circumstance that the local H2 database becomes corrupt.
 
 ```xml
 <target name="dependency-check-purge" description="Dependency-Check purge">
@@ -15,5 +15,6 @@ Configuration: dependency-check-purge Task
 The following properties can be set on the dependency-check-purge task.
 
 Property              | Description                                                            | Default Value
-----------------------|----------------------------------------------------------------|------------------
+----------------------|------------------------------------------------------------------------|------------------
 dataDirectory         | Data directory that is used to store the local copy of the NVD         | data
+failOnError           | Whether the build should fail if there is an error executing the purge | true

dependency-check-ant/src/site/markdown/config-update.md

@@ -3,7 +3,7 @@ Configuration
 The dependency-check-update task downloads and updates the local copy of the NVD.
 There are several reasons that one may want to use this task; primarily, creating
 an update that will be run only once a day or once every few days (but not greater
-then 7 days) and then use the `autoUpdate="false"` setting on individual
+than 7 days) and then use the `autoUpdate="false"` setting on individual
 dependency-check scans. See [Internet Access Required](https://jeremylong.github.io/DependencyCheck/data/index.html)
 for more information on why this task would be used.
 
@@ -24,6 +24,7 @@ proxyPort             | The Proxy Port.                    |  
 proxyUsername         | Defines the proxy user name.       |  
 proxyPassword         | Defines the proxy password.        |  
 connectionTimeout     | The URL Connection Timeout.        |  
+failOnError           | Whether the build should fail if there is an error executing the update | true
 
 Advanced Configuration
 ====================

dependency-check-ant/src/site/markdown/configuration.md

@@ -34,10 +34,12 @@ Property              | Description
 autoUpdate            | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false.                                                                                 | true
 cveValidForHours      | Sets the number of hours to wait before checking for new updates from the NVD                                                                                                                      | 4
 failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
+failOnError           | Whether the build should fail if there is an error executing the dependency-check analysis                                                                                                         | true
 projectName           | The name of the project being scanned.                                                                                                                                                             | Dependency-Check
 reportFormat          | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true.                   | HTML
 reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build                                                                                 | 'target'
 suppressionFile       | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html)                                                                                       |  
+hintsFile             | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                       |  
 proxyServer           | The Proxy Server; see the [proxy configuration](../data/proxy.html) page for more information.                                                                                                                        |  
 proxyPort             | The Proxy Port.                                                                                                                                                                                    |  
 proxyUsername         | Defines the proxy user name.                                                                                                                                                                       |  
@@ -71,6 +73,10 @@ autoconfAnalyzerEnabled       | Sets whether the [experimental](../analyzers/ind
 composerAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used.   | true
 nodeAnalyzerEnabled           | Sets whether the [experimental](../analyzers/index.html) Node.js Analyzer should be used.                  | true
 nuspecAnalyzerEnabled         | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                  | true
+cocoapodsAnalyzerEnabled      | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used.                | true
+bundleAuditAnalyzerEnabled    | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used.             | true
+bundleAuditPath               | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled.  |  
+swiftPackageManagerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Switft Package Analyzer should be used.      | true
 assemblyAnalyzerEnabled       | Sets whether the .NET Assembly Analyzer should be used.                                                    | true
 pathToMono                    | The path to Mono for .NET assembly analysis on non-windows systems.                                        |  
 

dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java

@@ -31,7 +31,6 @@ import org.owasp.dependencycheck.utils.Settings;
 
 import static org.junit.Assert.assertTrue;
 
-
 /**
  *
  * @author Jeremy Long
@@ -65,15 +64,11 @@ public class DependencyCheckTaskTest {
     @Test
     public void testAddFileSet() throws Exception {
         File report = new File("target/dependency-check-report.html");
-        if (report.exists()) {
-            if (!report.delete()) {
+        if (report.exists() && !report.delete()) {
             throw new Exception("Unable to delete 'target/DependencyCheck-Report.html' prior to test.");
         }
-        }
         buildFileRule.executeTarget("test.fileset");
-
         assertTrue("DependencyCheck report was not generated", report.exists());
-
     }
 
     /**

dependency-check-ant/src/test/resources/build.xml

@@ -61,11 +61,14 @@
 
     <target name="failCVSS">
         <dependency-check
-            applicationName="test formatBAD"
+            applicationName="test failCVSS"
             reportOutputDirectory="${project.build.directory}"
             reportFormat="XML"
             autoupdate="false"
-            failBuildOnCVSS="8">
+            failBuildOnCVSS="3">
+            <fileset dir="${project.build.directory}/test-classes/jars">
+                <include name="axis-1.4.jar"/>
+            </fileset>
         </dependency-check>
     </target>
 </project>

dependency-check-cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.4.0</version>
+        <version>1.4.6-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -140,6 +140,8 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                     <binFileExtensions>
                         <unix>.sh</unix>
                     </binFileExtensions>
+                    <configurationDirectory>plugins/*</configurationDirectory>
+                    <includeConfigurationDirectoryInClasspath>true</includeConfigurationDirectoryInClasspath>
                 </configuration>
                 <executions>
                     <execution>
@@ -194,7 +196,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                 <version>${reporting.pmd-plugin.version}</version>
                 <configuration>
                     <targetJdk>1.6</targetJdk>
-                    <linkXref>true</linkXref>
+                    <linkXRef>true</linkXRef>
                     <sourceEncoding>utf-8</sourceEncoding>
                     <excludes>
                         <exclude>**/generated/*.java</exclude>

dependency-check-cli/src/main/assembly/release.xml

@@ -29,6 +29,13 @@
             <outputDirectory>dependency-check/repo</outputDirectory>
             <directory>${project.build.directory}/release/repo</directory>
         </fileSet>
+        <fileSet>
+            <directory>.</directory>
+            <outputDirectory>dependency-check/plugins</outputDirectory>
+            <excludes>
+                <exclude>*/**</exclude>
+            </excludes>
+        </fileSet>
         <fileSet>
             <outputDirectory>dependency-check</outputDirectory>
             <includes>
@@ -53,21 +60,4 @@
             </includes>
         </fileSet>
     </fileSets>
-    <!--
-            <fileSets>
-            <fileSet>
-                <outputDirectory>/</outputDirectory>
-                <directory>${project.build.directory}</directory>
-                <includes>
-                    <include>dependency-check*.jar</include>
-                </includes>
-            </fileSet>
-        </fileSets>
-        <dependencySets>
-            <dependencySet>
-                <outputDirectory>/lib</outputDirectory>
-                <scope>runtime</scope>
-            </dependencySet>
-        </dependencySets>
-    -->
 </assembly>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck;
 
 import ch.qos.logback.classic.LoggerContext;
 import ch.qos.logback.classic.encoder.PatternLayoutEncoder;
+import ch.qos.logback.classic.spi.ILoggingEvent;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -32,11 +33,16 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.apache.tools.ant.DirectoryScanner;
+import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import ch.qos.logback.core.FileAppender;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.exception.ReportException;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.slf4j.impl.StaticLoggerBinder;
 
 /**
@@ -57,21 +63,26 @@ public class App {
      * @param args the command line arguments
      */
     public static void main(String[] args) {
+        int exitCode = 0;
         try {
             Settings.initialize();
             final App app = new App();
-            app.run(args);
+            exitCode = app.run(args);
+            LOGGER.debug("Exit code: " + exitCode);
         } finally {
             Settings.cleanup(true);
         }
+        System.exit(exitCode);
     }
 
     /**
      * Main CLI entry-point into the application.
      *
      * @param args the command line arguments
+     * @return the exit code to return
      */
-    public void run(String[] args) {
+    public int run(String[] args) {
+        int exitCode = 0;
         final CliParser cli = new CliParser();
 
         try {
@@ -79,11 +90,11 @@ public class App {
         } catch (FileNotFoundException ex) {
             System.err.println(ex.getMessage());
             cli.printHelp();
-            return;
+            return -1;
         } catch (ParseException ex) {
             System.err.println(ex.getMessage());
             cli.printHelp();
-            return;
+            return -2;
         }
 
         if (cli.getVerboseLog() != null) {
@@ -93,8 +104,15 @@ public class App {
         if (cli.isPurge()) {
             if (cli.getConnectionString() != null) {
                 LOGGER.error("Unable to purge the database when using a non-default connection string");
+                exitCode = -3;
             } else {
+                try {
                     populateSettings(cli);
+                } catch (InvalidSettingException ex) {
+                    LOGGER.error(ex.getMessage());
+                    LOGGER.debug("Error loading properties file", ex);
+                    exitCode = -4;
+                }
                 File db;
                 try {
                     db = new File(Settings.getDataDirectory(), "dc.h2.db");
@@ -103,56 +121,115 @@ public class App {
                             LOGGER.info("Database file purged; local copy of the NVD has been removed");
                         } else {
                             LOGGER.error("Unable to delete '{}'; please delete the file manually", db.getAbsolutePath());
+                            exitCode = -5;
                         }
                     } else {
                         LOGGER.error("Unable to purge database; the database file does not exists: {}", db.getAbsolutePath());
+                        exitCode = -6;
                     }
                 } catch (IOException ex) {
                     LOGGER.error("Unable to delete the database");
+                    exitCode = -7;
                 }
             }
         } else if (cli.isGetVersion()) {
             cli.printVersionInfo();
         } else if (cli.isUpdateOnly()) {
-            populateSettings(cli);
-            runUpdateOnly();
-        } else if (cli.isRunScan()) {
-            populateSettings(cli);
             try {
-                runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), cli.getScanFiles(),
-                        cli.getExcludeList(), cli.getSymLinkDepth());
+                populateSettings(cli);
+            } catch (InvalidSettingException ex) {
+                LOGGER.error(ex.getMessage());
+                LOGGER.debug("Error loading properties file", ex);
+                exitCode = -4;
+            }
+            try {
+                runUpdateOnly();
+            } catch (UpdateException ex) {
+                LOGGER.error(ex.getMessage());
+                exitCode = -8;
+            } catch (DatabaseException ex) {
+                LOGGER.error(ex.getMessage());
+                exitCode = -9;
+            }
+        } else if (cli.isRunScan()) {
+            try {
+                populateSettings(cli);
+            } catch (InvalidSettingException ex) {
+                LOGGER.error(ex.getMessage());
+                LOGGER.debug("Error loading properties file", ex);
+                exitCode = -4;
+            }
+            try {
+                final String[] scanFiles = cli.getScanFiles();
+                if (scanFiles != null) {
+                    exitCode = runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), scanFiles,
+                            cli.getExcludeList(), cli.getSymLinkDepth(), cli.getFailOnCVSS());
+                } else {
+                    LOGGER.error("No scan files configured");
+                }
             } catch (InvalidScanPathException ex) {
                 LOGGER.error("An invalid scan path was detected; unable to scan '//*' paths");
+                exitCode = -10;
+            } catch (DatabaseException ex) {
+                LOGGER.error(ex.getMessage());
+                exitCode = -11;
+            } catch (ReportException ex) {
+                LOGGER.error(ex.getMessage());
+                exitCode = -12;
+            } catch (ExceptionCollection ex) {
+                if (ex.isFatal()) {
+                    exitCode = -13;
+                    LOGGER.error("One or more fatal errors occurred");
+                } else {
+                    exitCode = -14;
+                }
+                for (Throwable e : ex.getExceptions()) {
+                    LOGGER.error(e.getMessage());
+                }
             }
         } else {
             cli.printHelp();
         }
+        return exitCode;
     }
 
     /**
-     * Scans the specified directories and writes the dependency reports to the reportDirectory.
+     * Scans the specified directories and writes the dependency reports to the
+     * reportDirectory.
      *
-     * @param reportDirectory the path to the directory where the reports will be written
+     * @param reportDirectory the path to the directory where the reports will
+     * be written
      * @param outputFormat the output format of the report
      * @param applicationName the application name for the report
      * @param files the files/directories to scan
      * @param excludes the patterns for files/directories to exclude
      * @param symLinkDepth the depth that symbolic links will be followed
+     * @param cvssFailScore the score to fail on if a vulnerability is found
+     * @return the exit code if there was an error
      *
-     * @throws InvalidScanPathException thrown if the path to scan starts with "//"
+     * @throws InvalidScanPathException thrown if the path to scan starts with
+     * "//"
+     * @throws ReportException thrown when the report cannot be generated
+     * @throws DatabaseException thrown when there is an error connecting to the
+     * database
+     * @throws ExceptionCollection thrown when an exception occurs during
+     * analysis; there may be multiple exceptions contained within the
+     * collection.
      */
-    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files,
-            String[] excludes, int symLinkDepth) throws InvalidScanPathException {
+    private int runScan(String reportDirectory, String outputFormat, String applicationName, String[] files,
+            String[] excludes, int symLinkDepth, int cvssFailScore) throws InvalidScanPathException, DatabaseException,
+            ExceptionCollection, ReportException {
         Engine engine = null;
+        int retCode = 0;
         try {
             engine = new Engine();
-            final List<String> antStylePaths = new ArrayList<String>();
+            final List<String> antStylePaths = new ArrayList<>();
             for (String file : files) {
                 final String antPath = ensureCanonicalPath(file);
                 antStylePaths.add(antPath);
             }
 
-            final Set<File> paths = new HashSet<File>();
+            final Set<File> paths = new HashSet<>();
             for (String file : antStylePaths) {
                 LOGGER.debug("Scanning {}", file);
                 final DirectoryScanner scanner = new DirectoryScanner();
@@ -174,8 +251,6 @@ public class App {
                         include = "**/*";
                     }
                 }
-                //LOGGER.debug("baseDir: {}", baseDir);
-                //LOGGER.debug("include: {}", include);
                 scanner.setBasedir(baseDir);
                 final String[] includes = {include};
                 scanner.setIncludes(includes);
@@ -197,34 +272,52 @@ public class App {
             }
             engine.scan(paths);
 
+            ExceptionCollection exCol = null;
+            try {
                 engine.analyzeDependencies();
+            } catch (ExceptionCollection ex) {
+                if (ex.isFatal()) {
+                    throw ex;
+                }
+                exCol = ex;
+            }
             final List<Dependency> dependencies = engine.getDependencies();
             DatabaseProperties prop = null;
-            CveDB cve = null;
-            try {
-                cve = new CveDB();
-                cve.open();
+            try (CveDB cve = CveDB.getInstance()) {
                 prop = cve.getDatabaseProperties();
             } catch (DatabaseException ex) {
+                //TODO shouldn't this be a fatal exception
                 LOGGER.debug("Unable to retrieve DB Properties", ex);
-            } finally {
-                if (cve != null) {
-                    cve.close();
-                }
             }
             final ReportGenerator report = new ReportGenerator(applicationName, dependencies, engine.getAnalyzers(), prop);
+
             try {
                 report.generateReports(reportDirectory, outputFormat);
-            } catch (IOException ex) {
-                LOGGER.error("There was an IO error while attempting to generate the report.");
-                LOGGER.debug("", ex);
-            } catch (Throwable ex) {
-                LOGGER.error("There was an error while attempting to generate the report.");
-                LOGGER.debug("", ex);
+            } catch (ReportException ex) {
+                if (exCol != null) {
+                    exCol.addException(ex);
+                    throw exCol;
+                } else {
+                    throw ex;
                 }
-        } catch (DatabaseException ex) {
-            LOGGER.error("Unable to connect to the dependency-check database; analysis has stopped");
-            LOGGER.debug("", ex);
+            }
+            if (exCol != null && exCol.getExceptions().size() > 0) {
+                throw exCol;
+            }
+
+            //Set the exit code based on whether we found a high enough vulnerability
+            for (Dependency dep : dependencies) {
+                if (!dep.getVulnerabilities().isEmpty()) {
+                    for (Vulnerability vuln : dep.getVulnerabilities()) {
+                        LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName());
+                        if (vuln.getCvssScore() > cvssFailScore) {
+                            retCode = 1;
+                        }
+                    }
+                }
+            }
+
+            return retCode;
         } finally {
             if (engine != null) {
                 engine.cleanup();
@@ -234,15 +327,16 @@ public class App {
 
     /**
      * Only executes the update phase of dependency-check.
+     *
+     * @throws UpdateException thrown if there is an error updating
+     * @throws DatabaseException thrown if a fatal error occurred and a
+     * connection to the database could not be established
      */
-    private void runUpdateOnly() {
+    private void runUpdateOnly() throws UpdateException, DatabaseException {
         Engine engine = null;
         try {
             engine = new Engine();
             engine.doUpdates();
-        } catch (DatabaseException ex) {
-            LOGGER.error("Unable to connect to the dependency-check database; analysis has stopped");
-            LOGGER.debug("", ex);
         } finally {
             if (engine != null) {
                 engine.cleanup();
@@ -253,11 +347,13 @@ public class App {
     /**
      * Updates the global Settings.
      *
-     * @param cli a reference to the CLI Parser that contains the command line arguments used to set the corresponding settings in
-     * the core engine.
+     * @param cli a reference to the CLI Parser that contains the command line
+     * arguments used to set the corresponding settings in the core engine.
+     *
+     * @throws InvalidSettingException thrown when a user defined properties
+     * file is unable to be loaded.
      */
-    private void populateSettings(CliParser cli) {
-
+    private void populateSettings(CliParser cli) throws InvalidSettingException {
         final boolean autoUpdate = cli.isAutoUpdate();
         final String connectionTimeout = cli.getConnectionTimeout();
         final String proxyServer = cli.getProxyServer();
@@ -267,6 +363,7 @@ public class App {
         final String dataDirectory = cli.getDataDirectory();
         final File propertiesFile = cli.getPropertiesFile();
         final String suppressionFile = cli.getSuppressionFile();
+        final String hintsFile = cli.getHintsFile();
         final String nexusUrl = cli.getNexusUrl();
         final String databaseDriverName = cli.getDatabaseDriverName();
         final String databaseDriverPath = cli.getDatabaseDriverPath();
@@ -286,11 +383,9 @@ public class App {
             try {
                 Settings.mergeProperties(propertiesFile);
             } catch (FileNotFoundException ex) {
-                LOGGER.error("Unable to load properties file '{}'", propertiesFile.getPath());
-                LOGGER.debug("", ex);
+                throw new InvalidSettingException("Unable to find properties file '" + propertiesFile.getPath() + "'", ex);
             } catch (IOException ex) {
-                LOGGER.error("Unable to find properties file '{}'", propertiesFile.getPath());
-                LOGGER.debug("", ex);
+                throw new InvalidSettingException("Error reading properties file '" + propertiesFile.getPath() + "'", ex);
             }
         }
         // We have to wait until we've merged the properties before attempting to set whether we use
@@ -316,6 +411,7 @@ public class App {
         Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPass);
         Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
         Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        Settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
         Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
 
         //File Type Analyzer Settings
@@ -332,6 +428,8 @@ public class App {
         Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
+        Settings.setBoolean(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, !cli.isSwiftPackageAnalyzerDisabled());
+        Settings.setBoolean(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, !cli.isCocoapodsAnalyzerDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !cli.isCentralDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !cli.isNexusDisabled());
@@ -367,7 +465,7 @@ public class App {
         encoder.setPattern("%d %C:%L%n%-5level - %msg%n");
         encoder.setContext(context);
         encoder.start();
-        final FileAppender fa = new FileAppender();
+        final FileAppender<ILoggingEvent> fa = new FileAppender<>();
         fa.setAppend(true);
         fa.setEncoder(encoder);
         fa.setContext(context);
@@ -385,15 +483,16 @@ public class App {
     }
 
     /**
-     * Takes a path and resolves it to be a canonical &amp; absolute path. The caveats are that this method will take an Ant style
-     * file selector path (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at least to the left of the first *
-     * or ?).
+     * Takes a path and resolves it to be a canonical &amp; absolute path. The
+     * caveats are that this method will take an Ant style file selector path
+     * (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at
+     * least to the left of the first * or ?).
      *
      * @param path the path to canonicalize
      * @return the canonical path
      */
     protected String ensureCanonicalPath(String path) {
-        String basePath = null;
+        String basePath;
         String wildCards = null;
         final String file = path.replace('\\', '/');
         if (file.contains("*") || file.contains("?")) {

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -196,6 +196,10 @@ public final class CliParser {
             isValid = false;
             final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
             throw new FileNotFoundException(msg);
+        } else if ((path.endsWith("/*") && !path.endsWith("**/*")) || (path.endsWith("\\*") && path.endsWith("**\\*"))) {
+            final String msg = String.format("Possibly incorrect path '%s' from argument '%s' because it ends with a slash star; "
+                    + "dependency-check uses ant-style paths", path, argumentName);
+            LOGGER.warn(msg);
         }
     }
 
@@ -245,7 +249,7 @@ public final class CliParser {
 
         final Option excludes = Option.builder().argName("pattern").hasArg().longOpt(ARGUMENT.EXCLUDE)
                 .desc("Specify and exclusion pattern. This option can be specified multiple times"
-                        + " and it accepts Ant style excludsions.")
+                        + " and it accepts Ant style exclusions.")
                 .build();
 
         final Option props = Option.builder(ARGUMENT.PROP_SHORT).argName("file").hasArg().longOpt(ARGUMENT.PROP)
@@ -273,12 +277,21 @@ public final class CliParser {
                 .desc("The file path to the suppression XML file.")
                 .build();
 
+        final Option hintsFile = Option.builder().argName("file").hasArg().longOpt(ARGUMENT.HINTS_FILE)
+                .desc("The file path to the hints XML file.")
+                .build();
+
         final Option cveValidForHours = Option.builder().argName("hours").hasArg().longOpt(ARGUMENT.CVE_VALID_FOR_HOURS)
                 .desc("The number of hours to wait before checking for new updates from the NVD.")
                 .build();
 
         final Option experimentalEnabled = Option.builder().longOpt(ARGUMENT.EXPERIMENTAL)
-                .desc("Enables the experimental analzers.")
+                .desc("Enables the experimental analyzers.")
+                .build();
+
+        final Option failOnCVSS = Option.builder().argName("score").hasArg().longOpt(ARGUMENT.FAIL_ON_CVSS)
+                .desc("Specifies if the build should be failed if a CVSS score above a specified level is identified. "
+                        + "The default is 11; since the CVSS scores are 0-10, by default the build will never fail.")
                 .build();
 
         //This is an option group because it can be specified more then once.
@@ -301,8 +314,10 @@ public final class CliParser {
                 .addOption(props)
                 .addOption(verboseLog)
                 .addOption(suppressionFile)
+                .addOption(hintsFile)
                 .addOption(cveValidForHours)
-                .addOption(experimentalEnabled);
+                .addOption(experimentalEnabled)
+                .addOption(failOnCVSS);
     }
 
     /**
@@ -422,6 +437,11 @@ public final class CliParser {
         final Option disableCmakeAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CMAKE)
                 .desc("Disable the Cmake Analyzer.").build();
 
+        final Option cocoapodsAnalyzerEnabled = Option.builder().longOpt(ARGUMENT.DISABLE_COCOAPODS)
+                .desc("Disable the CocoaPods Analyzer.").build();
+        final Option swiftPackageManagerAnalyzerEnabled = Option.builder().longOpt(ARGUMENT.DISABLE_SWIFT)
+                .desc("Disable the swift package Analyzer.").build();
+
         final Option disableCentralAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CENTRAL)
                 .desc("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
                         + "the Nexus Analyzer.").build();
@@ -466,6 +486,8 @@ public final class CliParser {
                 .addOption(disableNuspecAnalyzer)
                 .addOption(disableCentralAnalyzer)
                 .addOption(disableNexusAnalyzer)
+                .addOption(cocoapodsAnalyzerEnabled)
+                .addOption(swiftPackageManagerAnalyzerEnabled)
                 .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NODE_JS)
                         .desc("Disable the Node.js Package Analyzer.").build())
                 .addOption(nexusUrl)
@@ -686,6 +708,28 @@ public final class CliParser {
         return (line != null) && line.hasOption(ARGUMENT.DISABLE_NODE_JS);
     }
 
+    /**
+     * Returns true if the disableCocoapodsAnalyzer command line argument was
+     * specified.
+     *
+     * @return true if the disableCocoapodsAnalyzer command line argument was
+     * specified; otherwise false
+     */
+    public boolean isCocoapodsAnalyzerDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_COCOAPODS);
+    }
+
+    /**
+     * Returns true if the disableSwiftPackageManagerAnalyzer command line
+     * argument was specified.
+     *
+     * @return true if the disableSwiftPackageManagerAnalyzer command line
+     * argument was specified; otherwise false
+     */
+    public boolean isSwiftPackageAnalyzerDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_SWIFT);
+    }
+
     /**
      * Returns true if the disableCentral command line argument was specified.
      *
@@ -958,6 +1002,15 @@ public final class CliParser {
         return line.getOptionValue(ARGUMENT.SUPPRESSION_FILE);
     }
 
+    /**
+     * Returns the path to the hints file.
+     *
+     * @return the path to the hints file
+     */
+    public String getHintsFile() {
+        return line.getOptionValue(ARGUMENT.HINTS_FILE);
+    }
+
     /**
      * <p>
      * Prints the manifest information to standard output.</p>
@@ -966,7 +1019,7 @@ public final class CliParser {
      */
     public void printVersionInfo() {
         final String version = String.format("%s version %s",
-                Settings.getString(Settings.KEYS.APPLICATION_VAME, "dependency-check"),
+                Settings.getString(Settings.KEYS.APPLICATION_NAME, "dependency-check"),
                 Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
         System.out.println(version);
     }
@@ -1087,6 +1140,25 @@ public final class CliParser {
         return line.hasOption(ARGUMENT.EXPERIMENTAL);
     }
 
+    /**
+     * Returns the CVSS value to fail on.
+     *
+     * @return 11 if nothing is set. Otherwise it returns the int passed from
+     * the command line arg
+     */
+    public int getFailOnCVSS() {
+        if (line.hasOption(ARGUMENT.FAIL_ON_CVSS)) {
+            final String value = line.getOptionValue(ARGUMENT.FAIL_ON_CVSS);
+            try {
+                return Integer.parseInt(value);
+            } catch (NumberFormatException nfe) {
+                return 11;
+            }
+        } else {
+            return 11;
+        }
+    }
+
     /**
      * A collection of static final strings that represent the possible command
      * line arguments.
@@ -1269,8 +1341,12 @@ public final class CliParser {
          */
         public static final String SUPPRESSION_FILE = "suppression";
         /**
-         * The CLI argument name for setting the location of the suppression
-         * file.
+         * The CLI argument name for setting the location of the hint file.
+         */
+        public static final String HINTS_FILE = "hints";
+        /**
+         * The CLI argument name for setting the number of hours to wait before
+         * checking for new updates from the NVD.
          */
         public static final String CVE_VALID_FOR_HOURS = "cveValidForHours";
         /**
@@ -1305,6 +1381,14 @@ public final class CliParser {
          * Disables the Cmake Analyzer.
          */
         public static final String DISABLE_CMAKE = "disableCmake";
+        /**
+         * Disables the cocoapods analyzer.
+         */
+        public static final String DISABLE_COCOAPODS = "disableCocoapodsAnalyzer";
+        /**
+         * Disables the swift package manager analyzer.
+         */
+        public static final String DISABLE_SWIFT = "disableSwiftPackageManagerAnalyzer";
         /**
          * Disables the Assembly Analyzer.
          */
@@ -1385,5 +1469,9 @@ public final class CliParser {
          * The CLI argument to enable the experimental analyzers.
          */
         private static final String EXPERIMENTAL = "enableExperimental";
+        /**
+         * The CLI argument to enable the experimental analyzers.
+         */
+        private static final String FAIL_ON_CVSS = "failOnCVSS";
     }
 }

dependency-check-cli/src/site/markdown/arguments.md

@@ -11,6 +11,7 @@ Short  | Argument Name   | Parameter       | Description | Requir
        | \-\-symLink           | \<depth\>       | The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed. | Optional
  \-o   | \-\-out               | \<path\>        | The folder to write reports to. This defaults to the current directory. If the format is not set to ALL one could specify a specific file name. | Optional
  \-f   | \-\-format            | \<format\>      | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
+       | \-\-failOnCvss        | \<score\>       | If the score set between 0 and 10 the exit code from dependency-check will indicate if a vulnerability with a CVSS score equal to or higher was identified. | Optional
  \-l   | \-\-log               | \<file\>        | The file path to write verbose logging information. | Optional
  \-n   | \-\-noupdate          |                 | Disables the automatic updating of the CPE data. | Optional
        | \-\-suppression       | \<file\>        | The file path to the suppression XML file; used to suppress [false positives](../general/suppression.html). | Optional
@@ -35,6 +36,8 @@ Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Paramete
        | \-\-disableNodeJS     |                 | Sets whether the [experimental](../analyzers/index.html) Node.js Package Analyzer will be used.                          | false
        | \-\-disableRubygems   |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used.                             | false
        | \-\-disableBundleAudit |                | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used.                       | false
+       | \-\-disableCocoapodsAnalyzer |          | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used.                                | false
+       | \-\-disableSwiftPackageManagerAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer will be used.                   | false
        | \-\-disableAutoconf   |                 | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used.                                 | false
        | \-\-disableOpenSSL    |                 | Sets whether the OpenSSL Analyzer will be used.                                                                          | false
        | \-\-disableCmake      |                 | Sets whether the [experimental](../analyzers/index.html) Cmake Analyzer will be disabled.                                | false

dependency-check-cli/src/site/markdown/index.md.vm

@@ -9,10 +9,7 @@ Installation & Usage
 ====================
 Download the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-${project.version}-release.zip).
 Extract the zip file to a location on your computer and put the 'bin' directory into the
-path environment variable. On \*nix systems you will likely need to make the shell
-script executable:
-
-    $ chmod +777 dependency-check.sh
+path environment variable.
 
 #set( $H = '#' )
 

dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java

@@ -17,10 +17,6 @@
  */
 package org.owasp.dependencycheck;
 
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import static org.junit.Assert.*;
 
@@ -29,26 +25,6 @@ import static org.junit.Assert.*;
  * @author jeremy
  */
 public class AppTest {
-
-    public AppTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
-    @Before
-    public void setUp() {
-    }
-
-    @After
-    public void tearDown() {
-    }
-
     /**
      * Test of ensureCanonicalPath method, of class App.
      */

dependency-check-cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java

@@ -17,17 +17,14 @@
  */
 package org.owasp.dependencycheck;
 
-import org.owasp.dependencycheck.CliParser;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.PrintStream;
 import org.apache.commons.cli.ParseException;
-import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Assert;
-import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.utils.Settings;
@@ -48,14 +45,6 @@ public class CliParserTest {
         Settings.cleanup(true);
     }
 
-    @Before
-    public void setUp() throws Exception {
-    }
-
-    @After
-    public void tearDown() throws Exception {
-    }
-
     /**
      * Test of parse method, of class CliParser.
      *
@@ -115,6 +104,63 @@ public class CliParserTest {
 
     }
 
+    /**
+     * Test of parse method with failOnCVSS without an argument
+     *
+     * @throws Exception thrown when an exception occurs.
+     */
+    @Test
+    public void testParse_failOnCVSSNoArg() throws Exception {
+
+        String[] args = {"--failOnCVSS"};
+
+        CliParser instance = new CliParser();
+        try {
+            instance.parse(args);
+        } catch (ParseException ex) {
+            Assert.assertTrue(ex.getMessage().contains("Missing argument"));
+        }
+        Assert.assertFalse(instance.isGetVersion());
+        Assert.assertFalse(instance.isGetHelp());
+        Assert.assertFalse(instance.isRunScan());
+    }
+
+    /**
+     * Test of parse method with failOnCVSS invalid argument. It should default to 11
+     *
+     * @throws Exception thrown when an exception occurs.
+     */
+    @Test
+    public void testParse_failOnCVSSInvalidArgument() throws Exception {
+
+        String[] args = {"--failOnCVSS","bad"};
+
+        CliParser instance = new CliParser();
+        instance.parse(args);
+        Assert.assertEquals("Default should be 11", 11, instance.getFailOnCVSS());
+        Assert.assertFalse(instance.isGetVersion());
+        Assert.assertFalse(instance.isGetHelp());
+        Assert.assertFalse(instance.isRunScan());
+    }
+
+    /**
+     * Test of parse method with failOnCVSS invalid argument. It should default to 11
+     *
+     * @throws Exception thrown when an exception occurs.
+     */
+    @Test
+    public void testParse_failOnCVSSValidArgument() throws Exception {
+
+        String[] args = {"--failOnCVSS","6"};
+
+        CliParser instance = new CliParser();
+        instance.parse(args);
+        Assert.assertEquals(6, instance.getFailOnCVSS());
+        Assert.assertFalse(instance.isGetVersion());
+        Assert.assertFalse(instance.isGetHelp());
+        Assert.assertFalse(instance.isRunScan());
+    }
+
     /**
      * Test of parse method with jar and cpe args, of class CliParser.
      *
@@ -196,7 +242,7 @@ public class CliParserTest {
      */
     @Test
     public void testParse_scan_withFileExists() throws Exception {
-        File path = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").getPath());
+        File path = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
         String[] args = {"-scan", path.getCanonicalPath(), "-out", "./", "-app", "test"};
 
         CliParser instance = new CliParser();

dependency-check-core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.4.0</version>
+        <version>1.4.6-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -244,7 +244,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 <version>${reporting.pmd-plugin.version}</version>
                 <configuration>
                     <targetJdk>1.6</targetJdk>
-                    <linkXref>true</linkXref>
+                    <linkXRef>true</linkXRef>
                     <sourceEncoding>utf-8</sourceEncoding>
                     <excludes>
                         <exclude>**/generated/*.java</exclude>
@@ -261,6 +261,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     </reporting>
     <dependencies>
         <!-- Note, to stay compatible with Jenkins installations only JARs compiled to 1.6 can be used -->
+        <dependency>
+            <groupId>joda-time</groupId>
+            <artifactId>joda-time</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.google.code.findbugs</groupId>
             <artifactId>annotations</artifactId>
@@ -459,6 +463,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <scope>test</scope>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.8</version>
+            <scope>test</scope>
+            <optional>true</optional>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>
@@ -568,15 +579,19 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 </plugins>
             </build>
         </profile>
-        <profile>
-            <!-- The following profile adds additional
-            dependencies that are only used during testing.
-            Additionally, these are only added when using "allTests" to
-            make the build slightly faster in most cases. -->
+        <!-- 
+            The following profile adds additional dependencies that are only 
+            used during testing.
+        
+            TODO move the following FP tests to a seperate invoker test in the
+            maven plugin project. Add checks against the XML to validate that
+            these do not report FP.
+        -->
+        <!--profile>
             <id>False Positive Tests</id>
             <activation>
                 <property>
-                    <name>allTests</name>
+                    <name>releaseTesting</name>
                 </property>
             </activation>
             <dependencies>
@@ -587,13 +602,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <scope>test</scope>
                     <optional>true</optional>
                 </dependency>
-                <dependency>
-                    <groupId>com.thoughtworks.xstream</groupId>
-                    <artifactId>xstream</artifactId>
-                    <version>1.4.2</version>
-                    <scope>test</scope>
-                    <optional>true</optional>
-                </dependency>
                 <dependency>
                     <groupId>org.apache.ws.security</groupId>
                     <artifactId>wss4j</artifactId>
@@ -664,13 +672,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <scope>test</scope>
                     <optional>true</optional>
                 </dependency>
-                <dependency>
-                    <groupId>org.springframework</groupId>
-                    <artifactId>spring-webmvc</artifactId>
-                    <version>3.2.12.RELEASE</version>
-                    <scope>test</scope>
-                    <optional>true</optional>
-                </dependency>
                 <dependency>
                     <groupId>com.google.code.gson</groupId>
                     <artifactId>gson</artifactId>
@@ -728,6 +729,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <optional>true</optional>
                 </dependency>
             </dependencies>
-        </profile>
+        </profile-->
     </profiles>
 </project>

dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java

@@ -0,0 +1,129 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Stefan Neuhaus. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.List;
+import java.util.concurrent.Callable;
+
+/**
+ * Task to support parallelism of dependency-check analysis. Analyses a single
+ * {@link Dependency} by a specific {@link Analyzer}.
+ *
+ * @author Stefan Neuhaus
+ */
+public class AnalysisTask implements Callable<Void> {
+
+    /**
+     * Instance of the logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(AnalysisTask.class);
+
+    /**
+     * A reference to the analyzer.
+     */
+    private final Analyzer analyzer;
+    /**
+     * The dependency to analyze.
+     */
+    private final Dependency dependency;
+    /**
+     * A reference to the dependency-check engine.
+     */
+    private final Engine engine;
+    /**
+     * The list of exceptions that may occur during analysis.
+     */
+    private final List<Throwable> exceptions;
+    /**
+     * A reference to the global settings object.
+     */
+    private final Settings settings;
+
+    /**
+     * Creates a new analysis task.
+     *
+     * @param analyzer a reference of the analyzer to execute
+     * @param dependency the dependency to analyze
+     * @param engine the dependency-check engine
+     * @param exceptions exceptions that occur during analysis will be added to
+     * this collection of exceptions
+     * @param settings a reference to the global settings object; this is
+     * necessary so that when the thread is started the dependencies have a
+     * correct reference to the global settings.
+     */
+    AnalysisTask(Analyzer analyzer, Dependency dependency, Engine engine, List<Throwable> exceptions, Settings settings) {
+        this.analyzer = analyzer;
+        this.dependency = dependency;
+        this.engine = engine;
+        this.exceptions = exceptions;
+        this.settings = settings;
+    }
+
+    /**
+     * Executes the analysis task.
+     *
+     * @return null
+     */
+    @Override
+    public Void call() {
+        try {
+            Settings.setInstance(settings);
+
+            if (shouldAnalyze()) {
+                LOGGER.debug("Begin Analysis of '{}' ({})", dependency.getActualFilePath(), analyzer.getName());
+                try {
+                    analyzer.analyze(dependency, engine);
+                } catch (AnalysisException ex) {
+                    LOGGER.warn("An error occurred while analyzing '{}' ({}).", dependency.getActualFilePath(), analyzer.getName());
+                    LOGGER.debug("", ex);
+                    exceptions.add(ex);
+                } catch (Throwable ex) {
+                    LOGGER.warn("An unexpected error occurred during analysis of '{}' ({}): {}",
+                            dependency.getActualFilePath(), analyzer.getName(), ex.getMessage());
+                    LOGGER.debug("", ex);
+                    exceptions.add(ex);
+                }
+            }
+        } finally {
+            Settings.cleanup(false);
+        }
+        return null;
+    }
+
+    /**
+     * Determines if the analyzer can analyze the given dependency.
+     *
+     * @return whether or not the analyzer can analyze the dependency
+     */
+    protected boolean shouldAnalyze() {
+        if (analyzer instanceof FileTypeAnalyzer) {
+            final FileTypeAnalyzer fileTypeAnalyzer = (FileTypeAnalyzer) analyzer;
+            return fileTypeAnalyzer.accept(dependency.getActualFile());
+        }
+
+        return true;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -21,7 +21,6 @@ import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.analyzer.AnalyzerService;
 import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -29,6 +28,8 @@ import org.owasp.dependencycheck.data.update.CachedWebDataSource;
 import org.owasp.dependencycheck.data.update.UpdateService;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.exception.NoDataException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
@@ -37,18 +38,28 @@ import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.FileFilter;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.EnumMap;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.CancellationException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
 
 /**
- * Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the scan, if a
- * file is encountered and an Analyzer is associated with the file type then the file is turned into a dependency.
+ * Scans files, directories, etc. for Dependencies. Analyzers are loaded and
+ * used to process the files found by the scan, if a file is encountered and an
+ * Analyzer is associated with the file type then the file is turned into a
+ * dependency.
  *
  * @author Jeremy Long
  */
@@ -57,21 +68,26 @@ public class Engine implements FileFilter {
     /**
      * The list of dependencies.
      */
-    private List<Dependency> dependencies = new ArrayList<Dependency>();
+    private final List<Dependency> dependencies = Collections.synchronizedList(new ArrayList<Dependency>());
     /**
      * A Map of analyzers grouped by Analysis phase.
      */
-    private Map<AnalysisPhase, List<Analyzer>> analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
+    private final Map<AnalysisPhase, List<Analyzer>> analyzers = new EnumMap<>(AnalysisPhase.class);
 
     /**
      * A Map of analyzers grouped by Analysis phase.
      */
-    private Set<FileTypeAnalyzer> fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
+    private final Set<FileTypeAnalyzer> fileTypeAnalyzers = new HashSet<>();
 
     /**
-     * The ClassLoader to use when dynamically loading Analyzer and Update services.
+     * The ClassLoader to use when dynamically loading Analyzer and Update
+     * services.
      */
     private ClassLoader serviceClassLoader = Thread.currentThread().getContextClassLoader();
+    /**
+     * A reference to the database.
+     */
+    private CveDB database = null;
     /**
      * The Logger for use throughout the class.
      */
@@ -80,7 +96,8 @@ public class Engine implements FileFilter {
     /**
      * Creates a new Engine.
      *
-     * @throws DatabaseException thrown if there is an error connecting to the database
+     * @throws DatabaseException thrown if there is an error connecting to the
+     * database
      */
     public Engine() throws DatabaseException {
         initializeEngine();
@@ -90,7 +107,8 @@ public class Engine implements FileFilter {
      * Creates a new Engine.
      *
      * @param serviceClassLoader a reference the class loader being used
-     * @throws DatabaseException thrown if there is an error connecting to the database
+     * @throws DatabaseException thrown if there is an error connecting to the
+     * database
      */
     public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
         this.serviceClassLoader = serviceClassLoader;
@@ -98,9 +116,11 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Creates a new Engine using the specified classloader to dynamically load Analyzer and Update services.
+     * Creates a new Engine using the specified classloader to dynamically load
+     * Analyzer and Update services.
      *
-     * @throws DatabaseException thrown if there is an error connecting to the database
+     * @throws DatabaseException thrown if there is an error connecting to the
+     * database
      */
     protected final void initializeEngine() throws DatabaseException {
         ConnectionFactory.initialize();
@@ -111,11 +131,16 @@ public class Engine implements FileFilter {
      * Properly cleans up resources allocated during analysis.
      */
     public void cleanup() {
+        if (database != null) {
+            database.close();
+            database = null;
+        }
         ConnectionFactory.cleanup();
     }
 
     /**
-     * Loads the analyzers specified in the configuration file (or system properties).
+     * Loads the analyzers specified in the configuration file (or system
+     * properties).
      */
     private void loadAnalyzers() {
         if (!analyzers.isEmpty()) {
@@ -146,11 +171,17 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Get the dependencies identified.
+     * Get the dependencies identified. The returned list is a reference to the
+     * engine's synchronized list. <b>You must synchronize on the returned
+     * list</b> when you modify and iterate over it from multiple threads. E.g.
+     * this holds for analyzers supporting parallel processing during their
+     * analysis phase.
      *
      * @return the dependencies identified
+     * @see Collections#synchronizedList(List)
+     * @see Analyzer#supportsParallelProcessing()
      */
-    public List<Dependency> getDependencies() {
+    public synchronized List<Dependency> getDependencies() {
         return dependencies;
     }
 
@@ -160,21 +191,40 @@ public class Engine implements FileFilter {
      * @param dependencies the dependencies
      */
     public void setDependencies(List<Dependency> dependencies) {
-        this.dependencies = dependencies;
+        synchronized (this.dependencies) {
+            this.dependencies.clear();
+            this.dependencies.addAll(dependencies);
+        }
     }
 
     /**
-     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
-     * identified are added to the dependency collection.
+     * Scans an array of files or directories. If a directory is specified, it
+     * will be scanned recursively. Any dependencies identified are added to the
+     * dependency collection.
      *
      * @param paths an array of paths to files or directories to be analyzed
      * @return the list of dependencies scanned
      * @since v0.3.2.5
      */
     public List<Dependency> scan(String[] paths) {
-        final List<Dependency> deps = new ArrayList<Dependency>();
+        return scan(paths, null);
+    }
+
+    /**
+     * Scans an array of files or directories. If a directory is specified, it
+     * will be scanned recursively. Any dependencies identified are added to the
+     * dependency collection.
+     *
+     * @param paths an array of paths to files or directories to be analyzed
+     * @param projectReference the name of the project or scope in which the
+     * dependency was identified
+     * @return the list of dependencies scanned
+     * @since v1.4.4
+     */
+    public List<Dependency> scan(String[] paths, String projectReference) {
+        final List<Dependency> deps = new ArrayList<>();
         for (String path : paths) {
-            final List<Dependency> d = scan(path);
+            final List<Dependency> d = scan(path, projectReference);
             if (d != null) {
                 deps.addAll(d);
             }
@@ -183,29 +233,61 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies identified
-     * are added to the dependency collection.
+     * Scans a given file or directory. If a directory is specified, it will be
+     * scanned recursively. Any dependencies identified are added to the
+     * dependency collection.
      *
      * @param path the path to a file or directory to be analyzed
      * @return the list of dependencies scanned
      */
     public List<Dependency> scan(String path) {
-        final File file = new File(path);
-        return scan(file);
+        return scan(path, null);
     }
 
     /**
-     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
-     * identified are added to the dependency collection.
+     * Scans a given file or directory. If a directory is specified, it will be
+     * scanned recursively. Any dependencies identified are added to the
+     * dependency collection.
+     *
+     * @param path the path to a file or directory to be analyzed
+     * @param projectReference the name of the project or scope in which the
+     * dependency was identified
+     * @return the list of dependencies scanned
+     * @since v1.4.4
+     */
+    public List<Dependency> scan(String path, String projectReference) {
+        final File file = new File(path);
+        return scan(file, projectReference);
+    }
+
+    /**
+     * Scans an array of files or directories. If a directory is specified, it
+     * will be scanned recursively. Any dependencies identified are added to the
+     * dependency collection.
      *
      * @param files an array of paths to files or directories to be analyzed.
      * @return the list of dependencies
      * @since v0.3.2.5
      */
     public List<Dependency> scan(File[] files) {
-        final List<Dependency> deps = new ArrayList<Dependency>();
+        return scan(files, null);
+    }
+
+    /**
+     * Scans an array of files or directories. If a directory is specified, it
+     * will be scanned recursively. Any dependencies identified are added to the
+     * dependency collection.
+     *
+     * @param files an array of paths to files or directories to be analyzed.
+     * @param projectReference the name of the project or scope in which the
+     * dependency was identified
+     * @return the list of dependencies
+     * @since v1.4.4
+     */
+    public List<Dependency> scan(File[] files, String projectReference) {
+        final List<Dependency> deps = new ArrayList<>();
         for (File file : files) {
-            final List<Dependency> d = scan(file);
+            final List<Dependency> d = scan(file, projectReference);
             if (d != null) {
                 deps.addAll(d);
             }
@@ -214,17 +296,33 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Scans a collection of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
-     * identified are added to the dependency collection.
+     * Scans a collection of files or directories. If a directory is specified,
+     * it will be scanned recursively. Any dependencies identified are added to
+     * the dependency collection.
      *
      * @param files a set of paths to files or directories to be analyzed
      * @return the list of dependencies scanned
      * @since v0.3.2.5
      */
     public List<Dependency> scan(Collection<File> files) {
-        final List<Dependency> deps = new ArrayList<Dependency>();
+        return scan(files, null);
+    }
+
+    /**
+     * Scans a collection of files or directories. If a directory is specified,
+     * it will be scanned recursively. Any dependencies identified are added to
+     * the dependency collection.
+     *
+     * @param files a set of paths to files or directories to be analyzed
+     * @param projectReference the name of the project or scope in which the
+     * dependency was identified
+     * @return the list of dependencies scanned
+     * @since v1.4.4
+     */
+    public List<Dependency> scan(Collection<File> files, String projectReference) {
+        final List<Dependency> deps = new ArrayList<>();
         for (File file : files) {
-            final List<Dependency> d = scan(file);
+            final List<Dependency> d = scan(file, projectReference);
             if (d != null) {
                 deps.addAll(d);
             }
@@ -233,21 +331,37 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies identified
-     * are added to the dependency collection.
+     * Scans a given file or directory. If a directory is specified, it will be
+     * scanned recursively. Any dependencies identified are added to the
+     * dependency collection.
      *
      * @param file the path to a file or directory to be analyzed
      * @return the list of dependencies scanned
      * @since v0.3.2.4
      */
     public List<Dependency> scan(File file) {
+        return scan(file, null);
+    }
+
+    /**
+     * Scans a given file or directory. If a directory is specified, it will be
+     * scanned recursively. Any dependencies identified are added to the
+     * dependency collection.
+     *
+     * @param file the path to a file or directory to be analyzed
+     * @param projectReference the name of the project or scope in which the
+     * dependency was identified
+     * @return the list of dependencies scanned
+     * @since v1.4.4
+     */
+    public List<Dependency> scan(File file, String projectReference) {
         if (file.exists()) {
             if (file.isDirectory()) {
-                return scanDirectory(file);
+                return scanDirectory(file, projectReference);
             } else {
-                final Dependency d = scanFile(file);
+                final Dependency d = scanFile(file, projectReference);
                 if (d != null) {
-                    final List<Dependency> deps = new ArrayList<Dependency>();
+                    final List<Dependency> deps = new ArrayList<>();
                     deps.add(d);
                     return deps;
                 }
@@ -257,23 +371,38 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Recursively scans files and directories. Any dependencies identified are added to the dependency collection.
+     * Recursively scans files and directories. Any dependencies identified are
+     * added to the dependency collection.
      *
      * @param dir the directory to scan
      * @return the list of Dependency objects scanned
      */
     protected List<Dependency> scanDirectory(File dir) {
+        return scanDirectory(dir, null);
+    }
+
+    /**
+     * Recursively scans files and directories. Any dependencies identified are
+     * added to the dependency collection.
+     *
+     * @param dir the directory to scan
+     * @param projectReference the name of the project or scope in which the
+     * dependency was identified
+     * @return the list of Dependency objects scanned
+     * @since v1.4.4
+     */
+    protected List<Dependency> scanDirectory(File dir, String projectReference) {
         final File[] files = dir.listFiles();
-        final List<Dependency> deps = new ArrayList<Dependency>();
+        final List<Dependency> deps = new ArrayList<>();
         if (files != null) {
             for (File f : files) {
                 if (f.isDirectory()) {
-                    final List<Dependency> d = scanDirectory(f);
+                    final List<Dependency> d = scanDirectory(f, projectReference);
                     if (d != null) {
                         deps.addAll(d);
                     }
                 } else {
-                    final Dependency d = scanFile(f);
+                    final Dependency d = scanFile(f, projectReference);
                     deps.add(d);
                 }
             }
@@ -282,91 +411,117 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Scans a specified file. If a dependency is identified it is added to the dependency collection.
+     * Scans a specified file. If a dependency is identified it is added to the
+     * dependency collection.
      *
      * @param file The file to scan
      * @return the scanned dependency
      */
     protected Dependency scanFile(File file) {
+        return scanFile(file, null);
+    }
+
+    /**
+     * Scans a specified file. If a dependency is identified it is added to the
+     * dependency collection.
+     *
+     * @param file The file to scan
+     * @param projectReference the name of the project or scope in which the
+     * dependency was identified
+     * @return the scanned dependency
+     * @since v1.4.4
+     */
+    protected Dependency scanFile(File file, String projectReference) {
         Dependency dependency = null;
         if (file.isFile()) {
             if (accept(file)) {
                 dependency = new Dependency(file);
+                if (projectReference != null) {
+                    dependency.addProjectReference(projectReference);
+                }
+                final String sha1 = dependency.getSha1sum();
+                boolean found = false;
+                synchronized (dependencies) {
+                    if (sha1 != null) {
+                        for (Dependency existing : dependencies) {
+                            if (sha1.equals(existing.getSha1sum())) {
+                                found = true;
+                                if (projectReference != null) {
+                                    existing.addProjectReference(projectReference);
+                                }
+                                if (existing.getActualFilePath() != null && dependency.getActualFilePath() != null
+                                        && !existing.getActualFilePath().equals(dependency.getActualFilePath())) {
+                                    existing.addRelatedDependency(dependency);
+                                } else {
+                                    dependency = existing;
+                                }
+                                break;
+                            }
+                        }
+                    }
+                    if (!found) {
                         dependencies.add(dependency);
                     }
+                }
             } else {
                 LOGGER.debug("Path passed to scanFile(File) is not a file: {}. Skipping the file.", file);
             }
+        }
         return dependency;
     }
 
     /**
-     * Runs the analyzers against all of the dependencies. Since the mutable dependencies list is exposed via
-     * {@link #getDependencies()}, this method iterates over a copy of the dependencies list. Thus, the potential for
-     * {@link java.util.ConcurrentModificationException}s is avoided, and analyzers may safely add or remove entries from the
-     * dependencies list.
+     * Runs the analyzers against all of the dependencies. Since the mutable
+     * dependencies list is exposed via {@link #getDependencies()}, this method
+     * iterates over a copy of the dependencies list. Thus, the potential for
+     * {@link java.util.ConcurrentModificationException}s is avoided, and
+     * analyzers may safely add or remove entries from the dependencies list.
+     * <p>
+     * Every effort is made to complete analysis on the dependencies. In some
+     * cases an exception will occur with part of the analysis being performed
+     * which may not affect the entire analysis. If an exception occurs it will
+     * be included in the thrown exception collection.
+     *
+     * @throws ExceptionCollection a collections of any exceptions that occurred
+     * during analysis
      */
-    public void analyzeDependencies() {
-        boolean autoUpdate = true;
-        try {
-            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
-        } catch (InvalidSettingException ex) {
-            LOGGER.debug("Invalid setting for auto-update; using true.");
-        }
-        if (autoUpdate) {
-            doUpdates();
-        }
+    public void analyzeDependencies() throws ExceptionCollection {
+        final List<Throwable> exceptions = Collections.synchronizedList(new ArrayList<Throwable>());
+
+        initializeAndUpdateDatabase(exceptions);
 
         //need to ensure that data exists
         try {
             ensureDataExists();
         } catch (NoDataException ex) {
-            LOGGER.error("{}\n\nUnable to continue dependency-check analysis.", ex.getMessage());
-            LOGGER.debug("", ex);
-            return;
-        } catch (DatabaseException ex) {
-            LOGGER.error("{}\n\nUnable to continue dependency-check analysis.", ex.getMessage());
-            LOGGER.debug("", ex);
-            return;
-
+            throwFatalExceptionCollection("Unable to continue dependency-check analysis.", ex, exceptions);
         }
 
         LOGGER.debug("\n----------------------------------------------------\nBEGIN ANALYSIS\n----------------------------------------------------");
-        LOGGER.info("Analysis Starting");
+        LOGGER.info("Analysis Started");
         final long analysisStart = System.currentTimeMillis();
 
         // analysis phases
         for (AnalysisPhase phase : AnalysisPhase.values()) {
             final List<Analyzer> analyzerList = analyzers.get(phase);
 
-            for (Analyzer a : analyzerList) {
-                a = initializeAnalyzer(a);
-
-                /* need to create a copy of the collection because some of the
-                 * analyzers may modify it. This prevents ConcurrentModificationExceptions.
-                 * This is okay for adds/deletes because it happens per analyzer.
-                 */
-                LOGGER.debug("Begin Analyzer '{}'", a.getName());
-                final Set<Dependency> dependencySet = new HashSet<Dependency>(dependencies);
-                for (Dependency d : dependencySet) {
-                    boolean shouldAnalyze = true;
-                    if (a instanceof FileTypeAnalyzer) {
-                        final FileTypeAnalyzer fAnalyzer = (FileTypeAnalyzer) a;
-                        shouldAnalyze = fAnalyzer.accept(d.getActualFile());
-                    }
-                    if (shouldAnalyze) {
-                        LOGGER.debug("Begin Analysis of '{}'", d.getActualFilePath());
+            for (final Analyzer analyzer : analyzerList) {
+                final long analyzerStart = System.currentTimeMillis();
                 try {
-                            a.analyze(d, this);
-                        } catch (AnalysisException ex) {
-                            LOGGER.warn("An error occurred while analyzing '{}'.", d.getActualFilePath());
-                            LOGGER.debug("", ex);
-                        } catch (Throwable ex) {
-                            //final AnalysisException ax = new AnalysisException(axMsg, ex);
-                            LOGGER.warn("An unexpected error occurred during analysis of '{}'", d.getActualFilePath());
-                            LOGGER.debug("", ex);
-                        }
+                    initializeAnalyzer(analyzer);
+                } catch (InitializationException ex) {
+                    exceptions.add(ex);
+                    continue;
                 }
+
+                if (analyzer.isEnabled()) {
+                    executeAnalysisTasks(analyzer, exceptions);
+
+                    final long analyzerDurationMillis = System.currentTimeMillis() - analyzerStart;
+                    final long analyzerDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(analyzerDurationMillis);
+                    LOGGER.info("Finished {} ({} seconds)", analyzer.getName(), analyzerDurationSeconds);
+                } else {
+                    LOGGER.debug("Skipping {} (not enabled)", analyzer.getName());
                 }
             }
         }
@@ -379,20 +534,134 @@ public class Engine implements FileFilter {
         }
 
         LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------");
-        LOGGER.info("Analysis Complete ({} ms)", System.currentTimeMillis() - analysisStart);
+        final long analysisDurationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - analysisStart);
+        LOGGER.info("Analysis Complete ({} seconds)", analysisDurationSeconds);
+        if (exceptions.size() > 0) {
+            throw new ExceptionCollection("One or more exceptions occurred during dependency-check analysis", exceptions);
+        }
+    }
+
+    /**
+     * Performs any necessary updates and initializes the database.
+     *
+     * @param exceptions a collection to store non-fatal exceptions
+     * @throws ExceptionCollection thrown if fatal exceptions occur
+     */
+    private void initializeAndUpdateDatabase(final List<Throwable> exceptions) throws ExceptionCollection {
+        boolean autoUpdate = true;
+        try {
+            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+        } catch (InvalidSettingException ex) {
+            LOGGER.debug("Invalid setting for auto-update; using true.");
+            exceptions.add(ex);
+        }
+        if (autoUpdate) {
+            try {
+                database = CveDB.getInstance();
+                doUpdates();
+            } catch (UpdateException ex) {
+                exceptions.add(ex);
+                LOGGER.warn("Unable to update Cached Web DataSource, using local "
+                        + "data instead. Results may not include recent vulnerabilities.");
+                LOGGER.debug("Update Error", ex);
+            } catch (DatabaseException ex) {
+                throw new ExceptionCollection("Unable to connect to the database", ex);
+            }
+        } else {
+            try {
+                if (ConnectionFactory.isH2Connection() && !ConnectionFactory.h2DataFileExists()) {
+                    throw new ExceptionCollection(new NoDataException("Autoupdate is disabled and the database does not exist"), true);
+                } else {
+                    database = CveDB.getInstance();
+                }
+            } catch (IOException ex) {
+                throw new ExceptionCollection(new DatabaseException("Autoupdate is disabled and unable to connect to the database"), true);
+            } catch (DatabaseException ex) {
+                throwFatalExceptionCollection("Unable to connect to the dependency-check database.", ex, exceptions);
+            }
+        }
+    }
+
+    /**
+     * Executes executes the analyzer using multiple threads.
+     *
+     * @param exceptions a collection of exceptions that occurred during
+     * analysis
+     * @param analyzer the analyzer to execute
+     * @throws ExceptionCollection thrown if exceptions occurred during analysis
+     */
+    protected void executeAnalysisTasks(Analyzer analyzer, List<Throwable> exceptions) throws ExceptionCollection {
+        LOGGER.debug("Starting {}", analyzer.getName());
+        final List<AnalysisTask> analysisTasks = getAnalysisTasks(analyzer, exceptions);
+        final ExecutorService executorService = getExecutorService(analyzer);
+
+        try {
+            final List<Future<Void>> results = executorService.invokeAll(analysisTasks, 10, TimeUnit.MINUTES);
+
+            // ensure there was no exception during execution
+            for (Future<Void> result : results) {
+                try {
+                    result.get();
+                } catch (ExecutionException e) {
+                    throwFatalExceptionCollection("Analysis task failed with a fatal exception.", e, exceptions);
+                } catch (CancellationException e) {
+                    throwFatalExceptionCollection("Analysis task timed out.", e, exceptions);
+                }
+            }
+        } catch (InterruptedException e) {
+            throwFatalExceptionCollection("Analysis has been interrupted.", e, exceptions);
+        } finally {
+            executorService.shutdown();
+        }
+    }
+
+    /**
+     * Returns the analysis tasks for the dependencies.
+     *
+     * @param analyzer the analyzer to create tasks for
+     * @param exceptions the collection of exceptions to collect
+     * @return a collection of analysis tasks
+     */
+    protected List<AnalysisTask> getAnalysisTasks(Analyzer analyzer, List<Throwable> exceptions) {
+        final List<AnalysisTask> result = new ArrayList<>();
+        synchronized (dependencies) {
+            for (final Dependency dependency : dependencies) {
+                final AnalysisTask task = new AnalysisTask(analyzer, dependency, this, exceptions, Settings.getInstance());
+                result.add(task);
+            }
+        }
+        return result;
+    }
+
+    /**
+     * Returns the executor service for a given analyzer.
+     *
+     * @param analyzer the analyzer to obtain an executor
+     * @return the executor service
+     */
+    protected ExecutorService getExecutorService(Analyzer analyzer) {
+        if (analyzer.supportsParallelProcessing()) {
+            final int maximumNumberOfThreads = Runtime.getRuntime().availableProcessors();
+            LOGGER.debug("Parallel processing with up to {} threads: {}.", maximumNumberOfThreads, analyzer.getName());
+            return Executors.newFixedThreadPool(maximumNumberOfThreads);
+        } else {
+            LOGGER.debug("Parallel processing is not supported: {}.", analyzer.getName());
+            return Executors.newSingleThreadExecutor();
+        }
     }
 
     /**
      * Initializes the given analyzer.
      *
      * @param analyzer the analyzer to initialize
-     * @return the initialized analyzer
+     * @throws InitializationException thrown when there is a problem
+     * initializing the analyzer
      */
-    protected Analyzer initializeAnalyzer(Analyzer analyzer) {
+    protected void initializeAnalyzer(Analyzer analyzer) throws InitializationException {
         try {
             LOGGER.debug("Initializing {}", analyzer.getName());
             analyzer.initialize();
-        } catch (Throwable ex) {
+        } catch (InitializationException ex) {
             LOGGER.error("Exception occurred initializing {}.", analyzer.getName());
             LOGGER.debug("", ex);
             try {
@@ -400,8 +669,17 @@ public class Engine implements FileFilter {
             } catch (Throwable ex1) {
                 LOGGER.trace("", ex1);
             }
+            throw ex;
+        } catch (Throwable ex) {
+            LOGGER.error("Unexpected exception occurred initializing {}.", analyzer.getName());
+            LOGGER.debug("", ex);
+            try {
+                analyzer.close();
+            } catch (Throwable ex1) {
+                LOGGER.trace("", ex1);
+            }
+            throw new InitializationException("Unexpected Exception", ex);
         }
-        return analyzer;
     }
 
     /**
@@ -419,33 +697,31 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Cycles through the cached web data sources and calls update on all of them.
+     * Cycles through the cached web data sources and calls update on all of
+     * them.
+     *
+     * @throws UpdateException thrown if the operation fails
      */
-    public void doUpdates() {
+    public void doUpdates() throws UpdateException {
         LOGGER.info("Checking for updates");
         final long updateStart = System.currentTimeMillis();
         final UpdateService service = new UpdateService(serviceClassLoader);
         final Iterator<CachedWebDataSource> iterator = service.getDataSources();
         while (iterator.hasNext()) {
             final CachedWebDataSource source = iterator.next();
-            try {
             source.update();
-            } catch (UpdateException ex) {
-                LOGGER.warn(
-                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
-                LOGGER.debug("Unable to update details for {}", source.getClass().getName(), ex);
-            }
         }
         LOGGER.info("Check for updates complete ({} ms)", System.currentTimeMillis() - updateStart);
     }
 
     /**
-     * Returns a full list of all of the analyzers. This is useful for reporting which analyzers where used.
+     * Returns a full list of all of the analyzers. This is useful for reporting
+     * which analyzers where used.
      *
      * @return a list of Analyzers
      */
     public List<Analyzer> getAnalyzers() {
-        final List<Analyzer> ret = new ArrayList<Analyzer>();
+        final List<Analyzer> ret = new ArrayList<>();
         for (AnalysisPhase phase : AnalysisPhase.values()) {
             final List<Analyzer> analyzerList = analyzers.get(phase);
             ret.addAll(analyzerList);
@@ -457,7 +733,8 @@ public class Engine implements FileFilter {
      * Checks all analyzers to see if an extension is supported.
      *
      * @param file a file extension
-     * @return true or false depending on whether or not the file extension is supported
+     * @return true or false depending on whether or not the file extension is
+     * supported
      */
     @Override
     public boolean accept(File file) {
@@ -483,22 +760,40 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown.
+     * Adds a file type analyzer. This has been added solely to assist in unit
+     * testing the Engine.
+     *
+     * @param fta the file type analyzer to add
+     */
+    protected void addFileTypeAnalyzer(FileTypeAnalyzer fta) {
+        this.fileTypeAnalyzers.add(fta);
+    }
+
+    /**
+     * Checks the CPE Index to ensure documents exists. If none exist a
+     * NoDataException is thrown.
      *
      * @throws NoDataException thrown if no data exists in the CPE Index
-     * @throws DatabaseException thrown if there is an exception opening the database
      */
-    private void ensureDataExists() throws NoDataException, DatabaseException {
-        final CveDB cve = new CveDB();
-        try {
-            cve.open();
-            if (!cve.dataExists()) {
+    private void ensureDataExists() throws NoDataException {
+        if (database == null || !database.dataExists()) {
             throw new NoDataException("No documents exist");
         }
-        } catch (DatabaseException ex) {
-            throw new NoDataException(ex.getMessage(), ex);
-        } finally {
-            cve.close();
     }
+
+    /**
+     * Constructs and throws a fatal exception collection.
+     *
+     * @param message the exception message
+     * @param throwable the cause
+     * @param exceptions a collection of exception to include
+     * @throws ExceptionCollection a collection of exceptions that occurred
+     * during analysis
+     */
+    private void throwFatalExceptionCollection(String message, Throwable throwable, List<Throwable> exceptions) throws ExceptionCollection {
+        LOGGER.error("{}\n\n{}", throwable.getMessage(), message);
+        LOGGER.debug("", throwable);
+        exceptions.add(throwable);
+        throw new ExceptionCollection(message, exceptions, true);
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -27,6 +27,8 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.exception.ReportException;
 import org.owasp.dependencycheck.exception.ScanAgentException;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.Settings;
@@ -34,10 +36,12 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * This class provides a way to easily conduct a scan solely based on existing evidence metadata rather than collecting evidence
- * from the files themselves. This class is based on the Ant task and Maven plugin with the exception that it takes a list of
- * dependencies that can be programmatically added from data in a spreadsheet, database or some other datasource and conduct a
- * scan based on this pre-defined evidence.
+ * This class provides a way to easily conduct a scan solely based on existing
+ * evidence metadata rather than collecting evidence from the files themselves.
+ * This class is based on the Ant task and Maven plugin with the exception that
+ * it takes a list of dependencies that can be programmatically added from data
+ * in a spreadsheet, database or some other datasource and conduct a scan based
+ * on this pre-defined evidence.
  *
  * <h2>Example:</h2>
  * <pre>
@@ -60,6 +64,7 @@ import org.slf4j.LoggerFactory;
 @SuppressWarnings("unused")
 public class DependencyCheckScanAgent {
 
+    //<editor-fold defaultstate="collapsed" desc="private fields">
     /**
      * System specific new line character.
      */
@@ -72,6 +77,141 @@ public class DependencyCheckScanAgent {
      * The application name for the report.
      */
     private String applicationName = "Dependency-Check";
+    /**
+     * The pre-determined dependencies to scan
+     */
+    private List<Dependency> dependencies;
+    /**
+     * The location of the data directory that contains
+     */
+    private String dataDirectory = null;
+    /**
+     * Specifies the destination directory for the generated Dependency-Check
+     * report.
+     */
+    private String reportOutputDirectory;
+    /**
+     * Specifies if the build should be failed if a CVSS score above a specified
+     * level is identified. The default is 11 which means since the CVSS scores
+     * are 0-10, by default the build will never fail and the CVSS score is set
+     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
+     * anything above 10 will not cause the build to fail.
+     */
+    private float failBuildOnCVSS = 11;
+    /**
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
+     * recommended that this be turned to false. Default is true.
+     */
+    private boolean autoUpdate = true;
+    /**
+     * flag indicating whether or not to generate a report of findings.
+     */
+    private boolean generateReport = true;
+    /**
+     * The report format to be generated (HTML, XML, VULN, ALL). This
+     * configuration option has no affect if using this within the Site plugin
+     * unless the externalReport is set to true. Default is HTML.
+     */
+    private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
+    /**
+     * The Proxy Server.
+     */
+    private String proxyServer;
+    /**
+     * The Proxy Port.
+     */
+    private String proxyPort;
+    /**
+     * The Proxy username.
+     */
+    private String proxyUsername;
+    /**
+     * The Proxy password.
+     */
+    private String proxyPassword;
+    /**
+     * The Connection Timeout.
+     */
+    private String connectionTimeout;
+    /**
+     * The file path used for verbose logging.
+     */
+    private String logFile = null;
+    /**
+     * flag indicating whether or not to show a summary of findings.
+     */
+    private boolean showSummary = true;
+    /**
+     * The path to the suppression file.
+     */
+    private String suppressionFile;
+    /**
+     * The password to use when connecting to the database.
+     */
+    private String databasePassword;
+    /**
+     * Whether or not the Maven Central analyzer is enabled.
+     */
+    private boolean centralAnalyzerEnabled = true;
+    /**
+     * The URL of Maven Central.
+     */
+    private String centralUrl;
+    /**
+     * Whether or not the nexus analyzer is enabled.
+     */
+    private boolean nexusAnalyzerEnabled = true;
+    /**
+     * The URL of the Nexus server.
+     */
+    private String nexusUrl;
+    /**
+     * Whether or not the defined proxy should be used when connecting to Nexus.
+     */
+    private boolean nexusUsesProxy = true;
+    /**
+     * The database driver name; such as org.h2.Driver.
+     */
+    private String databaseDriverName;
+    /**
+     * The path to the database driver JAR file if it is not on the class path.
+     */
+    private String databaseDriverPath;
+    /**
+     * The database connection string.
+     */
+    private String connectionString;
+    /**
+     * The user name for connecting to the database.
+     */
+    private String databaseUser;
+    /**
+     * Additional ZIP File extensions to add analyze. This should be a
+     * comma-separated list of file extensions to treat like ZIP files.
+     */
+    private String zipExtensions;
+    /**
+     * The url for the modified NVD CVE (1.2 schema).
+     */
+    private String cveUrl12Modified;
+    /**
+     * The url for the modified NVD CVE (2.0 schema).
+     */
+    private String cveUrl20Modified;
+    /**
+     * Base Data Mirror URL for CVE 1.2.
+     */
+    private String cveUrl12Base;
+    /**
+     * Data Mirror URL for CVE 2.0.
+     */
+    private String cveUrl20Base;
+    /**
+     * The path to Mono for .NET assembly analysis on non-windows systems.
+     */
+    private String pathToMono;
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="getters/setters">
 
     /**
      * Get the value of applicationName.
@@ -91,11 +231,6 @@ public class DependencyCheckScanAgent {
         this.applicationName = applicationName;
     }
 
-    /**
-     * The pre-determined dependencies to scan
-     */
-    private List<Dependency> dependencies;
-
     /**
      * Returns a list of pre-determined dependencies.
      *
@@ -114,11 +249,6 @@ public class DependencyCheckScanAgent {
         this.dependencies = dependencies;
     }
 
-    /**
-     * The location of the data directory that contains
-     */
-    private String dataDirectory = null;
-
     /**
      * Get the value of dataDirectory.
      *
@@ -137,11 +267,6 @@ public class DependencyCheckScanAgent {
         this.dataDirectory = dataDirectory;
     }
 
-    /**
-     * Specifies the destination directory for the generated Dependency-Check report.
-     */
-    private String reportOutputDirectory;
-
     /**
      * Get the value of reportOutputDirectory.
      *
@@ -160,13 +285,6 @@ public class DependencyCheckScanAgent {
         this.reportOutputDirectory = reportOutputDirectory;
     }
 
-    /**
-     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
-     * means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
-     * for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
-     */
-    private float failBuildOnCVSS = 11;
-
     /**
      * Get the value of failBuildOnCVSS.
      *
@@ -185,12 +303,6 @@ public class DependencyCheckScanAgent {
         this.failBuildOnCVSS = failBuildOnCVSS;
     }
 
-    /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
-     * is true.
-     */
-    private boolean autoUpdate = true;
-
     /**
      * Get the value of autoUpdate.
      *
@@ -209,11 +321,6 @@ public class DependencyCheckScanAgent {
         this.autoUpdate = autoUpdate;
     }
 
-    /**
-     * flag indicating whether or not to generate a report of findings.
-     */
-    private boolean generateReport = true;
-
     /**
      * Get the value of generateReport.
      *
@@ -232,12 +339,6 @@ public class DependencyCheckScanAgent {
         this.generateReport = generateReport;
     }
 
-    /**
-     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
-     * Site plugin unless the externalReport is set to true. Default is HTML.
-     */
-    private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
-
     /**
      * Get the value of reportFormat.
      *
@@ -256,11 +357,6 @@ public class DependencyCheckScanAgent {
         this.reportFormat = reportFormat;
     }
 
-    /**
-     * The Proxy Server.
-     */
-    private String proxyServer;
-
     /**
      * Get the value of proxyServer.
      *
@@ -283,7 +379,9 @@ public class DependencyCheckScanAgent {
      * Get the value of proxyServer.
      *
      * @return the value of proxyServer
-     * @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#getProxyServer()} instead
+     * @deprecated use
+     * {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#getProxyServer()}
+     * instead
      */
     @Deprecated
     public String getProxyUrl() {
@@ -302,11 +400,6 @@ public class DependencyCheckScanAgent {
         this.proxyServer = proxyUrl;
     }
 
-    /**
-     * The Proxy Port.
-     */
-    private String proxyPort;
-
     /**
      * Get the value of proxyPort.
      *
@@ -325,11 +418,6 @@ public class DependencyCheckScanAgent {
         this.proxyPort = proxyPort;
     }
 
-    /**
-     * The Proxy username.
-     */
-    private String proxyUsername;
-
     /**
      * Get the value of proxyUsername.
      *
@@ -348,11 +436,6 @@ public class DependencyCheckScanAgent {
         this.proxyUsername = proxyUsername;
     }
 
-    /**
-     * The Proxy password.
-     */
-    private String proxyPassword;
-
     /**
      * Get the value of proxyPassword.
      *
@@ -371,11 +454,6 @@ public class DependencyCheckScanAgent {
         this.proxyPassword = proxyPassword;
     }
 
-    /**
-     * The Connection Timeout.
-     */
-    private String connectionTimeout;
-
     /**
      * Get the value of connectionTimeout.
      *
@@ -394,11 +472,6 @@ public class DependencyCheckScanAgent {
         this.connectionTimeout = connectionTimeout;
     }
 
-    /**
-     * The file path used for verbose logging.
-     */
-    private String logFile = null;
-
     /**
      * Get the value of logFile.
      *
@@ -417,11 +490,6 @@ public class DependencyCheckScanAgent {
         this.logFile = logFile;
     }
 
-    /**
-     * The path to the suppression file.
-     */
-    private String suppressionFile;
-
     /**
      * Get the value of suppressionFile.
      *
@@ -440,11 +508,6 @@ public class DependencyCheckScanAgent {
         this.suppressionFile = suppressionFile;
     }
 
-    /**
-     * flag indicating whether or not to show a summary of findings.
-     */
-    private boolean showSummary = true;
-
     /**
      * Get the value of showSummary.
      *
@@ -463,11 +526,6 @@ public class DependencyCheckScanAgent {
         this.showSummary = showSummary;
     }
 
-    /**
-     * Whether or not the Maven Central analyzer is enabled.
-     */
-    private boolean centralAnalyzerEnabled = true;
-
     /**
      * Get the value of centralAnalyzerEnabled.
      *
@@ -486,11 +544,6 @@ public class DependencyCheckScanAgent {
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
     }
 
-    /**
-     * The URL of Maven Central.
-     */
-    private String centralUrl;
-
     /**
      * Get the value of centralUrl.
      *
@@ -509,11 +562,6 @@ public class DependencyCheckScanAgent {
         this.centralUrl = centralUrl;
     }
 
-    /**
-     * Whether or not the nexus analyzer is enabled.
-     */
-    private boolean nexusAnalyzerEnabled = true;
-
     /**
      * Get the value of nexusAnalyzerEnabled.
      *
@@ -532,11 +580,6 @@ public class DependencyCheckScanAgent {
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
     }
 
-    /**
-     * The URL of the Nexus server.
-     */
-    private String nexusUrl;
-
     /**
      * Get the value of nexusUrl.
      *
@@ -555,11 +598,6 @@ public class DependencyCheckScanAgent {
         this.nexusUrl = nexusUrl;
     }
 
-    /**
-     * Whether or not the defined proxy should be used when connecting to Nexus.
-     */
-    private boolean nexusUsesProxy = true;
-
     /**
      * Get the value of nexusUsesProxy.
      *
@@ -578,11 +616,6 @@ public class DependencyCheckScanAgent {
         this.nexusUsesProxy = nexusUsesProxy;
     }
 
-    /**
-     * The database driver name; such as org.h2.Driver.
-     */
-    private String databaseDriverName;
-
     /**
      * Get the value of databaseDriverName.
      *
@@ -601,11 +634,6 @@ public class DependencyCheckScanAgent {
         this.databaseDriverName = databaseDriverName;
     }
 
-    /**
-     * The path to the database driver JAR file if it is not on the class path.
-     */
-    private String databaseDriverPath;
-
     /**
      * Get the value of databaseDriverPath.
      *
@@ -624,11 +652,6 @@ public class DependencyCheckScanAgent {
         this.databaseDriverPath = databaseDriverPath;
     }
 
-    /**
-     * The database connection string.
-     */
-    private String connectionString;
-
     /**
      * Get the value of connectionString.
      *
@@ -647,11 +670,6 @@ public class DependencyCheckScanAgent {
         this.connectionString = connectionString;
     }
 
-    /**
-     * The user name for connecting to the database.
-     */
-    private String databaseUser;
-
     /**
      * Get the value of databaseUser.
      *
@@ -670,11 +688,6 @@ public class DependencyCheckScanAgent {
         this.databaseUser = databaseUser;
     }
 
-    /**
-     * The password to use when connecting to the database.
-     */
-    private String databasePassword;
-
     /**
      * Get the value of databasePassword.
      *
@@ -693,12 +706,6 @@ public class DependencyCheckScanAgent {
         this.databasePassword = databasePassword;
     }
 
-    /**
-     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
-     * files.
-     */
-    private String zipExtensions;
-
     /**
      * Get the value of zipExtensions.
      *
@@ -717,11 +724,6 @@ public class DependencyCheckScanAgent {
         this.zipExtensions = zipExtensions;
     }
 
-    /**
-     * The url for the modified NVD CVE (1.2 schema).
-     */
-    private String cveUrl12Modified;
-
     /**
      * Get the value of cveUrl12Modified.
      *
@@ -740,11 +742,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl12Modified = cveUrl12Modified;
     }
 
-    /**
-     * The url for the modified NVD CVE (2.0 schema).
-     */
-    private String cveUrl20Modified;
-
     /**
      * Get the value of cveUrl20Modified.
      *
@@ -763,11 +760,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl20Modified = cveUrl20Modified;
     }
 
-    /**
-     * Base Data Mirror URL for CVE 1.2.
-     */
-    private String cveUrl12Base;
-
     /**
      * Get the value of cveUrl12Base.
      *
@@ -786,11 +778,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl12Base = cveUrl12Base;
     }
 
-    /**
-     * Data Mirror URL for CVE 2.0.
-     */
-    private String cveUrl20Base;
-
     /**
      * Get the value of cveUrl20Base.
      *
@@ -809,11 +796,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl20Base = cveUrl20Base;
     }
 
-    /**
-     * The path to Mono for .NET assembly analysis on non-windows systems.
-     */
-    private String pathToMono;
-
     /**
      * Get the value of pathToMono.
      *
@@ -831,16 +813,23 @@ public class DependencyCheckScanAgent {
     public void setPathToMono(String pathToMono) {
         this.pathToMono = pathToMono;
     }
+    //</editor-fold>
 
     /**
      * Executes the Dependency-Check on the dependent libraries.
      *
      * @return the Engine used to scan the dependencies.
-     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException thrown if there is an exception connecting to the database
+     * @throws ExceptionCollection a collection of one or more exceptions that
+     * occurred during analysis.
      */
-    private Engine executeDependencyCheck() throws DatabaseException {
+    private Engine executeDependencyCheck() throws ExceptionCollection {
         populateSettings();
-        final Engine engine = new Engine();
+        final Engine engine;
+        try {
+            engine = new Engine();
+        } catch (DatabaseException ex) {
+            throw new ExceptionCollection(ex, true);
+        }
         engine.setDependencies(this.dependencies);
         engine.analyzeDependencies();
         return engine;
@@ -854,35 +843,25 @@ public class DependencyCheckScanAgent {
      */
     private void generateExternalReports(Engine engine, File outDirectory) {
         DatabaseProperties prop = null;
-        CveDB cve = null;
-        try {
-            cve = new CveDB();
-            cve.open();
+        try (CveDB cve = CveDB.getInstance()) {
             prop = cve.getDatabaseProperties();
         } catch (DatabaseException ex) {
+            //TODO shouldn't this be a fatal exception
             LOGGER.debug("Unable to retrieve DB Properties", ex);
-        } finally {
-            if (cve != null) {
-                cve.close();
-            }
         }
         final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
         try {
             r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
-        } catch (IOException ex) {
-            LOGGER.error(
-                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
-            LOGGER.debug("", ex);
-        } catch (Throwable ex) {
-            LOGGER.error(
-                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
+        } catch (IOException | ReportException ex) {
+            LOGGER.error("Unexpected exception occurred during analysis; please see the verbose error log for more details.");
             LOGGER.debug("", ex);
         }
     }
 
     /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
-     * required to change the proxy server, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings.
+     * Additionally, this sets the system properties required to change the
+     * proxy server, port, and connection timeout.
      */
     private void populateSettings() {
         Settings.initialize();
@@ -925,7 +904,8 @@ public class DependencyCheckScanAgent {
      * Executes the dependency-check and generates the report.
      *
      * @return a reference to the engine used to perform the scan.
-     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the scan.
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if
+     * there is an exception executing the scan.
      */
     public Engine execute() throws ScanAgentException {
         Engine engine = null;
@@ -940,10 +920,12 @@ public class DependencyCheckScanAgent {
             if (this.failBuildOnCVSS <= 10) {
                 checkForFailure(engine.getDependencies());
             }
-        } catch (DatabaseException ex) {
-            LOGGER.error(
-                    "Unable to connect to the dependency-check database; analysis has stopped");
+        } catch (ExceptionCollection ex) {
+            if (ex.isFatal()) {
+                LOGGER.error("A fatal exception occurred during analysis; analysis has stopped. Please see the debug log for more details.");
                 LOGGER.debug("", ex);
+            }
+            throw new ScanAgentException("One or more exceptions occurred during analysis; please see the debug log for more details.", ex);
         } finally {
             Settings.cleanup(true);
             if (engine != null) {
@@ -954,11 +936,12 @@ public class DependencyCheckScanAgent {
     }
 
     /**
-     * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
-     * configuration.
+     * Checks to see if a vulnerability has been identified with a CVSS score
+     * that is above the threshold set in the configuration.
      *
      * @param dependencies the list of dependency objects
-     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the scan.
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if
+     * there is an exception executing the scan.
      */
     private void checkForFailure(List<Dependency> dependencies) throws ScanAgentException {
         final StringBuilder ids = new StringBuilder();
@@ -978,7 +961,7 @@ public class DependencyCheckScanAgent {
         }
         if (ids.length() > 0) {
             final String msg = String.format("%n%nDependency-Check Failure:%n"
-                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
+                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater than '%.1f': %s%n"
                     + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
 
             throw new ScanAgentException(msg);
@@ -986,7 +969,8 @@ public class DependencyCheckScanAgent {
     }
 
     /**
-     * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
+     * Generates a warning message listing a summary of dependencies and their
+     * associated CPE and CVE entries.
      *
      * @param dependencies a list of dependency objects
      */
@@ -1023,5 +1007,4 @@ public class DependencyCheckScanAgent {
                     summary.toString());
         }
     }
-
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -17,20 +17,125 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 /**
+ * Base class for analyzers to avoid code duplication of initialize and close as
+ * most analyzers do not need these methods.
  *
  * @author Jeremy Long
  */
 public abstract class AbstractAnalyzer implements Analyzer {
 
     /**
-     * The initialize method does nothing for this Analyzer.
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractAnalyzer.class);
+    /**
+     * A flag indicating whether or not the analyzer is enabled.
+     */
+    private volatile boolean enabled = true;
+
+    /**
+     * Get the value of enabled.
+     *
+     * @return the value of enabled
+     */
+    @Override
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    /**
+     * Set the value of enabled.
+     *
+     * @param enabled new value of enabled
+     */
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    protected abstract String getAnalyzerEnabledSettingKey();
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a
+     * WAR or EAR, the contents are extracted, scanned, and added to the list of
+     * dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    protected abstract void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException;
+
+    /**
+     * Initializes a given Analyzer. This will be skipped if the analyzer is
+     * disabled.
+     *
+     * @throws InitializationException thrown if there is an exception
+     */
+    protected void initializeAnalyzer() throws InitializationException {
+    }
+
+    /**
+     * Closes a given Analyzer. This will be skipped if the analyzer is
+     * disabled.
      *
      * @throws Exception thrown if there is an exception
      */
+    protected void closeAnalyzer() throws Exception {
+        // Intentionally empty, analyzer will override this if they must close a resource.
+    }
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a
+     * WAR or EAR, the contents are extracted, scanned, and added to the list of
+     * dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
     @Override
-    public void initialize() throws Exception {
-        //do nothing
+    public final void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        if (this.isEnabled()) {
+            analyzeDependency(dependency, engine);
+        }
+    }
+
+    /**
+     * The initialize method does nothing for this Analyzer.
+     *
+     * @throws InitializationException thrown if there is an exception
+     */
+    @Override
+    public final void initialize() throws InitializationException {
+        final String key = getAnalyzerEnabledSettingKey();
+        try {
+            this.setEnabled(Settings.getBoolean(key, true));
+        } catch (InvalidSettingException ex) {
+            LOGGER.warn("Invalid setting for property '{}'", key);
+            LOGGER.debug("", ex);
+        }
+
+        if (isEnabled()) {
+            initializeAnalyzer();
+        } else {
+            LOGGER.debug("{} has been disabled", getName());
+        }
     }
 
     /**
@@ -39,7 +144,19 @@ public abstract class AbstractAnalyzer implements Analyzer {
      * @throws Exception thrown if there is an exception
      */
     @Override
-    public void close() throws Exception {
-        //do nothing
+    public final void close() throws Exception {
+        if (isEnabled()) {
+            closeAnalyzer();
+        }
+    }
+
+    /**
+     * The default is to support parallel processing.
+     *
+     * @return true
+     */
+    @Override
+    public boolean supportsParallelProcessing() {
+        return true;
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -17,11 +17,6 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.utils.InvalidSettingException;
-import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -30,24 +25,17 @@ import java.io.FileFilter;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
+import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
- * The base FileTypeAnalyzer that all analyzers that have specific file types they analyze should extend.
+ * The base FileTypeAnalyzer that all analyzers that have specific file types
+ * they analyze should extend.
  *
  * @author Jeremy Long
  */
 public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
 
-    //<editor-fold defaultstate="collapsed" desc="Constructor">
-    /**
-     * Base constructor that all children must call. This checks the configuration to determine if the analyzer is enabled.
-     */
-    public AbstractFileTypeAnalyzer() {
-        reset();
-    }
-//</editor-fold>
-
-    //<editor-fold defaultstate="collapsed" desc="Field definitions">
+    //<editor-fold defaultstate="collapsed" desc="Field definitions, getters, and setters ">
     /**
      * The logger.
      */
@@ -58,7 +46,8 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
     private boolean filesMatched = false;
 
     /**
-     * Get the value of filesMatched. A flag indicating whether the scan included any file types this analyzer supports.
+     * Get the value of filesMatched. A flag indicating whether the scan
+     * included any file types this analyzer supports.
      *
      * @return the value of filesMatched
      */
@@ -67,7 +56,8 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
     }
 
     /**
-     * Set the value of filesMatched. A flag indicating whether the scan included any file types this analyzer supports.
+     * Set the value of filesMatched. A flag indicating whether the scan
+     * included any file types this analyzer supports.
      *
      * @param filesMatched new value of filesMatched
      */
@@ -75,38 +65,34 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
         this.filesMatched = filesMatched;
     }
 
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
     /**
-     * A flag indicating whether or not the analyzer is enabled.
-     */
-    private boolean enabled = true;
-
-    /**
-     * Get the value of enabled.
+     * Initializes the analyzer.
      *
-     * @return the value of enabled
+     * @throws InitializationException thrown if there is an exception during
+     * initialization
      */
-    public boolean isEnabled() {
-        return enabled;
+    @Override
+    protected final void initializeAnalyzer() throws InitializationException {
+        if (filesMatched) {
+            initializeFileTypeAnalyzer();
+        } else {
+            this.setEnabled(false);
+        }
     }
 
-    /**
-     * Set the value of enabled.
-     *
-     * @param enabled new value of enabled
-     */
-    public void setEnabled(boolean enabled) {
-        this.enabled = enabled;
-    }
-//</editor-fold>
-
+    //</editor-fold>
     //<editor-fold defaultstate="collapsed" desc="Abstract methods children must implement">
     /**
      * <p>
-     * Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed. An example would be an analyzer
-     * that inspected Java jar files. Implementors may use {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
+     * Returns the {@link java.io.FileFilter} used to determine which files are
+     * to be analyzed. An example would be an analyzer that inspected Java jar
+     * files. Implementors may use
+     * {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
      * <p>
-     * If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file
-     * loaded.</p>
+     * If the analyzer returns null it will not cause additional files to be
+     * analyzed, but will be executed against every file loaded.</p>
      *
      * @return the file filter used to determine which files are to be analyzed
      */
@@ -115,81 +101,26 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
     /**
      * Initializes the file type analyzer.
      *
-     * @throws Exception thrown if there is an exception during initialization
+     * @throws InitializationException thrown if there is an exception during
+     * initialization
      */
-    protected abstract void initializeFileTypeAnalyzer() throws Exception;
+    protected abstract void initializeFileTypeAnalyzer() throws InitializationException;
 
+    //</editor-fold>
     /**
-     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
-     * and added to the list of dependencies within the engine.
+     * Determines if the file can be analyzed by the analyzer.
      *
-     * @param dependency the dependency to analyze
-     * @param engine the engine scanning
-     * @throws AnalysisException thrown if there is an analysis exception
+     * @param pathname the path to the file
+     * @return true if the file can be analyzed by the given analyzer; otherwise
+     * false
      */
-    protected abstract void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException;
-
-    /**
-     * <p>
-     * Returns the setting key to determine if the analyzer is enabled.</p>
-     *
-     * @return the key for the analyzer's enabled property
-     */
-    protected abstract String getAnalyzerEnabledSettingKey();
-
-//</editor-fold>
-    //<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
-    /**
-     * Initializes the analyzer.
-     *
-     * @throws Exception thrown if there is an exception during initialization
-     */
-    @Override
-    public final void initialize() throws Exception {
-        if (filesMatched) {
-            initializeFileTypeAnalyzer();
-        } else {
-            enabled = false;
-        }
-    }
-
-    /**
-     * Resets the enabled flag on the analyzer.
-     */
-    @Override
-    public final void reset() {
-        final String key = getAnalyzerEnabledSettingKey();
-        try {
-            enabled = Settings.getBoolean(key, true);
-        } catch (InvalidSettingException ex) {
-            LOGGER.warn("Invalid setting for property '{}'", key);
-            LOGGER.debug("", ex);
-            LOGGER.warn("{} has been disabled", getName());
-        }
-    }
-
-    /**
-     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
-     * and added to the list of dependencies within the engine.
-     *
-     * @param dependency the dependency to analyze
-     * @param engine the engine scanning
-     * @throws AnalysisException thrown if there is an analysis exception
-     */
-    @Override
-    public final void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        if (enabled) {
-            analyzeFileType(dependency, engine);
-        }
-    }
-
     @Override
     public boolean accept(File pathname) {
         final FileFilter filter = getFileFilter();
         boolean accepted = false;
         if (null == filter) {
             LOGGER.error("The '{}' analyzer is misconfigured and does not have a file filter; it will be disabled", getName());
-        } else if (enabled) {
+        } else if (this.isEnabled()) {
             accepted = filter.accept(pathname);
             if (accepted) {
                 filesMatched = true;
@@ -198,12 +129,10 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
         return accepted;
     }
 
-    //</editor-fold>
-    //<editor-fold defaultstate="collapsed" desc="Static utility methods">
     /**
      * <p>
-     * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a final static
-     * declaration.</p>
+     * Utility method to help in the creation of the extensions set. This
+     * constructs a new Set that can be used in a final static declaration.</p>
      * <p>
      * This implementation was copied from
      * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>
@@ -212,10 +141,8 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * @return a Set of strings.
      */
     protected static Set<String> newHashSet(String... strings) {
-        final Set<String> set = new HashSet<String>(strings.length);
+        final Set<String> set = new HashSet<>(strings.length);
         Collections.addAll(set, strings);
         return set;
     }
-
-//</editor-fold>
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -25,9 +25,10 @@ import java.net.URL;
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
-import org.owasp.dependencycheck.suppression.SuppressionParseException;
-import org.owasp.dependencycheck.suppression.SuppressionParser;
-import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.xml.suppression.SuppressionParseException;
+import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
+import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileUtils;
@@ -63,12 +64,15 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
     /**
      * The initialize method loads the suppression XML file.
      *
-     * @throws Exception thrown if there is an exception
+     * @throws InitializationException thrown if there is an exception
      */
     @Override
-    public void initialize() throws Exception {
-        super.initialize();
+    public void initializeAnalyzer() throws InitializationException {
+        try {
             loadSuppressionData();
+        } catch (SuppressionParseException ex) {
+            throw new InitializationException("Error initializing the suppression analyzer", ex);
+        }
     }
 
     /**
@@ -103,13 +107,10 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
         final SuppressionParser parser = new SuppressionParser();
         File file = null;
         try {
-            rules = parser.parseSuppressionRules(this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml"));
-        } catch (SuppressionParseException ex) {
-            LOGGER.error("Unable to parse the base suppression data file");
-            LOGGER.debug("Unable to parse the base suppression data file", ex);
+            final InputStream in = this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml");
+            rules = parser.parseSuppressionRules(in);
         } catch (SAXException ex) {
-            LOGGER.error("Unable to parse the base suppression data file");
-            LOGGER.debug("Unable to parse the base suppression data file", ex);
+            throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
         }
         final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
         if (suppressionFilePath == null) {
@@ -129,8 +130,9 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
                 }
             } else {
                 file = new File(suppressionFilePath);
+
                 if (!file.exists()) {
-                    final InputStream suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath);
+                    try (InputStream suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath)) {
                         if (suppressionsFromClasspath != null) {
                             deleteTempFile = true;
                             file = FileUtils.getTempFile("suppression", "xml");
@@ -142,16 +144,19 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
                         }
                     }
                 }
-
+            }
             if (file != null) {
+                if (!file.exists()) {
+                    final String msg = String.format("Suppression file '%s' does not exists", file.getPath());
+                    LOGGER.warn(msg);
+                    throw new SuppressionParseException(msg);
+                }
                 try {
-                    //rules = parser.parseSuppressionRules(file);
                     rules.addAll(parser.parseSuppressionRules(file));
                     LOGGER.debug("{} suppression rules were loaded.", rules.size());
                 } catch (SuppressionParseException ex) {
                     LOGGER.warn("Unable to parse suppression xml file '{}'", file.getPath());
                     LOGGER.warn(ex.getMessage());
-                    LOGGER.debug("", ex);
                     throw ex;
                 }
             }
@@ -159,6 +164,8 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
             throwSuppressionParseException("Unable to fetch the configured suppression file", ex);
         } catch (MalformedURLException ex) {
             throwSuppressionParseException("Configured suppression file has an invalid URL", ex);
+        } catch (SuppressionParseException ex) {
+            throw ex;
         } catch (IOException ex) {
             throwSuppressionParseException("Unable to create temp file for suppressions", ex);
         } finally {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -36,6 +36,10 @@ public enum AnalysisPhase {
      * Information collection phase.
      */
     INFORMATION_COLLECTION,
+    /**
+     * Post information collection phase.
+     */
+    POST_INFORMATION_COLLECTION,
     /**
      * Pre identifier analysis phase.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java

@@ -20,24 +20,28 @@ package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
- * An interface that defines an Analyzer that is used to identify Dependencies. An analyzer will collect information
- * about the dependency in the form of Evidence.
+ * An interface that defines an Analyzer that is used to identify Dependencies.
+ * An analyzer will collect information about the dependency in the form of
+ * Evidence.
  *
  * @author Jeremy Long
  */
 public interface Analyzer {
 
     /**
-     * Analyzes the given dependency. The analysis could be anything from identifying an Identifier for the dependency,
-     * to finding vulnerabilities, etc. Additionally, if the analyzer collects enough information to add a description
-     * or license information for the dependency it should be added.
+     * Analyzes the given dependency. The analysis could be anything from
+     * identifying an Identifier for the dependency, to finding vulnerabilities,
+     * etc. Additionally, if the analyzer collects enough information to add a
+     * description or license information for the dependency it should be added.
      *
      * @param dependency a dependency to analyze.
-     * @param engine the engine that is scanning the dependencies - this is useful if we need to check other
-     * dependencies
-     * @throws AnalysisException is thrown if there is an error analyzing the dependency file
+     * @param engine the engine that is scanning the dependencies - this is
+     * useful if we need to check other dependencies
+     * @throws AnalysisException is thrown if there is an error analyzing the
+     * dependency file
      */
     void analyze(Dependency dependency, Engine engine) throws AnalysisException;
 
@@ -56,16 +60,33 @@ public interface Analyzer {
     AnalysisPhase getAnalysisPhase();
 
     /**
-     * The initialize method is called (once) prior to the analyze method being called on all of the dependencies.
+     * The initialize method is called (once) prior to the analyze method being
+     * called on all of the dependencies.
      *
-     * @throws Exception is thrown if an exception occurs initializing the analyzer.
+     * @throws InitializationException is thrown if an exception occurs
+     * initializing the analyzer.
      */
-    void initialize() throws Exception;
+    void initialize() throws InitializationException;
 
     /**
-     * The close method is called after all of the dependencies have been analyzed.
+     * The close method is called after all of the dependencies have been
+     * analyzed.
      *
      * @throws Exception is thrown if an exception occurs closing the analyzer.
      */
     void close() throws Exception;
+
+    /**
+     * Returns whether multiple instances of the same type of analyzer can run in parallel.
+     * Note that running analyzers of different types in parallel is not supported at all.
+     *
+     * @return {@code true} if the analyzer supports parallel processing, {@code false} else
+     */
+    boolean supportsParallelProcessing();
+    /**
+     * Get the value of enabled.
+     *
+     * @return the value of enabled
+     */
+    boolean isEnabled();
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -57,13 +57,13 @@ public class AnalyzerService {
      * @return a list of Analyzers.
      */
     public List<Analyzer> getAnalyzers() {
-        final List<Analyzer> analyzers = new ArrayList<Analyzer>();
+        final List<Analyzer> analyzers = new ArrayList<>();
         final Iterator<Analyzer> iterator = service.iterator();
         boolean experimentalEnabled = false;
         try {
             experimentalEnabled = Settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
         } catch (InvalidSettingException ex) {
-            LOGGER.error("invalide experimental setting", ex);
+            LOGGER.error("invalid experimental setting", ex);
         }
         while (iterator.hasNext()) {
             final Analyzer a = iterator.next();

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -18,17 +18,14 @@
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.BufferedInputStream;
-import java.io.Closeable;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
-import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
@@ -49,6 +46,7 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
@@ -58,8 +56,8 @@ import org.slf4j.LoggerFactory;
 
 /**
  * <p>
- * An analyzer that extracts files from archives and ensures any supported files contained within the archive are added to the
- * dependency list.</p>
+ * An analyzer that extracts files from archives and ensures any supported files
+ * contained within the archive are added to the dependency list.</p>
  *
  * @author Jeremy Long
  */
@@ -70,7 +68,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(ArchiveAnalyzer.class);
     /**
-     * The count of directories created during analysis. This is used for creating temporary directories.
+     * The count of directories created during analysis. This is used for
+     * creating temporary directories.
      */
     private static int dirCount = 0;
     /**
@@ -78,7 +77,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private File tempFileLocation = null;
     /**
-     * The max scan depth that the analyzer will recursively extract nested archives.
+     * The max scan depth that the analyzer will recursively extract nested
+     * archives.
      */
     private static final int MAX_SCAN_DEPTH = Settings.getInt("archive.scan.depth", 3);
     /**
@@ -98,43 +98,45 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * The set of things we can handle with Zip methods
      */
-    private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
+    private static final Set<String> KNOWN_ZIP_EXT = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
     /**
-     * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need to be
-     * explicitly handled in {@link #extractFiles(File, File, Engine)}.
+     * The set of file extensions supported by this analyzer. Note for
+     * developers, any additions to this list will need to be explicitly handled
+     * in {@link #extractFiles(File, File, Engine)}.
      */
     private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
 
-    /**
-     * Detects files with extensions to remove from the engine's collection of dependencies.
-     */
-    private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2")
-            .build();
-
     static {
         final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
         if (additionalZipExt != null) {
             final String[] ext = additionalZipExt.split("\\s*,\\s*");
-            Collections.addAll(ZIPPABLES, ext);
+            Collections.addAll(KNOWN_ZIP_EXT, ext);
         }
-        EXTENSIONS.addAll(ZIPPABLES);
+        EXTENSIONS.addAll(KNOWN_ZIP_EXT);
     }
 
+    /**
+     * Detects files with extensions to remove from the engine's collection of
+     * dependencies.
+     */
+    private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance()
+            .addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build();
+
     /**
      * The file filter used to filter supported files.
      */
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
 
-    @Override
-    protected FileFilter getFileFilter() {
-        return FILTER;
-    }
-
     /**
      * Detects files with .zip extension.
      */
     private static final FileFilter ZIP_FILTER = FileFilterBuilder.newInstance().addExtensions("zip").build();
 
+    @Override
+    protected FileFilter getFileFilter() {
+        return FILTER;
+    }
+
     /**
      * Returns the name of the analyzer.
      *
@@ -157,7 +159,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     //</editor-fold>
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -169,29 +172,39 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * The initialize method does nothing for this Analyzer.
      *
-     * @throws Exception is thrown if there is an exception deleting or creating temporary files
+     * @throws InitializationException is thrown if there is an exception
+     * deleting or creating temporary files
      */
     @Override
-    public void initializeFileTypeAnalyzer() throws Exception {
+    public void initializeFileTypeAnalyzer() throws InitializationException {
+        try {
             final File baseDir = Settings.getTempDirectory();
             tempFileLocation = File.createTempFile("check", "tmp", baseDir);
             if (!tempFileLocation.delete()) {
+                setEnabled(false);
                 final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
-            throw new AnalysisException(msg);
+                throw new InitializationException(msg);
             }
             if (!tempFileLocation.mkdirs()) {
+                setEnabled(false);
                 final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
-            throw new AnalysisException(msg);
+                throw new InitializationException(msg);
+            }
+        } catch (IOException ex) {
+            setEnabled(false);
+            throw new InitializationException("Unable to create a temporary file", ex);
         }
     }
 
     /**
-     * The close method deletes any temporary files and directories created during analysis.
+     * The close method deletes any temporary files and directories created
+     * during analysis.
      *
-     * @throws Exception thrown if there is an exception deleting temporary files
+     * @throws Exception thrown if there is an exception deleting temporary
+     * files
      */
     @Override
-    public void close() throws Exception {
+    public void closeAnalyzer() throws Exception {
         if (tempFileLocation != null && tempFileLocation.exists()) {
             LOGGER.debug("Attempting to delete temporary files");
             final boolean success = FileUtils.delete(tempFileLocation);
@@ -205,23 +218,40 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
-     * and added to the list of dependencies within the engine.
+     * Does not support parallel processing as it both modifies and iterates
+     * over the engine's list of dependencies.
+     *
+     * @return <code>true</code> if the analyzer supports parallel processing;
+     * otherwise <code>false</code>
+     * @see #analyzeDependency(Dependency, Engine)
+     * @see #findMoreDependencies(Engine, File)
+     */
+    @Override
+    public boolean supportsParallelProcessing() {
+        return false;
+    }
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a
+     * WAR or EAR, the contents are extracted, scanned, and added to the list of
+     * dependencies within the engine.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine scanning
      * @throws AnalysisException thrown if there is an analysis exception
      */
     @Override
-    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         final File f = new File(dependency.getActualFilePath());
         final File tmpDir = getNextTempDirectory();
         extractFiles(f, tmpDir, engine);
 
         //make a copy
-        final Set<Dependency> dependencySet = findMoreDependencies(engine, tmpDir);
-        if (!dependencySet.isEmpty()) {
+        final List<Dependency> dependencySet = findMoreDependencies(engine, tmpDir);
+
+        if (dependencySet != null && !dependencySet.isEmpty()) {
             for (Dependency d : dependencySet) {
+                if (d.getFilePath().startsWith(tmpDir.getAbsolutePath())) {
                     //fix the dependency's display name and path
                     final String displayPath = String.format("%s%s",
                             dependency.getFilePath(),
@@ -231,6 +261,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                             d.getFileName());
                     d.setFilePath(displayPath);
                     d.setFileName(displayName);
+                    d.setProjectReferences(dependency.getProjectReferences());
 
                     //TODO - can we get more evidence from the parent? EAR contains module name, etc.
                     //analyze the dependency (i.e. extract files) if it is a supported type.
@@ -239,6 +270,20 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                         analyze(d, engine);
                         scanDepth -= 1;
                     }
+                } else {
+                    for (Dependency sub : dependencySet) {
+                        if (sub.getFilePath().startsWith(tmpDir.getAbsolutePath())) {
+                            final String displayPath = String.format("%s%s",
+                                    dependency.getFilePath(),
+                                    sub.getActualFilePath().substring(tmpDir.getAbsolutePath().length()));
+                            final String displayName = String.format("%s: %s",
+                                    dependency.getFileName(),
+                                    sub.getFileName());
+                            sub.setFilePath(displayPath);
+                            sub.setFileName(displayName);
+                        }
+                    }
+                }
             }
         }
         if (REMOVE_FROM_ANALYSIS.accept(dependency.getActualFile())) {
@@ -249,7 +294,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * If a zip file was identified as a possible JAR, this method will add the zip to the list of dependencies.
+     * If a zip file was identified as a possible JAR, this method will add the
+     * zip to the list of dependencies.
      *
      * @param dependency the zip file
      * @param engine the engine
@@ -257,34 +303,41 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private void addDisguisedJarsToDependencies(Dependency dependency, Engine engine) throws AnalysisException {
         if (ZIP_FILTER.accept(dependency.getActualFile()) && isZipFileActuallyJarFile(dependency)) {
-            final File tdir = getNextTempDirectory();
+            final File tempDir = getNextTempDirectory();
             final String fileName = dependency.getFileName();
 
             LOGGER.info("The zip file '{}' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName);
-
-            final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
+            final File tmpLoc = new File(tempDir, fileName.substring(0, fileName.length() - 3) + "jar");
+            //store the archives sha1 and change it so that the engine doesn't think the zip and jar file are the same
+            // and add it is a related dependency.
+            final String archiveSha1 = dependency.getSha1sum();
             try {
-                org.apache.commons.io.FileUtils.copyFile(tdir, tmpLoc);
-                final Set<Dependency> dependencySet = findMoreDependencies(engine, tmpLoc);
-                if (!dependencySet.isEmpty()) {
-                    if (dependencySet.size() != 1) {
-                        LOGGER.info("Deep copy of ZIP to JAR file resulted in more than one dependency?");
-                    }
+                dependency.setSha1sum("");
+                org.apache.commons.io.FileUtils.copyFile(dependency.getActualFile(), tmpLoc);
+                final List<Dependency> dependencySet = findMoreDependencies(engine, tmpLoc);
+                if (dependencySet != null && !dependencySet.isEmpty()) {
                     for (Dependency d : dependencySet) {
                         //fix the dependency's display name and path
+                        if (d.getActualFile().equals(tmpLoc)) {
                             d.setFilePath(dependency.getFilePath());
                             d.setDisplayFileName(dependency.getFileName());
+                        } else {
+                            for (Dependency sub : d.getRelatedDependencies()) {
+                                if (sub.getActualFile().equals(tmpLoc)) {
+                                    sub.setFilePath(dependency.getFilePath());
+                                    sub.setDisplayFileName(dependency.getFileName());
+                                }
+                            }
+                        }
                     }
                 }
             } catch (IOException ex) {
                 LOGGER.debug("Unable to perform deep copy on '{}'", dependency.getActualFile().getPath(), ex);
+            } finally {
+                dependency.setSha1sum(archiveSha1);
             }
         }
     }
-    /**
-     * An empty dependency set.
-     */
-    private static final Set<Dependency> EMPTY_DEPENDENCY_SET = Collections.emptySet();
 
     /**
      * Scan the given file/folder, and return any new dependencies found.
@@ -293,20 +346,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      * @param file target of scanning
      * @return any dependencies that weren't known to the engine before
      */
-    private static Set<Dependency> findMoreDependencies(Engine engine, File file) {
-        final List<Dependency> before = new ArrayList<Dependency>(engine.getDependencies());
-        engine.scan(file);
-        final List<Dependency> after = engine.getDependencies();
-        final boolean sizeChanged = before.size() != after.size();
-        final Set<Dependency> newDependencies;
-        if (sizeChanged) {
-            //get the new dependencies
-            newDependencies = new HashSet<Dependency>(after);
-            newDependencies.removeAll(before);
-        } else {
-            newDependencies = EMPTY_DEPENDENCY_SET;
-        }
-        return newDependencies;
+    private static List<Dependency> findMoreDependencies(Engine engine, File file) {
+        return engine.scan(file);
     }
 
     /**
@@ -339,30 +380,49 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private void extractFiles(File archive, File destination, Engine engine) throws AnalysisException {
         if (archive != null && destination != null) {
-            FileInputStream fis;
+            String archiveExt = FileUtils.getFileExtension(archive.getName());
+            if (archiveExt == null) {
+                return;
+            }
+            archiveExt = archiveExt.toLowerCase();
+
+            final FileInputStream fis;
             try {
                 fis = new FileInputStream(archive);
             } catch (FileNotFoundException ex) {
                 LOGGER.debug("", ex);
                 throw new AnalysisException("Archive file was not found.", ex);
             }
-            final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase();
+            BufferedInputStream in = null;
+            ZipArchiveInputStream zin = null;
+            TarArchiveInputStream tin = null;
+            GzipCompressorInputStream gin = null;
+            BZip2CompressorInputStream bzin = null;
             try {
-                if (ZIPPABLES.contains(archiveExt)) {
-                    extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
+                if (KNOWN_ZIP_EXT.contains(archiveExt)) {
+                    in = new BufferedInputStream(fis);
+                    ensureReadableJar(archiveExt, in);
+                    zin = new ZipArchiveInputStream(in);
+                    extractArchive(zin, destination, engine);
                 } else if ("tar".equals(archiveExt)) {
-                    extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
+                    in = new BufferedInputStream(fis);
+                    tin = new TarArchiveInputStream(in);
+                    extractArchive(tin, destination, engine);
                 } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
                     final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
                     final File f = new File(destination, uncompressedName);
                     if (engine.accept(f)) {
-                        decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), f);
+                        in = new BufferedInputStream(fis);
+                        gin = new GzipCompressorInputStream(in);
+                        decompressFile(gin, f);
                     }
                 } else if ("bz2".equals(archiveExt) || "tbz2".equals(archiveExt)) {
                     final String uncompressedName = BZip2Utils.getUncompressedFilename(archive.getName());
                     final File f = new File(destination, uncompressedName);
                     if (engine.accept(f)) {
-                        decompressFile(new BZip2CompressorInputStream(new BufferedInputStream(fis)), f);
+                        in = new BufferedInputStream(fis);
+                        bzin = new BZip2CompressorInputStream(in);
+                        decompressFile(bzin, f);
                     }
                 }
             } catch (ArchiveExtractionException ex) {
@@ -372,7 +432,66 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                 LOGGER.warn("Exception reading archive '{}'.", archive.getName());
                 LOGGER.debug("", ex);
             } finally {
-                close(fis);
+                //overly verbose and not needed... but keeping it anyway due to
+                //having issue with file handles being left open
+                FileUtils.close(fis);
+                FileUtils.close(in);
+                FileUtils.close(zin);
+                FileUtils.close(tin);
+                FileUtils.close(gin);
+                FileUtils.close(bzin);
+            }
+        }
+    }
+
+    /**
+     * Checks if the file being scanned is a JAR that begins with '#!/bin' which
+     * indicates it is a fully executable jar. If a fully executable JAR is
+     * identified the input stream will be advanced to the start of the actual
+     * JAR file ( skipping the script).
+     *
+     * @see
+     * <a href="http://docs.spring.io/spring-boot/docs/1.3.0.BUILD-SNAPSHOT/reference/htmlsingle/#deployment-install">Installing
+     * Spring Boot Applications</a>
+     * @param archiveExt the file extension
+     * @param in the input stream
+     * @throws IOException thrown if there is an error reading the stream
+     */
+    private void ensureReadableJar(final String archiveExt, BufferedInputStream in) throws IOException {
+        if ("jar".equals(archiveExt) && in.markSupported()) {
+            in.mark(7);
+            final byte[] b = new byte[7];
+            final int read = in.read(b);
+            if (read == 7
+                    && b[0] == '#'
+                    && b[1] == '!'
+                    && b[2] == '/'
+                    && b[3] == 'b'
+                    && b[4] == 'i'
+                    && b[5] == 'n'
+                    && b[6] == '/') {
+                boolean stillLooking = true;
+                int chr;
+                int nxtChr;
+                while (stillLooking && (chr = in.read()) != -1) {
+                    if (chr == '\n' || chr == '\r') {
+                        in.mark(4);
+                        if ((chr = in.read()) != -1) {
+                            if (chr == 'P' && (chr = in.read()) != -1) {
+                                if (chr == 'K' && (chr = in.read()) != -1) {
+                                    if ((chr == 3 || chr == 5 || chr == 7) && (nxtChr = in.read()) != -1) {
+                                        if (nxtChr == chr + 1) {
+                                            stillLooking = false;
+                                            in.reset();
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            } else {
+                in.reset();
             }
         }
     }
@@ -383,7 +502,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      * @param input the archive to extract files from
      * @param destination the location to write the files too
      * @param engine the dependency-check engine
-     * @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive
+     * @throws ArchiveExtractionException thrown if there is an exception
+     * extracting files from the archive
      */
     private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
         ArchiveEntry entry;
@@ -399,10 +519,10 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                     extractAcceptedFile(input, file);
                 }
             }
-        } catch (Throwable ex) {
+        } catch (IOException | AnalysisException ex) {
             throw new ArchiveExtractionException(ex);
         } finally {
-            close(input);
+            FileUtils.close(input);
         }
     }
 
@@ -415,14 +535,12 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private static void extractAcceptedFile(ArchiveInputStream input, File file) throws AnalysisException {
         LOGGER.debug("Extracting '{}'", file.getPath());
-        FileOutputStream fos = null;
-        try {
         final File parent = file.getParentFile();
         if (!parent.isDirectory() && !parent.mkdirs()) {
             final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
             throw new AnalysisException(msg);
         }
-            fos = new FileOutputStream(file);
+        try (FileOutputStream fos = new FileOutputStream(file)) {
             IOUtils.copy(input, fos);
         } catch (FileNotFoundException ex) {
             LOGGER.debug("", ex);
@@ -432,8 +550,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
             LOGGER.debug("", ex);
             final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
             throw new AnalysisException(msg, ex);
-        } finally {
-            close(fos);
         }
     }
 
@@ -442,37 +558,16 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      *
      * @param inputStream the compressed file
      * @param outputFile the location to write the decompressed file
-     * @throws ArchiveExtractionException thrown if there is an exception decompressing the file
+     * @throws ArchiveExtractionException thrown if there is an exception
+     * decompressing the file
      */
     private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
         LOGGER.debug("Decompressing '{}'", outputFile.getPath());
-        FileOutputStream out = null;
-        try {
-            out = new FileOutputStream(outputFile);
+        try (FileOutputStream out = new FileOutputStream(outputFile)) {
             IOUtils.copy(inputStream, out);
-        } catch (FileNotFoundException ex) {
-            LOGGER.debug("", ex);
-            throw new ArchiveExtractionException(ex);
         } catch (IOException ex) {
             LOGGER.debug("", ex);
             throw new ArchiveExtractionException(ex);
-        } finally {
-            close(out);
-        }
-    }
-
-    /**
-     * Close the given {@link Closeable} instance, ignoring nulls, and logging any thrown {@link IOException}.
-     *
-     * @param closeable to be closed
-     */
-    private static void close(Closeable closeable) {
-        if (null != closeable) {
-            try {
-                closeable.close();
-            } catch (IOException ex) {
-                LOGGER.trace("", ex);
-            }
         }
     }
 
@@ -506,7 +601,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
         } finally {
             ZipFile.closeQuietly(zip);
         }
-
         return isJar;
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -37,15 +37,19 @@ import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
 
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 import java.util.ArrayList;
 import java.util.List;
+import javax.xml.parsers.ParserConfigurationException;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.apache.commons.lang3.SystemUtils;
+import org.owasp.dependencycheck.utils.XmlUtils;
 
 /**
- * Analyzer for getting company, product, and version information from a .NET assembly.
+ * Analyzer for getting company, product, and version information from a .NET
+ * assembly.
  *
  * @author colezlaw
  *
@@ -68,10 +72,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
      * The temp value for GrokAssembly.exe
      */
     private File grokAssemblyExe = null;
-    /**
-     * The DocumentBuilder for parsing the XML
-     */
-    private DocumentBuilder builder;
     /**
      * Logger
      */
@@ -82,18 +82,19 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
      *
      * @return the list of arguments to begin populating the ProcessBuilder
      */
-    private List<String> buildArgumentList() {
+    protected List<String> buildArgumentList() {
         // Use file.separator as a wild guess as to whether this is Windows
-        final List<String> args = new ArrayList<String>();
-        if (!"\\".equals(System.getProperty("file.separator"))) {
+        final List<String> args = new ArrayList<>();
+        if (!SystemUtils.IS_OS_WINDOWS) {
             if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
                 args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
-            } else {
+            } else if (isInPath("mono")) {
                 args.add("mono");
+            } else {
+                return null;
             }
         }
         args.add(grokAssemblyExe.getPath());
-
         return args;
     }
 
@@ -105,7 +106,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException if anything goes sideways
      */
     @Override
-    public void analyzeFileType(Dependency dependency, Engine engine)
+    public void analyzeDependency(Dependency dependency, Engine engine)
             throws AnalysisException {
         if (grokAssemblyExe == null) {
             LOGGER.warn("GrokAssembly didn't get deployed");
@@ -113,11 +114,16 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
         }
 
         final List<String> args = buildArgumentList();
+        if (args == null) {
+            LOGGER.warn("Assembly Analyzer was unable to execute");
+            return;
+        }
         args.add(dependency.getActualFilePath());
         final ProcessBuilder pb = new ProcessBuilder(args);
         Document doc = null;
         try {
             final Process proc = pb.start();
+            final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
 
             doc = builder.parse(proc.getInputStream());
 
@@ -138,7 +144,9 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                         dependency.getActualFilePath());
                 return;
             } else if (rc != 0) {
-                LOGGER.warn("Return code {} from GrokAssembly", rc);
+                LOGGER.debug("Return code {} from GrokAssembly; dependency-check is unable to analyze the library: {}",
+                        rc, dependency.getActualFilePath());
+                return;
             }
 
             final XPath xpath = XPathFactory.newInstance().newXPath();
@@ -167,84 +175,99 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                         product, Confidence.HIGH));
             }
 
-        } catch (IOException ioe) {
+        } catch (ParserConfigurationException pce) {
+            throw new AnalysisException("Error initializing the assembly analyzer", pce);
+        } catch (IOException | XPathExpressionException ioe) {
             throw new AnalysisException(ioe);
         } catch (SAXException saxe) {
-            throw new AnalysisException("Couldn't parse GrokAssembly result", saxe);
-        } catch (XPathExpressionException xpe) {
-            // This shouldn't happen
-            throw new AnalysisException(xpe);
+            LOGGER.error("----------------------------------------------------");
+            LOGGER.error("Failed to read the Assembly Analyzer results. "
+                    + "On some systems mono-runtime and mono-devel need to be installed.");
+            LOGGER.error("----------------------------------------------------");
+            throw new AnalysisException("Couldn't parse Assembly Analyzer results (GrokAssembly)", saxe);
         }
+        // This shouldn't happen
+
     }
 
     /**
-     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location.
+     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a
+     * temporary location.
      *
-     * @throws Exception if anything goes wrong
+     * @throws InitializationException thrown if anything goes wrong
      */
     @Override
-    public void initializeFileTypeAnalyzer() throws Exception {
-        final File tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
-        FileOutputStream fos = null;
-        InputStream is = null;
+    public void initializeFileTypeAnalyzer() throws InitializationException {
+        final File tempFile;
+        final String cfg;
         try {
-            fos = new FileOutputStream(tempFile);
-            is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
+            tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
+            cfg = tempFile.getPath() + ".config";
+        } catch (IOException ex) {
+            setEnabled(false);
+            throw new InitializationException("Unable to create temporary file for the assembly analyzer", ex);
+        }
+        try (FileOutputStream fos = new FileOutputStream(tempFile);
+                InputStream is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
+                FileOutputStream fosCfg = new FileOutputStream(cfg);
+                InputStream isCfg = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe.config")) {
             IOUtils.copy(is, fos);
-
             grokAssemblyExe = tempFile;
-            // Set the temp file to get deleted when we're done
-            grokAssemblyExe.deleteOnExit();
             LOGGER.debug("Extracted GrokAssembly.exe to {}", grokAssemblyExe.getPath());
+            IOUtils.copy(isCfg, fosCfg);
+            LOGGER.debug("Extracted GrokAssembly.exe.config to {}", cfg);
         } catch (IOException ioe) {
             this.setEnabled(false);
             LOGGER.warn("Could not extract GrokAssembly.exe: {}", ioe.getMessage());
-            throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
-        } finally {
-            if (fos != null) {
-                try {
-                    fos.close();
-                } catch (Throwable e) {
-                    LOGGER.debug("Error closing output stream");
-                }
-            }
-            if (is != null) {
-                try {
-                    is.close();
-                } catch (Throwable e) {
-                    LOGGER.debug("Error closing input stream");
-                }
-            }
+            throw new InitializationException("Could not extract GrokAssembly.exe", ioe);
         }
 
         // Now, need to see if GrokAssembly actually runs from this location.
         final List<String> args = buildArgumentList();
+        //TODO this creates an "unreported" error - if someone doesn't look
+        // at the command output this could easily be missed (especially in an
+        // Ant or Maven build.
+        //
+        // We need to create a non-fatal warning error type that will
+        // get added to the report.
+        //TODO this idea needs to get replicated to the bundle audit analyzer.
+        if (args == null) {
+            setEnabled(false);
+            LOGGER.error("----------------------------------------------------");
+            LOGGER.error(".NET Assembly Analyzer could not be initialized and at least one "
+                    + "'exe' or 'dll' was scanned. The 'mono' executable could not be found on "
+                    + "the path; either disable the Assembly Analyzer or configure the path mono. "
+                    + "On some systems mono-runtime and mono-devel need to be installed.");
+            LOGGER.error("----------------------------------------------------");
+            return;
+        }
         try {
             final ProcessBuilder pb = new ProcessBuilder(args);
             final Process p = pb.start();
             // Try evacuating the error stream
             IOUtils.copy(p.getErrorStream(), NullOutputStream.NULL_OUTPUT_STREAM);
 
-            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
+            final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
+            final Document doc = builder.parse(p.getInputStream());
             final XPath xpath = XPathFactory.newInstance().newXPath();
             final String error = xpath.evaluate("/assembly/error", doc);
             if (p.waitFor() != 1 || error == null || error.isEmpty()) {
                 LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
                 LOGGER.debug("GrokAssembly.exe is not working properly");
                 grokAssemblyExe = null;
-                this.setEnabled(false);
-                throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
+                setEnabled(false);
+                throw new InitializationException("Could not execute .NET AssemblyAnalyzer");
             }
-        } catch (AnalysisException e) {
+        } catch (InitializationException e) {
+            setEnabled(false);
             throw e;
-        } catch (Throwable e) {
+        } catch (IOException | ParserConfigurationException | SAXException | XPathExpressionException | InterruptedException e) {
             LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
                     + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
             LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-            this.setEnabled(false);
-            throw new AnalysisException("An error occurred with the .NET AssemblyAnalyzer", e);
+            setEnabled(false);
+            throw new InitializationException("An error occurred with the .NET AssemblyAnalyzer", e);
         }
-        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
     }
 
     /**
@@ -253,14 +276,15 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws Exception thrown if there is a problem closing the analyzer
      */
     @Override
-    public void close() throws Exception {
-        super.close();
+    public void closeAnalyzer() throws Exception {
         try {
             if (grokAssemblyExe != null && !grokAssemblyExe.delete()) {
+                LOGGER.debug("Unable to delete temporary GrokAssembly.exe; attempting delete on exit");
                 grokAssemblyExe.deleteOnExit();
             }
         } catch (SecurityException se) {
             LOGGER.debug("Can't delete temporary GrokAssembly.exe");
+            grokAssemblyExe.deleteOnExit();
         }
     }
 
@@ -296,7 +320,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -304,4 +329,27 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED;
     }
+
+    /**
+     * Tests to see if a file is in the system path. <b>Note</b> - the current
+     * implementation only works on non-windows platforms. For purposes of the
+     * AssemblyAnalyzer this is okay as this is only needed on Mac/*nix.
+     *
+     * @param file the executable to look for
+     * @return <code>true</code> if the file exists; otherwise
+     * <code>false</code>
+     */
+    private boolean isInPath(String file) {
+        final ProcessBuilder pb = new ProcessBuilder("which", file);
+        try {
+            final Process proc = pb.start();
+            final int retCode = proc.waitFor();
+            if (retCode == 0) {
+                return true;
+            }
+        } catch (IOException | InterruptedException ex) {
+            LOGGER.debug("Path search failed for " + file, ex);
+        }
+        return false;
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java

@@ -31,17 +31,18 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
-import java.util.ArrayList;
-import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
- * Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed,
- * assuming they are generated by Autoconf, and contain certain special package descriptor variables.
+ * Used to analyze Autoconf input files named configure.ac or configure.in.
+ * Files simply named "configure" are also analyzed, assuming they are generated
+ * by Autoconf, and contain certain special package descriptor variables.
  *
  * @author Dale Visser
- * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project - Free Software Foundation (FSF)</a>
+ * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project
+ * - Free Software Foundation (FSF)</a>
  */
 @Experimental
 public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
@@ -142,7 +143,8 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -152,7 +154,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
+    protected void analyzeDependency(Dependency dependency, Engine engine)
             throws AnalysisException {
         final File actualFile = dependency.getActualFile();
         final String name = actualFile.getName();
@@ -174,11 +176,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
                 }
             }
         } else {
-            // copy, alter and set in case some other thread is iterating over
-            final List<Dependency> dependencies = new ArrayList<Dependency>(
-                    engine.getDependencies());
-            dependencies.remove(dependency);
-            engine.setDependencies(dependencies);
+            engine.getDependencies().remove(dependency);
         }
     }
 
@@ -270,10 +268,11 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Initializes the file type analyzer.
      *
-     * @throws Exception thrown if there is an exception during initialization
+     * @throws InitializationException thrown if there is an exception during
+     * initialization
      */
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
+    protected void initializeFileTypeAnalyzer() throws InitializationException {
         // No initialization needed.
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -38,14 +38,18 @@ import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
  * <p>
- * Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.</p>
+ * Used to analyze CMake build files, and collect information that can be used
+ * to determine the associated CPE.</p>
  * <p>
- * Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version
- * inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert
- * version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be
+ * Note: This analyzer catches straightforward invocations of the project
+ * command, plus some other observed patterns of version inclusion in real CMake
+ * projects. Many projects make use of older versions of CMake and/or use custom
+ * "homebrew" ways to insert version information. Hopefully as the newer CMake
+ * call pattern grows in usage, this analyzer allow more CPEs to be
  * identified.</p>
  *
  * @author Dale Visser
@@ -88,24 +92,10 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(".cmake")
             .addFilenames("CMakeLists.txt").build();
 
-    /**
-     * A reference to SHA1 message digest.
-     */
-    private static MessageDigest sha1 = null;
-
-    static {
-        try {
-            sha1 = MessageDigest.getInstance("SHA1");
-        } catch (NoSuchAlgorithmException e) {
-            LOGGER.error(e.getMessage());
-        }
-    }
-
     /**
      * Returns the name of the CMake analyzer.
      *
      * @return the name of the analyzer
-     *
      */
     @Override
     public String getName() {
@@ -133,13 +123,19 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * No-op initializer implementation.
+     * Initializes the analyzer.
      *
-     * @throws Exception never thrown
+     * @throws InitializationException thrown if an exception occurs getting an
+     * instance of SHA1
      */
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
-        // Nothing to do here.
+    protected void initializeFileTypeAnalyzer() throws InitializationException {
+        try {
+            getSha1MessageDigest();
+        } catch (IllegalStateException ex) {
+            setEnabled(false);
+            throw new InitializationException("Unable to create SHA1 MessageDigest", ex);
+        }
     }
 
     /**
@@ -147,10 +143,11 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
      *
      * @param dependency the dependency being analyzed
      * @param engine the engine being used to perform the scan
-     * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
+     * @throws AnalysisException thrown if there is an unrecoverable error
+     * analyzing the dependency
      */
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
+    protected void analyzeDependency(Dependency dependency, Engine engine)
             throws AnalysisException {
         final File file = dependency.getActualFile();
         final String parentName = file.getParentFile().getName();
@@ -183,13 +180,17 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Extracts the version information from the contents. If more then one version is found additional dependencies are added to
-     * the dependency list.
+     * Extracts the version information from the contents. If more then one
+     * version is found additional dependencies are added to the dependency
+     * list.
      *
      * @param dependency the dependency being analyzed
      * @param engine the dependency-check engine
      * @param contents the version information
      */
+    @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
+            value = "DM_DEFAULT_ENCODING",
+            justification = "Default encoding is only used if UTF-8 is not available")
     private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
         Dependency currentDep = dependency;
 
@@ -220,6 +221,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
                 } catch (UnsupportedEncodingException ex) {
                     path = filePath.getBytes();
                 }
+                final MessageDigest sha1 = getSha1MessageDigest();
                 currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
                 engine.getDependencies().add(currentDep);
             }
@@ -236,4 +238,18 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_CMAKE_ENABLED;
     }
+
+    /**
+     * Returns the sha1 message digest.
+     *
+     * @return the sha1 message digest
+     */
+    private MessageDigest getSha1MessageDigest() {
+        try {
+            return MessageDigest.getInstance("SHA1");
+        } catch (NoSuchAlgorithmException e) {
+            LOGGER.error(e.getMessage());
+            throw new IllegalStateException("Failed to obtain the SHA1 message digest.", e);
+        }
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -25,6 +25,8 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import java.util.StringTokenizer;
+import java.util.concurrent.TimeUnit;
+import org.apache.commons.lang3.builder.CompareToBuilder;
 import org.apache.lucene.document.Document;
 import org.apache.lucene.index.CorruptIndexException;
 import org.apache.lucene.queryparser.classic.ParseException;
@@ -45,8 +47,10 @@ import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -57,7 +61,7 @@ import org.slf4j.LoggerFactory;
  *
  * @author Jeremy Long
  */
-public class CPEAnalyzer implements Analyzer {
+public class CPEAnalyzer extends AbstractAnalyzer {
 
     /**
      * The Logger.
@@ -66,26 +70,26 @@ public class CPEAnalyzer implements Analyzer {
     /**
      * The maximum number of query results to return.
      */
-    static final int MAX_QUERY_RESULTS = 25;
+    private static final int MAX_QUERY_RESULTS = 25;
     /**
      * The weighting boost to give terms when constructing the Lucene query.
      */
-    static final String WEIGHTING_BOOST = "^5";
+    private static final String WEIGHTING_BOOST = "^5";
     /**
      * A string representation of a regular expression defining characters
      * utilized within the CPE Names.
      */
-    static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
+    private static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
     /**
      * A string representation of a regular expression used to remove all but
      * alpha characters.
      */
-    static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
+    private static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
     /**
      * The additional size to add to a new StringBuilder to account for extra
      * data that will be written into the string.
      */
-    static final int STRING_BUILDER_BUFFER = 20;
+    private static final int STRING_BUILDER_BUFFER = 20;
     /**
      * The CPE in memory index.
      */
@@ -121,13 +125,32 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Creates the CPE Lucene Index.
+     * The default is to support parallel processing.
      *
-     * @throws Exception is thrown if there is an issue opening the index.
+     * @return false
      */
     @Override
-    public void initialize() throws Exception {
+    public boolean supportsParallelProcessing() {
+        return false;
+    }
+
+    /**
+     * Creates the CPE Lucene Index.
+     *
+     * @throws InitializationException is thrown if there is an issue opening
+     * the index.
+     */
+    @Override
+    public void initializeAnalyzer() throws InitializationException {
+        try {
             this.open();
+        } catch (IOException ex) {
+            LOGGER.debug("Exception initializing the Lucene Index", ex);
+            throw new InitializationException("An exception occurred initializing the Lucene Index", ex);
+        } catch (DatabaseException ex) {
+            LOGGER.debug("Exception accessing the database", ex);
+            throw new InitializationException("An exception occurred accessing the database", ex);
+        }
     }
 
     /**
@@ -140,14 +163,13 @@ public class CPEAnalyzer implements Analyzer {
      */
     public void open() throws IOException, DatabaseException {
         if (!isOpen()) {
-            cve = new CveDB();
-            cve.open();
+            cve = CveDB.getInstance();
             cpe = CpeMemoryIndex.getInstance();
             try {
-                LOGGER.info("Creating the CPE Index");
                 final long creationStart = System.currentTimeMillis();
                 cpe.open(cve);
-                LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
+                final long creationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - creationStart);
+                LOGGER.info("Created CPE Index ({} seconds)", creationSeconds);
             } catch (IndexException ex) {
                 LOGGER.debug("IndexException", ex);
                 throw new DatabaseException(ex);
@@ -159,17 +181,22 @@ public class CPEAnalyzer implements Analyzer {
      * Closes the data sources.
      */
     @Override
-    public void close() {
-        if (cpe != null) {
-            cpe.close();
-            cpe = null;
-        }
+    public void closeAnalyzer() {
         if (cve != null) {
             cve.close();
             cve = null;
         }
+        if (cpe != null) {
+            cpe.close();
+            cpe = null;
+        }
     }
 
+    /**
+     * Returns whether or not the analyzer is open.
+     *
+     * @return <code>true</code> if the analyzer is open
+     */
     public boolean isOpen() {
         return cpe != null && cpe.isOpen();
     }
@@ -185,7 +212,7 @@ public class CPEAnalyzer implements Analyzer {
      * @throws ParseException is thrown when the Lucene query cannot be parsed.
      */
     protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
-        //TODO test dojo-war against this. we shold get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit
+        //TODO test dojo-war against this. we should get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit
         String vendors = "";
         String products = "";
         for (Confidence confidence : Confidence.values()) {
@@ -273,7 +300,7 @@ public class CPEAnalyzer implements Analyzer {
     protected List<IndexEntry> searchCPE(String vendor, String product,
             Set<String> vendorWeightings, Set<String> productWeightings) {
 
-        final List<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
+        final List<IndexEntry> ret = new ArrayList<>(MAX_QUERY_RESULTS);
 
         final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
         if (searchString == null) {
@@ -459,7 +486,7 @@ public class CPEAnalyzer implements Analyzer {
             return false;
         }
         final String[] words = text.split("[\\s_-]");
-        final List<String> list = new ArrayList<String>();
+        final List<String> list = new ArrayList<>();
         String tempWord = null;
         for (String word : words) {
             /*
@@ -503,7 +530,7 @@ public class CPEAnalyzer implements Analyzer {
      * dependency.
      */
     @Override
-    public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    protected synchronized void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             determineCPE(dependency);
         } catch (CorruptIndexException ex) {
@@ -537,7 +564,7 @@ public class CPEAnalyzer implements Analyzer {
         DependencyVersion bestGuess = new DependencyVersion("-");
         Confidence bestGuessConf = null;
         boolean hasBroadMatch = false;
-        final List<IdentifierMatch> collected = new ArrayList<IdentifierMatch>();
+        final List<IdentifierMatch> collected = new ArrayList<>();
 
         //TODO the following algorithm incorrectly identifies things as a lower version
         // if there lower confidence evidence when the current (highest) version number
@@ -564,8 +591,9 @@ public class CPEAnalyzer implements Analyzer {
                         final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
                         final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
                         collected.add(match);
-                    } else //TODO the following isn't quite right is it? need to think about this guessing game a bit more.
-                    if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
+
+                        //TODO the following isn't quite right is it? need to think about this guessing game a bit more.
+                    } else if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
                             && evVer.matchesAtLeastThreeLevels(dbVer)) {
                         if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
                             if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) {
@@ -575,24 +603,25 @@ public class CPEAnalyzer implements Analyzer {
                         }
                     }
                 }
-                if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
-                    if (bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) {
+                if ((bestGuessConf == null || bestGuessConf.compareTo(conf) > 0)
+                        && bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) {
                     bestGuess = evVer;
                     bestGuessConf = conf;
                 }
             }
         }
-        }
         final String cpeName = String.format("cpe:/a:%s:%s:%s", vendor, product, bestGuess.toString());
         String url = null;
         if (hasBroadMatch) { //if we have a broad match we can add the URL to the best guess.
             final String cpeUrlName = String.format("cpe:/a:%s:%s", vendor, product);
             url = String.format(NVD_SEARCH_URL, URLEncoder.encode(cpeUrlName, "UTF-8"));
         }
-        if (bestGuessConf == null) {
+        if (bestGuessConf
+                == null) {
             bestGuessConf = Confidence.LOW;
         }
         final IdentifierMatch match = new IdentifierMatch("cpe", cpeName, url, IdentifierConfidence.BEST_GUESS, bestGuessConf);
+
         collected.add(match);
 
         Collections.sort(collected);
@@ -615,6 +644,18 @@ public class CPEAnalyzer implements Analyzer {
         return identifierAdded;
     }
 
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_CPE_ENABLED;
+
+    }
+
     /**
      * The confidence whether the identifier is an exact match, or a best guess.
      */
@@ -642,6 +683,19 @@ public class CPEAnalyzer implements Analyzer {
      */
     private static class IdentifierMatch implements Comparable<IdentifierMatch> {
 
+        /**
+         * The confidence in the evidence used to identify this match.
+         */
+        private Confidence evidenceConfidence;
+        /**
+         * The confidence whether this is an exact match, or a best guess.
+         */
+        private IdentifierConfidence confidence;
+        /**
+         * The CPE identifier.
+         */
+        private Identifier identifier;
+
         /**
          * Constructs an IdentifierMatch.
          *
@@ -658,12 +712,8 @@ public class CPEAnalyzer implements Analyzer {
             this.confidence = identifierConfidence;
             this.evidenceConfidence = evidenceConfidence;
         }
-        //<editor-fold defaultstate="collapsed" desc="Property implementations: evidenceConfidence, confidence, identifier">
-        /**
-         * The confidence in the evidence used to identify this match.
-         */
-        private Confidence evidenceConfidence;
 
+        //<editor-fold defaultstate="collapsed" desc="Property implementations: evidenceConfidence, confidence, identifier">
         /**
          * Get the value of evidenceConfidence
          *
@@ -681,10 +731,6 @@ public class CPEAnalyzer implements Analyzer {
         public void setEvidenceConfidence(Confidence evidenceConfidence) {
             this.evidenceConfidence = evidenceConfidence;
         }
-        /**
-         * The confidence whether this is an exact match, or a best guess.
-         */
-        private IdentifierConfidence confidence;
 
         /**
          * Get the value of confidence.
@@ -703,10 +749,6 @@ public class CPEAnalyzer implements Analyzer {
         public void setConfidence(IdentifierConfidence confidence) {
             this.confidence = confidence;
         }
-        /**
-         * The CPE identifier.
-         */
-        private Identifier identifier;
 
         /**
          * Get the value of identifier.
@@ -774,10 +816,7 @@ public class CPEAnalyzer implements Analyzer {
             if (this.confidence != other.confidence) {
                 return false;
             }
-            if (this.identifier != other.identifier && (this.identifier == null || !this.identifier.equals(other.identifier))) {
-                return false;
-            }
-            return true;
+            return !(this.identifier != other.identifier && (this.identifier == null || !this.identifier.equals(other.identifier)));
         }
         //</editor-fold>
 
@@ -790,14 +829,11 @@ public class CPEAnalyzer implements Analyzer {
          */
         @Override
         public int compareTo(IdentifierMatch o) {
-            int conf = this.confidence.compareTo(o.confidence);
-            if (conf == 0) {
-                conf = this.evidenceConfidence.compareTo(o.evidenceConfidence);
-                if (conf == 0) {
-                    conf = identifier.compareTo(o.identifier);
-                }
-            }
-            return conf;
+            return new CompareToBuilder()
+                    .append(confidence, o.confidence)
+                    .append(evidenceConfidence, o.evidenceConfidence)
+                    .append(identifier, o.identifier)
+                    .toComparison();
         }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java

@@ -33,8 +33,10 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.List;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
@@ -42,8 +44,8 @@ import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
- * digest.
+ * Analyzer which will attempt to locate a dependency, and the GAV information,
+ * by querying Central for the dependency's SHA-1 digest.
  *
  * @author colezlaw
  */
@@ -70,9 +72,10 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
     private static final String SUPPORTED_EXTENSIONS = "jar";
 
     /**
-     * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
+     * The analyzer should be disabled if there are errors, so this is a flag to
+     * determine if such an error has occurred.
      */
-    private boolean errorFlag = false;
+    private volatile boolean errorFlag = false;
 
     /**
      * The searcher itself.
@@ -96,17 +99,18 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Determines if this analyzer is enabled.
      *
-     * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
+     * @return <code>true</code> if the analyzer is enabled; otherwise
+     * <code>false</code>
      */
     private boolean checkEnabled() {
-        boolean retval = false;
+        boolean retVal = false;
 
         try {
             if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
                 if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
                         || NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
                     LOGGER.debug("Enabling the Central analyzer");
-                    retval = true;
+                    retVal = true;
                 } else {
                     LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
                 }
@@ -116,22 +120,27 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
         } catch (InvalidSettingException ise) {
             LOGGER.warn("Invalid setting. Disabling the Central analyzer");
         }
-        return retval;
+        return retVal;
     }
 
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
-     * @throws Exception if there's an error during initialization
+     * @throws InitializationException if there's an error during initialization
      */
     @Override
-    public void initializeFileTypeAnalyzer() throws Exception {
+    public void initializeFileTypeAnalyzer() throws InitializationException {
         LOGGER.debug("Initializing Central analyzer");
         LOGGER.debug("Central analyzer enabled: {}", isEnabled());
         if (isEnabled()) {
             final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
             LOGGER.debug("Central Analyzer URL: {}", searchUrl);
+            try {
                 searcher = new CentralSearch(new URL(searchUrl));
+            } catch (MalformedURLException ex) {
+                setEnabled(false);
+                throw new InitializationException("The configured URL to Maven Central is malformed: " + searchUrl, ex);
+            }
         }
     }
 
@@ -146,7 +155,8 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to to reference the
+     * analyzer's enabled property.
      *
      * @return the analyzer's enabled property setting key.
      */
@@ -183,7 +193,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
-    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         if (errorFlag || !isEnabled()) {
             return;
         }
@@ -219,7 +229,8 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
                         LOGGER.warn("Unable to download pom.xml for {} from Central; "
                                 + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                     } finally {
-                        if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
+                        if (pomFile != null && pomFile.exists() && !FileUtils.deleteQuietly(pomFile)) {
+                            LOGGER.debug("Failed to delete temporary pom file {}", pomFile.toString());
                             pomFile.deleteOnExit();
                         }
                     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java

@@ -0,0 +1,205 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 IBM Corporation. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.commons.io.FileUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * This analyzer is used to analyze SWIFT and Objective-C packages by collecting
+ * information from .podspec files. CocoaPods dependency manager see
+ * https://cocoapods.org/.
+ *
+ * @author Bianca Jiang (https://twitter.com/biancajiang)
+ */
+@Experimental
+public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+//    private static final Logger LOGGER = LoggerFactory.getLogger(CocoaPodsAnalyzer.class);
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "CocoaPods Package Analyzer";
+
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The file name to scan.
+     */
+    public static final String PODSPEC = "podspec";
+    /**
+     * Filter that detects files named "*.podspec".
+     */
+    private static final FileFilter PODSPEC_FILTER = FileFilterBuilder.newInstance().addExtensions(PODSPEC).build();
+
+    /**
+     * The capture group #1 is the block variable. e.g. "Pod::Spec.new do
+     * |spec|"
+     */
+    private static final Pattern PODSPEC_BLOCK_PATTERN = Pattern.compile("Pod::Spec\\.new\\s+?do\\s+?\\|(.+?)\\|");
+
+    /**
+     * Returns the FileFilter
+     *
+     * @return the FileFilter
+     */
+    @Override
+    protected FileFilter getFileFilter() {
+        return PODSPEC_FILTER;
+    }
+
+    @Override
+    protected void initializeFileTypeAnalyzer() {
+        // NO-OP
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_COCOAPODS_ENABLED;
+    }
+
+    @Override
+    protected void analyzeDependency(Dependency dependency, Engine engine)
+            throws AnalysisException {
+
+        String contents;
+        try {
+            contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
+        } catch (IOException e) {
+            throw new AnalysisException(
+                    "Problem occurred while reading dependency file.", e);
+        }
+        final Matcher matcher = PODSPEC_BLOCK_PATTERN.matcher(contents);
+        if (matcher.find()) {
+            contents = contents.substring(matcher.end());
+            final String blockVariable = matcher.group(1);
+
+            final EvidenceCollection vendor = dependency.getVendorEvidence();
+            final EvidenceCollection product = dependency.getProductEvidence();
+            final EvidenceCollection version = dependency.getVersionEvidence();
+
+            final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST);
+            if (!name.isEmpty()) {
+                vendor.addEvidence(PODSPEC, "name_project", name, Confidence.HIGHEST);
+            }
+            addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.HIGHEST);
+
+            addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST);
+            addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
+            addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST);
+
+            addStringEvidence(version, contents, blockVariable, "version", "version", Confidence.HIGHEST);
+        }
+
+        setPackagePath(dependency);
+    }
+
+    /**
+     * Extracts evidence from the contents and adds it to the given evidence
+     * collection.
+     *
+     * @param evidences the evidence collection to update
+     * @param contents the text to extract evidence from
+     * @param blockVariable the block variable within the content to search for
+     * @param field the name of the field being searched for
+     * @param fieldPattern the field pattern within the contents to search for
+     * @param confidence the confidence level of the evidence if found
+     * @return the string that was added as evidence
+     */
+    private String addStringEvidence(EvidenceCollection evidences, String contents,
+            String blockVariable, String field, String fieldPattern, Confidence confidence) {
+        String value = "";
+
+        //capture array value between [ ]
+        final Matcher arrayMatcher = Pattern.compile(
+                String.format("\\s*?%s\\.%s\\s*?=\\s*?\\{\\s*?(.*?)\\s*?\\}", blockVariable, fieldPattern),
+                Pattern.CASE_INSENSITIVE).matcher(contents);
+        if (arrayMatcher.find()) {
+            value = arrayMatcher.group(1);
+        } else { //capture single value between quotes
+            final Matcher matcher = Pattern.compile(
+                    String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern),
+                    Pattern.CASE_INSENSITIVE).matcher(contents);
+            if (matcher.find()) {
+                value = matcher.group(2);
+            }
+        }
+        if (value.length() > 0) {
+            evidences.addEvidence(PODSPEC, field, value, confidence);
+        }
+        return value;
+    }
+
+    /**
+     * Sets the package path on the given dependency.
+     *
+     * @param dep the dependency to update
+     */
+    private void setPackagePath(Dependency dep) {
+        final File file = new File(dep.getFilePath());
+        final String parent = file.getParent();
+        if (parent != null) {
+            dep.setPackagePath(parent);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java

@@ -24,6 +24,7 @@ import org.owasp.dependencycheck.data.composer.ComposerException;
 import org.owasp.dependencycheck.data.composer.ComposerLockParser;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
@@ -32,9 +33,10 @@ import org.slf4j.LoggerFactory;
 
 import java.io.FileFilter;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.nio.charset.Charset;
 import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 
 /**
  * Used to analyze a composer.lock file for a composer PHP app.
@@ -77,17 +79,18 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Initializes the analyzer.
      *
-     * @throws Exception thrown if an exception occurs getting an instance of SHA1
+     * @throws InitializationException thrown if an exception occurs getting an
+     * instance of SHA1
      */
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
-        sha1 = MessageDigest.getInstance("SHA1");
+    protected void initializeFileTypeAnalyzer() throws InitializationException {
+        try {
+            getSha1MessageDigest();
+        } catch (IllegalStateException ex) {
+            setEnabled(false);
+            throw new InitializationException("Unable to create SHA1 MessageDigest", ex);
+        }
     }
-
-    /**
-     * The MessageDigest for calculating a new digest for the new dependencies added.
-     */
-    private MessageDigest sha1 = null;
 
     /**
      * Entry point for the analyzer.
@@ -97,10 +100,8 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException if there's a failure during analysis
      */
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
-        FileInputStream fis = null;
-        try {
-            fis = new FileInputStream(dependency.getActualFile());
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        try (FileInputStream fis = new FileInputStream(dependency.getActualFile())) {
             final ComposerLockParser clp = new ComposerLockParser(fis);
             LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
             clp.process();
@@ -108,6 +109,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
                 final Dependency d = new Dependency(dependency.getActualFile());
                 d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
                 final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
+                final MessageDigest sha1 = getSha1MessageDigest();
                 d.setFilePath(filePath);
                 d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
                 d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
@@ -116,18 +118,10 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
                 LOGGER.info("Adding dependency {}", d);
                 engine.getDependencies().add(d);
             }
-        } catch (FileNotFoundException fnfe) {
+        } catch (IOException ex) {
             LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());
         } catch (ComposerException ce) {
             LOGGER.warn("Error parsing composer.json {}", dependency.getActualFilePath(), ce);
-        } finally {
-            if (fis != null) {
-                try {
-                    fis.close();
-                } catch (Exception e) {
-                    LOGGER.debug("Unable to close file", e);
-                }
-            }
         }
     }
 
@@ -160,4 +154,18 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     public AnalysisPhase getAnalysisPhase() {
         return AnalysisPhase.INFORMATION_COLLECTION;
     }
+
+    /**
+     * Returns the sha1 message digest.
+     *
+     * @return the sha1 message digest
+     */
+    private MessageDigest getSha1MessageDigest() {
+        try {
+            return MessageDigest.getInstance("SHA1");
+        } catch (NoSuchAlgorithmException e) {
+            LOGGER.error(e.getMessage());
+            throw new IllegalStateException("Failed to obtain the SHA1 message digest.", e);
+        }
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java

@@ -20,7 +20,8 @@ package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 
 /**
  * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
@@ -62,7 +63,7 @@ public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
     //</editor-fold>
 
     @Override
-    public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException {
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
 
         if (getRules() == null || getRules().size() <= 0) {
             return;
@@ -72,4 +73,15 @@ public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
             rule.process(dependency);
         }
     }
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_CPE_SUPPRESSION_ENABLED;
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -30,6 +30,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -46,7 +47,7 @@ import org.slf4j.LoggerFactory;
  *
  * @author Jeremy Long
  */
-public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class DependencyBundlingAnalyzer extends AbstractAnalyzer {
 
     /**
      * The Logger.
@@ -58,10 +59,23 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * A pattern for obtaining the first part of a filename.
      */
     private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z0-9]*");
+
     /**
      * a flag indicating if this analyzer has run. This analyzer only runs once.
      */
     private boolean analyzed = false;
+
+    /**
+     * Returns a flag indicating if this analyzer has run. This analyzer only
+     * runs once. Note this is currently only used in the unit tests.
+     *
+     * @return a flag indicating if this analyzer has run. This analyzer only
+     * runs once
+     */
+    protected synchronized boolean getAnalyzed() {
+        return analyzed;
+    }
+
     //</editor-fold>
     //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
     /**
@@ -71,7 +85,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     /**
      * The phase that this analyzer is intended to run in.
      */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.FINAL;
 
     /**
      * Returns the name of the analyzer.
@@ -94,6 +108,29 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
     //</editor-fold>
 
+    /**
+     * Does not support parallel processing as it only runs once and then
+     * operates on <em>all</em> dependencies.
+     *
+     * @return whether or not parallel processing is enabled
+     * @see #analyze(Dependency, Engine)
+     */
+    @Override
+    public boolean supportsParallelProcessing() {
+        return false;
+    }
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_DEPENDENCY_BUNDLING_ENABLED;
+    }
+
     /**
      * Analyzes a set of dependencies. If they have been found to have the same
      * base path and the same set of identifiers they are likely related. The
@@ -105,10 +142,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * file.
      */
     @Override
-    public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
+    protected synchronized void analyzeDependency(Dependency ignore, Engine engine) throws AnalysisException {
         if (!analyzed) {
             analyzed = true;
-            final Set<Dependency> dependenciesToRemove = new HashSet<Dependency>();
+            final Set<Dependency> dependenciesToRemove = new HashSet<>();
             final ListIterator<Dependency> mainIterator = engine.getDependencies().listIterator();
             //for (Dependency nextDependency : engine.getDependencies()) {
             while (mainIterator.hasNext()) {
@@ -117,7 +154,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                     final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                     while (subIterator.hasNext()) {
                         final Dependency nextDependency = subIterator.next();
-                        if (hashesMatch(dependency, nextDependency) && !containedInWar(dependency.getFilePath())
+                        if (hashesMatch(dependency, nextDependency)) {
+                            if (!containedInWar(dependency.getFilePath())
                                     && !containedInWar(nextDependency.getFilePath())) {
                                 if (firstPathIsShortest(dependency.getFilePath(), nextDependency.getFilePath())) {
                                     mergeDependencies(dependency, nextDependency, dependenciesToRemove);
@@ -125,6 +163,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                                     mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                     break; //since we merged into the next dependency - skip forward to the next in mainIterator
                                 }
+                            }
                         } else if (isShadedJar(dependency, nextDependency)) {
                             if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
                                 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
@@ -136,6 +175,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                             }
                         } else if (cpeIdentifiersMatch(dependency, nextDependency)
                                 && hasSameBasePath(dependency, nextDependency)
+                                && vulnCountMatches(dependency, nextDependency)
                                 && fileNameMatch(dependency, nextDependency)) {
                             if (isCore(dependency, nextDependency)) {
                                 mergeDependencies(dependency, nextDependency, dependenciesToRemove);
@@ -143,14 +183,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                                 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                 break; //since we merged into the next dependency - skip forward to the next in mainIterator
                             }
-                        } else if (isSameRubyGem(dependency, nextDependency)) {
-                            final Dependency main = getMainGemspecDependency(dependency, nextDependency);
-                            if (main == dependency) {
-                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
-                            } else {
-                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
-                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
-                            }
                         }
                     }
                 }
@@ -192,7 +224,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * @return a string representing the base path.
      */
     private String getBaseRepoPath(final String path) {
-        int pos = path.indexOf("repository" + File.separator) + 11;
+        int pos;
+        if (path.contains("local-repo")) {
+            pos = path.indexOf("local-repo" + File.separator) + 11;
+        } else {
+            pos = path.indexOf("repository" + File.separator) + 11;
+        }
         if (pos < 0) {
             return path;
         }
@@ -285,6 +322,19 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         return matches;
     }
 
+    /**
+     * Returns true if the two dependencies have the same vulnerability count.
+     *
+     * @param dependency1 a dependency2 to compare
+     * @param dependency2 a dependency2 to compare
+     * @return true if the two dependencies have the same vulnerability count
+     */
+    private boolean vulnCountMatches(Dependency dependency1, Dependency dependency2) {
+        return dependency1.getVulnerabilities() != null && dependency2.getVulnerabilities() != null
+                && dependency1.getVulnerabilities().size() == dependency2.getVulnerabilities().size();
+
+    }
+
     /**
      * Determines if the two dependencies have the same base path.
      *
@@ -302,11 +352,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         String right = rFile.getParent();
         if (left == null) {
             return right == null;
+        } else if (right == null) {
+            return false;
         }
         if (left.equalsIgnoreCase(right)) {
             return true;
         }
-        if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
+
+        if (left.matches(".*[/\\\\](repository|local-repo)[/\\\\].*") && right.matches(".*[/\\\\](repository|local-repo)[/\\\\].*")) {
             left = getBaseRepoPath(left);
             right = getBaseRepoPath(right);
         }
@@ -322,60 +375,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         return false;
     }
 
-    /**
-     * Bundling Ruby gems that are identified from different .gemspec files but
-     * denote the same package path. This happens when Ruby bundler installs an
-     * application's dependencies by running "bundle install".
-     *
-     * @param dependency1 dependency to compare
-     * @param dependency2 dependency to compare
-     * @return true if the the dependencies being analyzed appear to be the
-     * same; otherwise false
-     */
-    private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) {
-        if (dependency1 == null || dependency2 == null
-                || !dependency1.getFileName().endsWith(".gemspec")
-                || !dependency2.getFileName().endsWith(".gemspec")
-                || dependency1.getPackagePath() == null
-                || dependency2.getPackagePath() == null) {
-            return false;
-        }
-        if (dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath())) {
-            return true;
-        }
-
-        return false;
-    }
-
-    /**
-     * Ruby gems installed by "bundle install" can have zero or more *.gemspec
-     * files, all of which have the same packagePath and should be grouped. If
-     * one of these gemspec is from <parent>/specifications/*.gemspec, because
-     * it is a stub with fully resolved gem meta-data created by Ruby bundler,
-     * this dependency should be the main one. Otherwise, use dependency2 as
-     * main.
-     *
-     * This method returns null if any dependency is not from *.gemspec, or the
-     * two do not have the same packagePath. In this case, they should not be
-     * grouped.
-     *
-     * @param dependency1 dependency to compare
-     * @param dependency2 dependency to compare
-     * @return the main dependency; or null if a gemspec is not included in the
-     * analysis
-     */
-    private Dependency getMainGemspecDependency(Dependency dependency1, Dependency dependency2) {
-        if (isSameRubyGem(dependency1, dependency2)) {
-            final File lFile = dependency1.getActualFile();
-            final File left = lFile.getParentFile();
-            if (left != null && left.getName().equalsIgnoreCase("specifications")) {
-                return dependency1;
-            }
-            return dependency2;
-        }
-        return null;
-    }
-
     /**
      * This is likely a very broken attempt at determining if the 'left'
      * dependency is the 'core' library in comparison to the 'right' library.
@@ -385,7 +384,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * @return a boolean indicating whether or not the left dependency should be
      * considered the "core" version.
      */
-    boolean isCore(Dependency left, Dependency right) {
+    protected boolean isCore(Dependency left, Dependency right) {
         final String leftName = left.getFileName().toLowerCase();
         final String rightName = right.getFileName().toLowerCase();
 
@@ -398,10 +397,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                 || !rightName.contains("core") && leftName.contains("core")
                 || !rightName.contains("kernel") && leftName.contains("kernel")) {
             returnVal = true;
-//        } else if (leftName.matches(".*struts2\\-core.*") && rightName.matches(".*xwork\\-core.*")) {
-//            returnVal = true;
-//        } else if (rightName.matches(".*struts2\\-core.*") && leftName.matches(".*xwork\\-core.*")) {
-//            returnVal = false;
         } else {
             /*
              * considered splitting the names up and comparing the components,
@@ -464,6 +459,9 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * <code>false</code>
      */
     protected boolean firstPathIsShortest(String left, String right) {
+        if (left.contains("dctemp")) {
+            return false;
+        }
         final String leftPath = left.replace('\\', '/');
         final String rightPath = right.replace('\\', '/');
 
@@ -501,6 +499,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * @return true if the path contains '.war\' or '.ear\'.
      */
     private boolean containedInWar(String filePath) {
-        return filePath == null ? false : filePath.matches(".*\\.(ear|war)[\\\\/].*");
+        return filePath != null && filePath.matches(".*\\.(ear|war)[\\\\/].*");
     }
+
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java

@@ -0,0 +1,283 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.ListIterator;
+import java.util.Set;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * <p>
+ * This analyzer will merge dependencies, created from different source, into a
+ * single dependency.</p>
+ *
+ * @author Jeremy Long
+ */
+public class DependencyMergingAnalyzer extends AbstractAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(DependencyMergingAnalyzer.class);
+    /**
+     * a flag indicating if this analyzer has run. This analyzer only runs once.
+     */
+    private boolean analyzed = false;
+
+    /**
+     * Returns a flag indicating if this analyzer has run. This analyzer only
+     * runs once. Note this is currently only used in the unit tests.
+     *
+     * @return a flag indicating if this analyzer has run. This analyzer only
+     * runs once
+     */
+    protected synchronized boolean getAnalyzed() {
+        return analyzed;
+    }
+
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Dependency Merging Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Does not support parallel processing as it only runs once and then
+     * operates on <em>all</em> dependencies.
+     *
+     * @return whether or not parallel processing is enabled
+     * @see #analyze(Dependency, Engine)
+     */
+    @Override
+    public boolean supportsParallelProcessing() {
+        return false;
+    }
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_DEPENDENCY_MERGING_ENABLED;
+    }
+    //</editor-fold>
+
+    /**
+     * Analyzes a set of dependencies. If they have been found to be the same
+     * dependency created by more multiple FileTypeAnalyzers (i.e. a gemspec
+     * dependency and a dependency from the Bundle Audit Analyzer. The
+     * dependencies are then merged into a single reportable item.
+     *
+     * @param ignore this analyzer ignores the dependency being analyzed
+     * @param engine the engine that is scanning the dependencies
+     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * file.
+     */
+    @Override
+    protected synchronized void analyzeDependency(Dependency ignore, Engine engine) throws AnalysisException {
+        if (!analyzed) {
+            analyzed = true;
+            final Set<Dependency> dependenciesToRemove = new HashSet<>();
+            final ListIterator<Dependency> mainIterator = engine.getDependencies().listIterator();
+            //for (Dependency nextDependency : engine.getDependencies()) {
+            while (mainIterator.hasNext()) {
+                final Dependency dependency = mainIterator.next();
+                if (mainIterator.hasNext() && !dependenciesToRemove.contains(dependency)) {
+                    final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
+                    while (subIterator.hasNext()) {
+                        final Dependency nextDependency = subIterator.next();
+                        Dependency main;
+                        if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) {
+                            if (main == dependency) {
+                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+                            } else {
+                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
+                            }
+                        } else if ((main = getMainSwiftDependency(dependency, nextDependency)) != null) {
+                            if (main == dependency) {
+                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+                            } else {
+                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
+                            }
+                        }
+                    }
+                }
+            }
+            //removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
+            // was difficult because of the inner iterator.
+            engine.getDependencies().removeAll(dependenciesToRemove);
+        }
+    }
+
+    /**
+     * Adds the relatedDependency to the dependency's related dependencies.
+     *
+     * @param dependency the main dependency
+     * @param relatedDependency a collection of dependencies to be removed from
+     * the main analysis loop, this is the source of dependencies to remove
+     * @param dependenciesToRemove a collection of dependencies that will be
+     * removed from the main analysis loop, this function adds to this
+     * collection
+     */
+    private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
+        LOGGER.debug("Merging '{}' into '{}'", relatedDependency.getFilePath(), dependency.getFilePath());
+        dependency.addRelatedDependency(relatedDependency);
+        dependency.getVendorEvidence().getEvidence().addAll(relatedDependency.getVendorEvidence().getEvidence());
+        dependency.getProductEvidence().getEvidence().addAll(relatedDependency.getProductEvidence().getEvidence());
+        dependency.getVersionEvidence().getEvidence().addAll(relatedDependency.getVersionEvidence().getEvidence());
+
+        final Iterator<Dependency> i = relatedDependency.getRelatedDependencies().iterator();
+        while (i.hasNext()) {
+            dependency.addRelatedDependency(i.next());
+            i.remove();
+        }
+        if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
+            dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
+        }
+        dependenciesToRemove.add(relatedDependency);
+    }
+
+    /**
+     * Bundling Ruby gems that are identified from different .gemspec files but
+     * denote the same package path. This happens when Ruby bundler installs an
+     * application's dependencies by running "bundle install".
+     *
+     * @param dependency1 dependency to compare
+     * @param dependency2 dependency to compare
+     * @return true if the the dependencies being analyzed appear to be the
+     * same; otherwise false
+     */
+    private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) {
+        if (dependency1 == null || dependency2 == null
+                || !dependency1.getFileName().endsWith(".gemspec")
+                || !dependency2.getFileName().endsWith(".gemspec")
+                || dependency1.getPackagePath() == null
+                || dependency2.getPackagePath() == null) {
+            return false;
+        }
+        return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath());
+    }
+
+    /**
+     * Ruby gems installed by "bundle install" can have zero or more *.gemspec
+     * files, all of which have the same packagePath and should be grouped. If
+     * one of these gemspec is from <parent>/specifications/*.gemspec, because
+     * it is a stub with fully resolved gem meta-data created by Ruby bundler,
+     * this dependency should be the main one. Otherwise, use dependency2 as
+     * main.
+     *
+     * This method returns null if any dependency is not from *.gemspec, or the
+     * two do not have the same packagePath. In this case, they should not be
+     * grouped.
+     *
+     * @param dependency1 dependency to compare
+     * @param dependency2 dependency to compare
+     * @return the main dependency; or null if a gemspec is not included in the
+     * analysis
+     */
+    private Dependency getMainGemspecDependency(Dependency dependency1, Dependency dependency2) {
+        if (isSameRubyGem(dependency1, dependency2)) {
+            final File lFile = dependency1.getActualFile();
+            final File left = lFile.getParentFile();
+            if (left != null && left.getName().equalsIgnoreCase("specifications")) {
+                return dependency1;
+            }
+            return dependency2;
+        }
+        return null;
+    }
+
+    /**
+     * Bundling same swift dependencies with the same packagePath but identified
+     * by different file type analyzers.
+     *
+     * @param dependency1 dependency to test
+     * @param dependency2 dependency to test
+     * @return <code>true</code> if the dependencies appear to be the same;
+     * otherwise <code>false</code>
+     */
+    private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) {
+        if (dependency1 == null || dependency2 == null
+                || (!dependency1.getFileName().endsWith(".podspec")
+                && !dependency1.getFileName().equals("Package.swift"))
+                || (!dependency2.getFileName().endsWith(".podspec")
+                && !dependency2.getFileName().equals("Package.swift"))
+                || dependency1.getPackagePath() == null
+                || dependency2.getPackagePath() == null) {
+            return false;
+        }
+        return dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath());
+    }
+
+    /**
+     * Determines which of the swift dependencies should be considered the
+     * primary.
+     *
+     * @param dependency1 the first swift dependency to compare
+     * @param dependency2 the second swift dependency to compare
+     * @return the primary swift dependency
+     */
+    private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) {
+        if (isSameSwiftPackage(dependency1, dependency2)) {
+            if (dependency1.getFileName().endsWith(".podspec")) {
+                return dependency1;
+            }
+            return dependency2;
+        }
+        return null;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -34,11 +34,13 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.
+ * This analyzer attempts to remove some well known false positives -
+ * specifically regarding the java runtime.
  *
  * @author Jeremy Long
  */
@@ -83,17 +85,30 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_FALSE_POSITIVE_ENABLED;
+    }
     //</editor-fold>
 
     /**
-     * Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics.
+     * Analyzes the dependencies and removes bad/incorrect CPE associations
+     * based on various heuristics.
      *
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR file.
+     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * file.
      */
     @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         removeJreEntries(dependency);
         removeBadMatches(dependency);
         removeBadSpringMatches(dependency);
@@ -106,13 +121,14 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     /**
      * Removes inaccurate matches on springframework CPEs.
      *
-     * @param dependency the dependency to test for and remove known inaccurate CPE matches
+     * @param dependency the dependency to test for and remove known inaccurate
+     * CPE matches
      */
     private void removeBadSpringMatches(Dependency dependency) {
         String mustContain = null;
         for (Identifier i : dependency.getIdentifiers()) {
-            if ("maven".contains(i.getType())) {
-                if (i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
+            if ("maven".contains(i.getType())
+                    && i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
                 final int endPoint = i.getValue().indexOf(':', 19);
                 if (endPoint >= 0) {
                     mustContain = i.getValue().substring(19, endPoint).toLowerCase();
@@ -120,8 +136,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                 }
             }
         }
-        }
-        if (mustContain != null) {
+        if (mustContain
+                != null) {
             final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
             while (itr.hasNext()) {
                 final Identifier i = itr.next();
@@ -138,7 +154,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 
     /**
      * <p>
-     * Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
+     * Intended to remove spurious CPE entries. By spurious we mean duplicate,
+     * less specific CPE entries.</p>
      * <p>
      * Example:</p>
      * <code>
@@ -156,7 +173,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      */
     @SuppressWarnings("null")
     private void removeSpuriousCPE(Dependency dependency) {
-        final List<Identifier> ids = new ArrayList<Identifier>(dependency.getIdentifiers());
+        final List<Identifier> ids = new ArrayList<>(dependency.getIdentifiers());
         Collections.sort(ids);
         final ListIterator<Identifier> mainItr = ids.listIterator();
         while (mainItr.hasNext()) {
@@ -189,8 +206,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                             if (nextVersion.startsWith(currentVersion) || "-".equals(currentVersion)) {
                                 dependency.getIdentifiers().remove(currentId);
                             }
-                        } else {
-                            if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) {
+                        } else if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) {
                             dependency.getIdentifiers().remove(nextId);
                         }
                     }
@@ -198,9 +214,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
             }
         }
     }
-    }
     /**
-     * Regex to identify core java libraries and a few other commonly misidentified ones.
+     * Regex to identify core java libraries and a few other commonly
+     * misidentified ones.
      */
     public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
             + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
@@ -215,12 +231,14 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      */
     public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
     /**
-     * Regex to identify core jsf java library files. This is currently incomplete.
+     * Regex to identify core jsf java library files. This is currently
+     * incomplete.
      */
     public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
 
     /**
-     * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
+     * Removes any CPE entries for the JDK/JRE unless the filename ends with
+     * rt.jar
      *
      * @param dependency the dependency to remove JRE CPEs from
      */
@@ -264,8 +282,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific problems
-     * identified when testing this on a LARGE volume of jar files.
+     * Removes bad CPE matches for a dependency. Unfortunately, right now these
+     * are hard-coded patches for specific problems identified when testing this
+     * on a LARGE volume of jar files.
      *
      * @param dependency the dependency to analyze
      */
@@ -340,7 +359,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Removes CPE matches for the wrong version of a dependency. Currently, this only covers Axis 1 & 2.
+     * Removes CPE matches for the wrong version of a dependency. Currently,
+     * this only covers Axis 1 & 2.
      *
      * @param dependency the dependency to analyze
      */
@@ -373,8 +393,10 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and changes in
-     * product names, that based on given evidence we can add the related CPE entries to ensure a complete list of CVE entries.
+     * There are some known CPE entries, specifically regarding sun and oracle
+     * products due to the acquisition and changes in product names, that based
+     * on given evidence we can add the related CPE entries to ensure a complete
+     * list of CVE entries.
      *
      * @param dependency the dependency being analyzed
      */
@@ -411,19 +433,21 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Removes duplicate entries identified that are contained within JAR files. These occasionally crop up due to POM entries or
-     * other types of files (such as DLLs and EXEs) being contained within the JAR.
+     * Removes duplicate entries identified that are contained within JAR files.
+     * These occasionally crop up due to POM entries or other types of files
+     * (such as DLLs and EXEs) being contained within the JAR.
      *
      * @param dependency the dependency that might be a duplicate
      * @param engine the engine used to scan all dependencies
      */
-    private void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
+    private synchronized void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
         if (dependency.getFileName().toLowerCase().endsWith("pom.xml")
                 || DLL_EXE_FILTER.accept(dependency.getActualFile())) {
             String parentPath = dependency.getFilePath().toLowerCase();
             if (parentPath.contains(".jar")) {
                 parentPath = parentPath.substring(0, parentPath.indexOf(".jar") + 4);
-                final Dependency parent = findDependency(parentPath, engine.getDependencies());
+                final List<Dependency> dependencies = engine.getDependencies();
+                final Dependency parent = findDependency(parentPath, dependencies);
                 if (parent != null) {
                     boolean remove = false;
                     for (Identifier i : dependency.getIdentifiers()) {
@@ -440,16 +464,16 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                         }
                     }
                     if (remove) {
-                        engine.getDependencies().remove(dependency);
+                        dependencies.remove(dependency);
                     }
                 }
             }
-
         }
     }
 
     /**
-     * Retrieves a given dependency, based on a given path, from a list of dependencies.
+     * Retrieves a given dependency, based on a given path, from a list of
+     * dependencies.
      *
      * @param dependencyPath the path of the dependency to return
      * @param dependencies the collection of dependencies to search
@@ -465,7 +489,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Takes a full CPE and returns the CPE trimmed to include only vendor and product.
+     * Takes a full CPE and returns the CPE trimmed to include only vendor and
+     * product.
      *
      * @param value the CPE value to trim
      * @return a CPE value that only includes the vendor and product

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -27,6 +27,7 @@ import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
@@ -34,7 +35,7 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
  *
  * @author Jeremy Long
  */
-public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class FileNameAnalyzer extends AbstractAnalyzer {
 
     //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
     /**
@@ -65,16 +66,27 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_FILE_NAME_ENABLED;
+    }
     //</editor-fold>
 
     /**
      * Python init files
      */
+    //CSOFF: WhitespaceAfter
     private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{
         "__init__.py",
         "__init__.pyc",
-        "__init__.pyo",
-    });
+        "__init__.pyo",});
+    //CSON: WhitespaceAfter
 
     /**
      * Collects information about the file name.
@@ -85,7 +97,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
      * file.
      */
     @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
 
         //strip any path information that may get added by ArchiveAnalyzer, etc.
         final File f = dependency.getActualFile();
@@ -93,26 +105,27 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 
         //add version evidence
         final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
+        final String packageName = DependencyVersionUtil.parsePreVersion(fileName);
         if (version != null) {
             // If the version number is just a number like 2 or 23, reduce the confidence
             // a shade. This should hopefully correct for cases like log4j.jar or
             // struts2-core.jar
             if (version.getVersionParts() == null || version.getVersionParts().size() < 2) {
-                dependency.getVersionEvidence().addEvidence("file", "name",
+                dependency.getVersionEvidence().addEvidence("file", "version",
                         version.toString(), Confidence.MEDIUM);
             } else {
                 dependency.getVersionEvidence().addEvidence("file", "version",
                         version.toString(), Confidence.HIGHEST);
             }
             dependency.getVersionEvidence().addEvidence("file", "name",
-                    fileName, Confidence.MEDIUM);
+                    packageName, Confidence.MEDIUM);
         }
 
         if (!IGNORED_FILES.accept(f)) {
             dependency.getProductEvidence().addEvidence("file", "name",
-                    fileName, Confidence.HIGH);
+                    packageName, Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("file", "name",
-                    fileName, Confidence.HIGH);
+                    packageName, Confidence.HIGH);
         }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java

@@ -26,8 +26,4 @@ import java.io.FileFilter;
  */
 public interface FileTypeAnalyzer extends Analyzer, FileFilter {
 
-    /**
-     * Resets the analyzers state.
-     */
-    void reset();
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -17,21 +17,54 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
-import java.util.Set;
+import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.xml.suppression.PropertyType;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.xml.hints.VendorDuplicatingHintRule;
+import org.owasp.dependencycheck.xml.hints.HintParseException;
+import org.owasp.dependencycheck.xml.hints.HintParser;
+import org.owasp.dependencycheck.xml.hints.HintRule;
+import org.owasp.dependencycheck.xml.hints.Hints;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xml.sax.SAXException;
 
 /**
+ * This analyzer adds evidence to dependencies to enhance the accuracy of
+ * library identification.
  *
  * @author Jeremy Long
  */
-public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class HintAnalyzer extends AbstractAnalyzer {
+
+    /**
+     * The Logger for use throughout the class
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(HintAnalyzer.class);
+    /**
+     * The name of the hint rule file
+     */
+    private static final String HINT_RULE_FILE_NAME = "dependencycheck-base-hint.xml";
+    /**
+     * The collection of hints.
+     */
+    private Hints hints;
 
     //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
     /**
@@ -62,115 +95,192 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_HINT_ENABLED;
+    }
+
+    /**
+     * The initialize method does nothing for this Analyzer.
+     *
+     * @throws InitializationException thrown if there is an exception
+     */
+    @Override
+    public void initializeAnalyzer() throws InitializationException {
+        try {
+            loadHintRules();
+        } catch (HintParseException ex) {
+            LOGGER.debug("Unable to parse hint file", ex);
+            throw new InitializationException("Unable to parse the hint file", ex);
+        }
+    }
     //</editor-fold>
 
     /**
-     * The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of identifiers
-     * or vulnerabilities.
+     * The HintAnalyzer uses knowledge about a dependency to add additional
+     * information to help in identification of identifiers or vulnerabilities.
      *
      * @param dependency The dependency being analyzed
      * @param engine The scanning engine
-     * @throws AnalysisException is thrown if there is an exception analyzing the dependency.
+     * @throws AnalysisException is thrown if there is an exception analyzing
+     * the dependency.
      */
     @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        final Evidence springTest1 = new Evidence("Manifest",
-                "Implementation-Title",
-                "Spring Framework",
-                Confidence.HIGH);
-
-        final Evidence springTest2 = new Evidence("Manifest",
-                "Implementation-Title",
-                "org.springframework.core",
-                Confidence.HIGH);
-
-        final Evidence springTest3 = new Evidence("Manifest",
-                "Implementation-Title",
-                "spring-core",
-                Confidence.HIGH);
-
-        final Evidence springTest4 = new Evidence("jar",
-                "package name",
-                "springframework",
-                Confidence.LOW);
-
-        final Evidence springSecurityTest1 = new Evidence("Manifest",
-                "Bundle-Name",
-                "Spring Security Core",
-                Confidence.MEDIUM);
-
-        final Evidence springSecurityTest2 = new Evidence("pom",
-                "artifactid",
-                "spring-security-core",
-                Confidence.HIGH);
-
-        final Evidence symfony = new Evidence("composer.lock",
-            "vendor",
-            "symfony",
-            Confidence.HIGHEST);
-
-        final Evidence zendframeworkVendor = new Evidence("composer.lock",
-            "vendor",
-            "zendframework",
-            Confidence.HIGHEST);
-
-        final Evidence zendframeworkProduct = new Evidence("composer.lock",
-            "product",
-            "zendframework",
-            Confidence.HIGHEST);
-
-        //springsource/vware problem
-        final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
-        final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();
-
-        if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
-                || (dependency.getFileName().contains("spring") && product.contains(springTest4))) {
-            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        for (HintRule hint : hints.getHintRules()) {
+            boolean matchFound = false;
+            for (Evidence given : hint.getGivenVendor()) {
+                if (dependency.getVendorEvidence().getEvidence().contains(given)) {
+                    matchFound = true;
+                    break;
+                }
+            }
+            if (!matchFound) {
+                for (Evidence given : hint.getGivenProduct()) {
+                    if (dependency.getProductEvidence().getEvidence().contains(given)) {
+                        matchFound = true;
+                        break;
+                    }
+                }
+            }
+            if (!matchFound) {
+                for (Evidence given : hint.getGivenVersion()) {
+                    if (dependency.getVersionEvidence().getEvidence().contains(given)) {
+                        matchFound = true;
+                        break;
+                    }
+                }
+            }
+            if (!matchFound) {
+                for (PropertyType pt : hint.getFilenames()) {
+                    if (pt.matches(dependency.getFileName())) {
+                        matchFound = true;
+                        break;
+                    }
+                }
+            }
+            if (matchFound) {
+                for (Evidence e : hint.getAddVendor()) {
+                    dependency.getVendorEvidence().addEvidence(e);
+                }
+                for (Evidence e : hint.getAddProduct()) {
+                    dependency.getProductEvidence().addEvidence(e);
+                }
+                for (Evidence e : hint.getAddVersion()) {
+                    dependency.getVersionEvidence().addEvidence(e);
+                }
+                for (Evidence e : hint.getRemoveVendor()) {
+                    if (dependency.getVendorEvidence().getEvidence().contains(e)) {
+                        dependency.getVendorEvidence().getEvidence().remove(e);
+                    }
+                }
+                for (Evidence e : hint.getRemoveProduct()) {
+                    if (dependency.getProductEvidence().getEvidence().contains(e)) {
+                        dependency.getProductEvidence().getEvidence().remove(e);
+                    }
+                }
+                for (Evidence e : hint.getRemoveVersion()) {
+                    if (dependency.getVersionEvidence().getEvidence().contains(e)) {
+                        dependency.getVersionEvidence().getEvidence().remove(e);
+                    }
+                }
+            }
         }
 
-        if (vendor.contains(springTest4)) {
-            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);
-        }
-
-        if (product.contains(springSecurityTest1) || product.contains(springSecurityTest2)) {
-            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_security", Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
-        }
-
-        if (vendor.contains(symfony)) {
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "sensiolabs", Confidence.HIGHEST);
-        }
-
-        if (vendor.contains(zendframeworkVendor)) {
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "zend", Confidence.HIGHEST);
-        }
-
-        if (product.contains(zendframeworkProduct)) {
-            dependency.getProductEvidence().addEvidence("hint analyzer", "vendor", "zend_framework", Confidence.HIGHEST);
-        }
-
-        //sun/oracle problem
         final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
-        final List<Evidence> newEntries = new ArrayList<Evidence>();
+        final List<Evidence> newEntries = new ArrayList<>();
         while (itr.hasNext()) {
             final Evidence e = itr.next();
-            if ("sun".equalsIgnoreCase(e.getValue(false))) {
-                final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "oracle", e.getConfidence());
-                newEntries.add(newEvidence);
-            } else if ("oracle".equalsIgnoreCase(e.getValue(false))) {
-                final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "sun", e.getConfidence());
-                newEntries.add(newEvidence);
+            for (VendorDuplicatingHintRule dhr : hints.getVendorDuplicatingHintRules()) {
+                if (dhr.getValue().equalsIgnoreCase(e.getValue(false))) {
+                    newEntries.add(new Evidence(e.getSource() + " (hint)",
+                            e.getName(), dhr.getDuplicate(), e.getConfidence()));
+                }
             }
         }
         for (Evidence e : newEntries) {
             dependency.getVendorEvidence().addEvidence(e);
         }
+    }
 
+    /**
+     * Loads the hint rules file.
+     *
+     * @throws HintParseException thrown if the XML cannot be parsed.
+     */
+    private void loadHintRules() throws HintParseException {
+        final HintParser parser = new HintParser();
+        File file = null;
+        try {
+            hints = parser.parseHints(this.getClass().getClassLoader().getResourceAsStream(HINT_RULE_FILE_NAME));
+        } catch (HintParseException | SAXException ex) {
+            LOGGER.error("Unable to parse the base hint data file");
+            LOGGER.debug("Unable to parse the base hint data file", ex);
+        }
+        final String filePath = Settings.getString(Settings.KEYS.HINTS_FILE);
+        if (filePath == null) {
+            return;
+        }
+        boolean deleteTempFile = false;
+        try {
+            final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
+            if (uriRx.matcher(filePath).matches()) {
+                deleteTempFile = true;
+                file = FileUtils.getTempFile("hint", "xml");
+                final URL url = new URL(filePath);
+                try {
+                    Downloader.fetchFile(url, file, false);
+                } catch (DownloadFailedException ex) {
+                    Downloader.fetchFile(url, file, true);
+                }
+            } else {
+                file = new File(filePath);
+                if (!file.exists()) {
+                    try (InputStream fromClasspath = this.getClass().getClassLoader().getResourceAsStream(filePath)) {
+                        if (fromClasspath != null) {
+                            deleteTempFile = true;
+                            file = FileUtils.getTempFile("hint", "xml");
+                            try {
+                                org.apache.commons.io.FileUtils.copyInputStreamToFile(fromClasspath, file);
+                            } catch (IOException ex) {
+                                throw new HintParseException("Unable to locate hints file in classpath", ex);
+                            }
+                        }
+                    }
+                }
+            }
+
+            if (file != null) {
+                try {
+                    final Hints newHints = parser.parseHints(file);
+                    hints.getHintRules().addAll(newHints.getHintRules());
+                    hints.getVendorDuplicatingHintRules().addAll(newHints.getVendorDuplicatingHintRules());
+                    LOGGER.debug("{} hint rules were loaded.", hints.getHintRules().size());
+                    LOGGER.debug("{} duplicating hint rules were loaded.", hints.getVendorDuplicatingHintRules().size());
+                } catch (HintParseException ex) {
+                    LOGGER.warn("Unable to parse hint rule xml file '{}'", file.getPath());
+                    LOGGER.warn(ex.getMessage());
+                    LOGGER.debug("", ex);
+                    throw ex;
+                }
+            }
+        } catch (DownloadFailedException ex) {
+            throw new HintParseException("Unable to fetch the configured hint file", ex);
+        } catch (MalformedURLException ex) {
+            throw new HintParseException("Configured hint file has an invalid URL", ex);
+        } catch (IOException ex) {
+            throw new HintParseException("Unable to create temp file for hints", ex);
+        } finally {
+            if (deleteTempFile && file != null) {
+                FileUtils.delete(file);
+            }
+        }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -23,10 +23,10 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.io.OutputStream;
 import java.io.Reader;
+import java.io.UnsupportedEncodingException;
 import java.util.ArrayList;
-import java.util.Collections;
+import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
@@ -35,6 +35,7 @@ import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.Set;
 import java.util.StringTokenizer;
+import java.util.concurrent.atomic.AtomicInteger;
 import java.util.jar.Attributes;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
@@ -43,12 +44,14 @@ import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
 import org.apache.commons.compress.utils.IOUtils;
 import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.jsoup.Jsoup;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.xml.pom.License;
 import org.owasp.dependencycheck.xml.pom.PomUtils;
@@ -75,7 +78,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * The count of directories created during analysis. This is used for
      * creating temporary directories.
      */
-    private static int dirCount = 0;
+    private static final AtomicInteger DIR_COUNT = new AtomicInteger(0);
     /**
      * The system independent newline character.
      */
@@ -147,15 +150,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * A pattern to detect HTML within text.
      */
     private static final Pattern HTML_DETECTION_PATTERN = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
-
-    //</editor-fold>
-    /**
-     * Constructs a new JarAnalyzer.
-     */
-    public JarAnalyzer() {
-    }
-
-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
      * The name of the analyzer.
      */
@@ -174,6 +168,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
 
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
      * Returns the FileFilter.
      *
@@ -226,7 +222,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * file.
      */
     @Override
-    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             final List<ClassNameInformation> classNames = collectClassNames(dependency);
             final String fileName = dependency.getFileName().toLowerCase();
@@ -242,7 +238,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             final boolean addPackagesAsEvidence = !(hasManifest && hasPOM);
             analyzePackageNames(classNames, dependency, addPackagesAsEvidence);
         } catch (IOException ex) {
-            throw new AnalysisException("Exception occurred reading the JAR file.", ex);
+            throw new AnalysisException("Exception occurred reading the JAR file (" + dependency.getFileName() + ").", ex);
         }
     }
 
@@ -259,49 +255,41 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @return whether or not evidence was added to the dependency
      */
     protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
-        boolean foundSomething = false;
-        final JarFile jar;
-        try {
-            jar = new JarFile(dependency.getActualFilePath());
-        } catch (IOException ex) {
-            LOGGER.warn("Unable to read JarFile '{}'.", dependency.getActualFilePath());
-            LOGGER.trace("", ex);
-            return false;
+        try (JarFile jar = new JarFile(dependency.getActualFilePath())) {
+            final List<String> pomEntries = retrievePomListing(jar);
+            if (pomEntries != null && pomEntries.size() <= 1) {
+                String path;
+                File pomFile;
+                Properties pomProperties = null;
+                if (pomEntries.size() == 1) {
+                    path = pomEntries.get(0);
+                    pomFile = extractPom(path, jar);
+                    pomProperties = retrievePomProperties(path, jar);
+                } else {
+                    path = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
+                    pomFile = new File(path);
                 }
-        List<String> pomEntries;
-        try {
-            pomEntries = retrievePomListing(jar);
-        } catch (IOException ex) {
-            LOGGER.warn("Unable to read Jar file entries in '{}'.", dependency.getActualFilePath());
-            LOGGER.trace("", ex);
-            return false;
+                if (pomFile.isFile()) {
+                    final Model pom = PomUtils.readPom(pomFile);
+                    if (pom != null && pomProperties != null) {
+                        pom.processProperties(pomProperties);
                     }
-        File externalPom = null;
-        if (pomEntries.isEmpty()) {
-            final String pomPath = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
-            externalPom = new File(pomPath);
-            if (externalPom.isFile()) {
-                pomEntries.add(pomPath);
+                    return pom != null && setPomEvidence(dependency, pom, classes);
                 } else {
                     return false;
                 }
             }
+
+            //reported possible null dereference on pomEntries is on a non-feasible path
             for (String path : pomEntries) {
+                //TODO - one of these is likely the pom for the main JAR we are analyzing
                 LOGGER.debug("Reading pom entry: {}", path);
-            Properties pomProperties = null;
                 try {
-                if (externalPom == null) {
-                    pomProperties = retrievePomProperties(path, jar);
-                }
-            } catch (IOException ex) {
-                LOGGER.trace("ignore this, failed reading a non-existent pom.properties", ex);
-            }
-            Model pom = null;
-            try {
-                if (pomEntries.size() > 1) {
                     //extract POM to its own directory and add it as its own dependency
-                    final Dependency newDependency = new Dependency();
-                    pom = extractPom(path, jar, newDependency);
+                    final Properties pomProperties = retrievePomProperties(path, jar);
+                    final File pomFile = extractPom(path, jar);
+                    final Model pom = PomUtils.readPom(pomFile);
+                    pom.processProperties(pomProperties);
 
                     final String displayPath = String.format("%s%s%s",
                             dependency.getFilePath(),
@@ -311,28 +299,22 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                             dependency.getFileName(),
                             File.separator,
                             path);
-
+                    final Dependency newDependency = new Dependency();
+                    newDependency.setActualFilePath(pomFile.getAbsolutePath());
                     newDependency.setFileName(displayName);
                     newDependency.setFilePath(displayPath);
-                    pom.processProperties(pomProperties);
                     setPomEvidence(newDependency, pom, null);
                     engine.getDependencies().add(newDependency);
-                    Collections.sort(engine.getDependencies());
-                } else {
-                    if (externalPom == null) {
-                        pom = PomUtils.readPom(path, jar);
-                    } else {
-                        pom = PomUtils.readPom(externalPom);
-                    }
-                    pom.processProperties(pomProperties);
-                    foundSomething |= setPomEvidence(dependency, pom, classes);
-                }
                 } catch (AnalysisException ex) {
                     LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
                     LOGGER.trace("", ex);
                 }
             }
-        return foundSomething;
+        } catch (IOException ex) {
+            LOGGER.warn("Unable to read JarFile '{}'.", dependency.getActualFilePath());
+            LOGGER.trace("", ex);
+        }
+        return false;
     }
 
     /**
@@ -342,28 +324,20 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param path the path to the pom.xml within the JarFile
      * @param jar the JarFile to load the pom.properties from
      * @return a Properties object or null if no pom.properties was found
-     * @throws IOException thrown if there is an exception reading the
-     * pom.properties
      */
-    private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
+    private Properties retrievePomProperties(String path, final JarFile jar) {
         Properties pomProperties = null;
         final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
         final ZipEntry propEntry = jar.getEntry(propPath);
         if (propEntry != null) {
-            Reader reader = null;
-            try {
-                reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
+            try (Reader reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8")) {
                 pomProperties = new Properties();
                 pomProperties.load(reader);
                 LOGGER.debug("Read pom.properties: {}", propPath);
-            } finally {
-                if (reader != null) {
-                    try {
-                        reader.close();
+            } catch (UnsupportedEncodingException ex) {
+                LOGGER.trace("UTF-8 is not supported", ex);
             } catch (IOException ex) {
-                        LOGGER.trace("close error", ex);
-                    }
-                }
+                LOGGER.trace("Unable to read the POM properties", ex);
             }
         }
         return pomProperties;
@@ -378,7 +352,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws IOException thrown if there is an exception reading a JarEntry
      */
     private List<String> retrievePomListing(final JarFile jar) throws IOException {
-        final List<String> pomEntries = new ArrayList<String>();
+        final List<String> pomEntries = new ArrayList<>();
         final Enumeration<JarEntry> entries = jar.entries();
         while (entries.hasMoreElements()) {
             final JarEntry entry = entries.nextElement();
@@ -392,64 +366,29 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Retrieves the specified POM from a jar file and converts it to a Model.
+     * Retrieves the specified POM from a jar.
      *
      * @param path the path to the pom.xml file within the jar file
      * @param jar the jar file to extract the pom from
-     * @param dependency the dependency being analyzed
-     * @return returns the POM object
+     * @return returns the POM file
      * @throws AnalysisException is thrown if there is an exception extracting
-     * or parsing the POM {@link org.owasp.dependencycheck.xml.pom.Model} object
+     * the file
      */
-    private Model extractPom(String path, JarFile jar, Dependency dependency) throws AnalysisException {
-        InputStream input = null;
-        FileOutputStream fos = null;
+    private File extractPom(String path, JarFile jar) throws AnalysisException {
         final File tmpDir = getNextTempDirectory();
         final File file = new File(tmpDir, "pom.xml");
-        try {
         final ZipEntry entry = jar.getEntry(path);
-            input = jar.getInputStream(entry);
-            fos = new FileOutputStream(file);
+        if (entry == null) {
+            throw new AnalysisException(String.format("Pom (%s) does not exist in %s", path, jar.getName()));
+        }
+        try (InputStream input = jar.getInputStream(entry);
+                FileOutputStream fos = new FileOutputStream(file)) {
             IOUtils.copy(input, fos);
-            dependency.setActualFilePath(file.getAbsolutePath());
         } catch (IOException ex) {
-            LOGGER.warn("An error occurred reading '{}' from '{}'.", path, dependency.getFilePath());
+            LOGGER.warn("An error occurred reading '{}' from '{}'.", path, jar.getName());
             LOGGER.error("", ex);
-        } finally {
-            closeStream(fos);
-            closeStream(input);
-        }
-        return PomUtils.readPom(file);
-    }
-
-    /**
-     * Silently closes an input stream ignoring errors.
-     *
-     * @param stream an input stream to close
-     */
-    private void closeStream(InputStream stream) {
-        if (stream != null) {
-            try {
-                stream.close();
-            } catch (IOException ex) {
-                LOGGER.trace("", ex);
-            }
-        }
-    }
-
-    /**
-     * Silently closes an output stream ignoring errors.
-     *
-     * @param stream an output stream to close
-     */
-    private void closeStream(OutputStream stream) {
-        if (stream != null) {
-            try {
-                stream.close();
-            } catch (IOException ex) {
-                LOGGER.trace("", ex);
-            }
         }
+        return file;
     }
 
     /**
@@ -463,11 +402,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * otherwise false
      */
     public static boolean setPomEvidence(Dependency dependency, Model pom, List<ClassNameInformation> classes) {
+        if (pom == null) {
+            return false;
+        }
         boolean foundSomething = false;
         boolean addAsIdentifier = true;
-        if (pom == null) {
-            return foundSomething;
-        }
         String groupid = pom.getGroupId();
         String parentGroupId = pom.getParentGroupId();
         String artifactid = pom.getArtifactId();
@@ -486,7 +425,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         }
 
         final String originalGroupID = groupid;
-        if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
+        if (groupid != null && (groupid.startsWith("org.") || groupid.startsWith("com."))) {
             groupid = groupid.substring(4);
         }
 
@@ -495,7 +434,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         }
 
         final String originalArtifactID = artifactid;
-        if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
+        if (artifactid != null && (artifactid.startsWith("org.") || artifactid.startsWith("com."))) {
             artifactid = artifactid.substring(4);
         }
 
@@ -557,6 +496,12 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             addMatchingValues(classes, org, dependency.getVendorEvidence());
             addMatchingValues(classes, org, dependency.getProductEvidence());
         }
+        // org name
+        final String orgUrl = pom.getOrganizationUrl();
+        if (orgUrl != null && !orgUrl.isEmpty()) {
+            dependency.getVendorEvidence().addEvidence("pom", "organization url", orgUrl, Confidence.MEDIUM);
+            dependency.getProductEvidence().addEvidence("pom", "organization url", orgUrl, Confidence.LOW);
+        }
         //pom name
         final String pomName = pom.getName();
         if (pomName
@@ -599,8 +544,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      */
     protected void analyzePackageNames(List<ClassNameInformation> classNames,
             Dependency dependency, boolean addPackagesAsEvidence) {
-        final Map<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
-        final Map<String, Integer> productIdentifiers = new HashMap<String, Integer>();
+        final Map<String, Integer> vendorIdentifiers = new HashMap<>();
+        final Map<String, Integer> productIdentifiers = new HashMap<>();
         analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers);
 
         final int classCount = classNames.size();
@@ -644,13 +589,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @return whether evidence was identified parsing the manifest
      * @throws IOException if there is an issue reading the JAR file
      */
-    protected boolean parseManifest(Dependency dependency,
-            List<ClassNameInformation> classInformation)
+    protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation)
             throws IOException {
         boolean foundSomething = false;
-        JarFile jar = null;
-        try {
-            jar = new JarFile(dependency.getActualFilePath());
+        try (JarFile jar = new JarFile(dependency.getActualFilePath())) {
             final Manifest manifest = jar.getManifest();
             if (manifest == null) {
                 if (!dependency.getFileName().toLowerCase().endsWith("-sources.jar")
@@ -665,7 +607,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
             final EvidenceCollection productEvidence = dependency.getProductEvidence();
             final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
-
             String source = "Manifest";
             String specificationVersion = null;
             boolean hasImplementationVersion = false;
@@ -687,7 +628,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     foundSomething = true;
                     versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
                 } else if ("specification-version".equalsIgnoreCase(key)) {
-                    specificationVersion = key;
+                    specificationVersion = value;
                 } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
                     foundSomething = true;
                     vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
@@ -706,17 +647,12 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     addMatchingValues(classInformation, value, productEvidence);
 //                //the following caused false positives.
 //                } else if (key.equalsIgnoreCase(BUNDLE_VENDOR)) {
-//                    foundSomething = true;
-//                    vendorEvidence.addEvidence(source, key, value, Confidence.HIGH);
-//                    addMatchingValues(classInformation, value, vendorEvidence);
                 } else if (key.equalsIgnoreCase(BUNDLE_VERSION)) {
                     foundSomething = true;
                     versionEvidence.addEvidence(source, key, value, Confidence.HIGH);
                 } else if (key.equalsIgnoreCase(Attributes.Name.MAIN_CLASS.toString())) {
                     continue;
-                    //skipping main class as if this has important information to add
-                    // it will be added during class name analysis...  if other fields
-                    // have the information from the class name then they will get added...
+                    //skipping main class as if this has important information to add it will be added during class name analysis...
                 } else {
                     key = key.toLowerCase();
                     if (!IGNORE_KEYS.contains(key)
@@ -737,11 +673,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                             }
                         } else if ("build-id".equals(key)) {
                             int pos = value.indexOf('(');
-                            if (pos >= 0) {
+                            if (pos > 0) {
                                 value = value.substring(0, pos - 1);
                             }
                             pos = value.indexOf('[');
-                            if (pos >= 0) {
+                            if (pos > 0) {
                                 value = value.substring(0, pos - 1);
                             }
                             versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
@@ -782,7 +718,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     }
                 }
             }
-
             for (Map.Entry<String, Attributes> item : manifest.getEntries().entrySet()) {
                 final String name = item.getKey();
                 source = "manifest: " + name;
@@ -812,10 +747,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                 foundSomething = true;
                 versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH);
             }
-        } finally {
-            if (jar != null) {
-                jar.close();
-            }
         }
         return foundSomething;
     }
@@ -903,20 +834,27 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Initializes the JarAnalyzer.
      *
-     * @throws Exception is thrown if there is an exception creating a temporary
-     * directory
+     * @throws InitializationException is thrown if there is an exception
+     * creating a temporary directory
      */
     @Override
-    public void initializeFileTypeAnalyzer() throws Exception {
+    public void initializeFileTypeAnalyzer() throws InitializationException {
+        try {
             final File baseDir = Settings.getTempDirectory();
             tempFileLocation = File.createTempFile("check", "tmp", baseDir);
             if (!tempFileLocation.delete()) {
                 final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
-            throw new AnalysisException(msg);
+                setEnabled(false);
+                throw new InitializationException(msg);
             }
             if (!tempFileLocation.mkdirs()) {
                 final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
-            throw new AnalysisException(msg);
+                setEnabled(false);
+                throw new InitializationException(msg);
+            }
+        } catch (IOException ex) {
+            setEnabled(false);
+            throw new InitializationException("Unable to create a temporary file", ex);
         }
     }
 
@@ -924,15 +862,18 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * Deletes any files extracted from the JAR during analysis.
      */
     @Override
-    public void close() {
+    public void closeAnalyzer() {
         if (tempFileLocation != null && tempFileLocation.exists()) {
             LOGGER.debug("Attempting to delete temporary files");
             final boolean success = FileUtils.delete(tempFileLocation);
-            if (!success) {
+            if (!success && tempFileLocation.exists()) {
+                final String[] l = tempFileLocation.list();
+                if (l != null && l.length > 0) {
                     LOGGER.warn("Failed to delete some temporary files, see the log for more details");
                 }
             }
         }
+    }
 
     /**
      * Determines if the key value pair from the manifest is for an "import"
@@ -958,10 +899,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @return an list of fully qualified class names
      */
     private List<ClassNameInformation> collectClassNames(Dependency dependency) {
-        final List<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
-        JarFile jar = null;
-        try {
-            jar = new JarFile(dependency.getActualFilePath());
+        final List<ClassNameInformation> classNames = new ArrayList<>();
+        try (JarFile jar = new JarFile(dependency.getActualFilePath())) {
             final Enumeration<JarEntry> entries = jar.entries();
             while (entries.hasMoreElements()) {
                 final JarEntry entry = entries.nextElement();
@@ -975,14 +914,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         } catch (IOException ex) {
             LOGGER.warn("Unable to open jar file '{}'.", dependency.getFileName());
             LOGGER.debug("", ex);
-        } finally {
-            if (jar != null) {
-                try {
-                    jar.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("", ex);
-                }
-            }
         }
         return classNames;
     }
@@ -1007,13 +938,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 
             if (list.size() == 2) {
                 addEntry(product, list.get(1));
-            }
-            if (list.size() == 3) {
+            } else if (list.size() == 3) {
                 addEntry(vendor, list.get(1));
                 addEntry(product, list.get(1));
                 addEntry(product, list.get(2));
-            }
-            if (list.size() >= 4) {
+            } else if (list.size() >= 4) {
                 addEntry(vendor, list.get(1));
                 addEntry(vendor, list.get(2));
                 addEntry(product, list.get(1));
@@ -1127,6 +1056,16 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      */
     protected static class ClassNameInformation {
 
+        /**
+         * The fully qualified class name.
+         */
+        private String name;
+        /**
+         * Up to the first four levels of the package structure, excluding a
+         * leading "org" or "com".
+         */
+        private final ArrayList<String> packageStructure = new ArrayList<>();
+
         /**
          * <p>
          * Stores information about a given class name. This class will keep the
@@ -1134,7 +1073,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
          * package structure. Up to the first four levels of the package
          * structure are stored, excluding a leading "org" or "com".
          * Example:</p>
-         * <code>ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
+         * <code>ClassNameInformation obj = new ClassNameInformation("org/owasp/dependencycheck/analyzer/JarAnalyzer");
          * System.out.println(obj.getName());
          * for (String p : obj.getPackageStructure())
          *     System.out.println(p);
@@ -1152,7 +1091,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         ClassNameInformation(String className) {
             name = className;
             if (name.contains("/")) {
-                final String[] tmp = className.toLowerCase().split("/");
+                final String[] tmp = StringUtils.split(className.toLowerCase(), '/');
                 int start = 0;
                 int end = 3;
                 if ("com".equals(tmp[0]) || "org".equals(tmp[0])) {
@@ -1162,17 +1101,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                 if (tmp.length <= end) {
                     end = tmp.length - 1;
                 }
-                for (int i = start; i <= end; i++) {
-                    packageStructure.add(tmp[i]);
-                }
+                packageStructure.addAll(Arrays.asList(tmp).subList(start, end + 1));
             } else {
                 packageStructure.add(name);
             }
         }
-        /**
-         * The fully qualified class name.
-         */
-        private String name;
 
         /**
          * Get the value of name
@@ -1191,11 +1124,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         public void setName(String name) {
             this.name = name;
         }
-        /**
-         * Up to the first four levels of the package structure, excluding a
-         * leading "org" or "com".
-         */
-        private final ArrayList<String> packageStructure = new ArrayList<String>();
 
         /**
          * Get the value of packageStructure
@@ -1214,7 +1142,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException thrown if unable to create temporary directory
      */
     private File getNextTempDirectory() throws AnalysisException {
-        dirCount += 1;
+        final int dirCount = DIR_COUNT.incrementAndGet();
         final File directory = new File(tempFileLocation, String.valueOf(dirCount));
         //getting an exception for some directories not being able to be created; might be because the directory already exists?
         if (directory.exists()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java

@@ -35,6 +35,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
@@ -42,15 +43,18 @@ import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
+ * Analyzer which will attempt to locate a dependency on a Nexus service by
+ * SHA-1 digest of the dependency.
  *
  * There are two settings which govern this behavior:
  *
  * <ul>
- * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is even
- * enabled. This can be overridden by setting the system property.</li>
- * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by SHA-1.
- * There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED}
+ * determines whether this analyzer is even enabled. This can be overridden by
+ * setting the system property.</li>
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL}
+ * the URL to a Nexus service to search by SHA-1. There is an expected
+ * <code>%s</code> in this where the SHA-1 will get entered.</li>
  * </ul>
  *
  * @author colezlaw
@@ -58,7 +62,8 @@ import org.owasp.dependencycheck.utils.Settings;
 public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
-     * The default URL - this will be used by the CentralAnalyzer to determine whether to enable this.
+     * The default URL - this will be used by the CentralAnalyzer to determine
+     * whether to enable this.
      */
     public static final String DEFAULT_URL = "https://repository.sonatype.org/service/local/";
 
@@ -95,7 +100,8 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Determines if this analyzer is enabled
      *
-     * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
+     * @return <code>true</code> if the analyzer is enabled; otherwise
+     * <code>false</code>
      */
     private boolean checkEnabled() {
         /* Enable this analyzer ONLY if the Nexus URL has been set to something
@@ -131,26 +137,25 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
-     * @throws Exception if there's an error during initialization
+     * @throws InitializationException if there's an error during initialization
      */
     @Override
-    public void initializeFileTypeAnalyzer() throws Exception {
+    public void initializeFileTypeAnalyzer() throws InitializationException {
         LOGGER.debug("Initializing Nexus Analyzer");
         LOGGER.debug("Nexus Analyzer enabled: {}", isEnabled());
         if (isEnabled()) {
+            final boolean useProxy = useProxy();
             final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
             LOGGER.debug("Nexus Analyzer URL: {}", searchUrl);
             try {
-                searcher = new NexusSearch(new URL(searchUrl));
+                searcher = new NexusSearch(new URL(searchUrl), useProxy);
                 if (!searcher.preflightRequest()) {
-                    LOGGER.warn("There was an issue getting Nexus status. Disabling analyzer.");
                     setEnabled(false);
+                    throw new InitializationException("There was an issue getting Nexus status. Disabling analyzer.");
                 }
             } catch (MalformedURLException mue) {
-                // I know that initialize can throw an exception, but we'll
-                // just disable the analyzer if the URL isn't valid
-                LOGGER.warn("Property {} not a valid URL. Nexus Analyzer disabled", searchUrl);
                 setEnabled(false);
+                throw new InitializationException("Malformed URL to Nexus: " + searchUrl, mue);
             }
         }
     }
@@ -166,7 +171,8 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -208,7 +214,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
-    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         if (!isEnabled()) {
             return;
         }
@@ -240,7 +246,8 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
                     LOGGER.warn("Unable to download pom.xml for {} from Nexus repository; "
                             + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                 } finally {
-                    if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
+                    if (pomFile != null && pomFile.exists() && !FileUtils.deleteQuietly(pomFile)) {
+                        LOGGER.debug("Failed to delete temporary pom file {}", pomFile.toString());
                         pomFile.deleteOnExit();
                     }
                 }
@@ -257,4 +264,19 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
             LOGGER.debug("Could not connect to nexus repository", ioe);
         }
     }
+
+    /**
+     * Determine if a proxy should be used.
+     *
+     * @return {@code true} if a proxy should be used
+     */
+    public static boolean useProxy() {
+        try {
+            return Settings.getString(Settings.KEYS.PROXY_SERVER) != null
+                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
+        } catch (InvalidSettingException ise) {
+            LOGGER.warn("Failed to parse proxy settings.", ise);
+            return false;
+        }
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -38,10 +38,11 @@ import javax.json.JsonObject;
 import javax.json.JsonReader;
 import javax.json.JsonString;
 import javax.json.JsonValue;
+import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
- * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the
- * associated CPE.
+ * Used to analyze Node Package Manager (npm) package.json files, and collect
+ * information that can be used to determine the associated CPE.
  *
  * @author Dale Visser
  */
@@ -84,7 +85,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
+    protected void initializeFileTypeAnalyzer() throws InitializationException {
         // NO-OP
     }
 
@@ -109,7 +110,8 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -119,17 +121,9 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
-            throws AnalysisException {
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         final File file = dependency.getActualFile();
-        JsonReader jsonReader;
-        try {
-            jsonReader = Json.createReader(FileUtils.openInputStream(file));
-        } catch (IOException e) {
-            throw new AnalysisException(
-                    "Problem occurred while reading dependency file.", e);
-        }
-        try {
+        try (JsonReader jsonReader = Json.createReader(FileUtils.openInputStream(file))) {
             final JsonObject json = jsonReader.readObject();
             final EvidenceCollection productEvidence = dependency.getProductEvidence();
             final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
@@ -149,13 +143,14 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
             dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName()));
         } catch (JsonException e) {
             LOGGER.warn("Failed to parse package.json file.", e);
-        } finally {
-            jsonReader.close();
+        } catch (IOException e) {
+            throw new AnalysisException("Problem occurred while reading dependency file.", e);
         }
     }
 
     /**
-     * Adds information to an evidence collection from the node json configuration.
+     * Adds information to an evidence collection from the node json
+     * configuration.
      *
      * @param json information from node.js
      * @param collection a set of evidence about a dependency

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java

@@ -33,7 +33,7 @@ import org.slf4j.LoggerFactory;
 import java.io.FileFilter;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
-import java.io.IOException;
+import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
  * Analyzer which will parse a Nuspec file to gather module information.
@@ -65,10 +65,10 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
-     * @throws Exception if there's an error during initialization
+     * @throws InitializationException if there's an error during initialization
      */
     @Override
-    public void initializeFileTypeAnalyzer() throws Exception {
+    public void initializeFileTypeAnalyzer() throws InitializationException {
     }
 
     /**
@@ -82,7 +82,8 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -125,27 +126,15 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
-    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         LOGGER.debug("Checking Nuspec file {}", dependency);
         try {
             final NuspecParser parser = new XPathNuspecParser();
             NugetPackage np = null;
-            FileInputStream fis = null;
-            try {
-                fis = new FileInputStream(dependency.getActualFilePath());
+            try (FileInputStream fis = new FileInputStream(dependency.getActualFilePath())) {
                 np = parser.parse(fis);
-            } catch (NuspecParseException ex) {
+            } catch (NuspecParseException | FileNotFoundException ex) {
                 throw new AnalysisException(ex);
-            } catch (FileNotFoundException ex) {
-                throw new AnalysisException(ex);
-            } finally {
-                if (fis != null) {
-                    try {
-                        fis.close();
-                    } catch (IOException e) {
-                        LOGGER.debug("Error closing input stream");
-                    }
-                }
             }
 
             if (np.getOwners() != null) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java

@@ -27,19 +27,24 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.LoggerFactory;
 
 /**
- * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
- * CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
+ * NvdCveAnalyzer is a utility class that takes a project dependency and
+ * attempts to discern if there is an associated CVEs. It uses the the
+ * identifiers found by other analyzers to lookup the CVE data.
  *
  * @author Jeremy Long
  */
-public class NvdCveAnalyzer implements Analyzer {
+public class NvdCveAnalyzer extends AbstractAnalyzer {
 
     /**
-     * The maximum number of query results to return.
+     * The Logger for use throughout the class
      */
-    static final int MAX_QUERY_RESULTS = 100;
+    private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(NvdCveAnalyzer.class);
+
     /**
      * The CVE Index.
      */
@@ -51,18 +56,18 @@ public class NvdCveAnalyzer implements Analyzer {
      * @throws SQLException thrown when there is a SQL Exception
      * @throws IOException thrown when there is an IO Exception
      * @throws DatabaseException thrown when there is a database exceptions
-     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be
+     * loaded
      */
     public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
-        cveDB = new CveDB();
-        cveDB.open();
+        cveDB = CveDB.getInstance();
     }
 
     /**
      * Closes the data source.
      */
     @Override
-    public void close() {
+    public void closeAnalyzer() {
         cveDB.close();
         cveDB = null;
     }
@@ -77,27 +82,16 @@ public class NvdCveAnalyzer implements Analyzer {
     }
 
     /**
-     * Ensures that the CVE Database is closed.
-     *
-     * @throws Throwable when a throwable is thrown.
-     */
-    @Override
-    protected void finalize() throws Throwable {
-        super.finalize();
-        if (isOpen()) {
-            close();
-        }
-    }
-
-    /**
-     * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
+     * Analyzes a dependency and attempts to determine if there are any CPE
+     * identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze
      * @param engine The analysis engine
-     * @throws AnalysisException is thrown if there is an issue analyzing the dependency
+     * @throws AnalysisException thrown if there is an issue analyzing the
+     * dependency
      */
     @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         for (Identifier id : dependency.getIdentifiers()) {
             if ("cpe".equals(id.getType())) {
                 try {
@@ -143,12 +137,38 @@ public class NvdCveAnalyzer implements Analyzer {
     }
 
     /**
-     * Opens the database used to gather NVD CVE data.
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
      *
-     * @throws Exception is thrown if there is an issue opening the index.
+     * @return the key for the analyzer's enabled property
      */
     @Override
-    public void initialize() throws Exception {
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NVD_CVE_ENABLED;
+    }
+
+    /**
+     * Opens the database used to gather NVD CVE data.
+     *
+     * @throws InitializationException is thrown if there is an issue opening
+     * the index.
+     */
+    @Override
+    public void initializeAnalyzer() throws InitializationException {
+        try {
             this.open();
+        } catch (SQLException ex) {
+            LOGGER.debug("SQL Exception initializing NvdCveAnalyzer", ex);
+            throw new InitializationException(ex);
+        } catch (IOException ex) {
+            LOGGER.debug("IO Exception initializing NvdCveAnalyzer", ex);
+            throw new InitializationException(ex);
+        } catch (DatabaseException ex) {
+            LOGGER.debug("Database Exception initializing NvdCveAnalyzer", ex);
+            throw new InitializationException(ex);
+        } catch (ClassNotFoundException ex) {
+            LOGGER.debug("Exception initializing NvdCveAnalyzer", ex);
+            throw new InitializationException(ex);
+        }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java

@@ -31,6 +31,7 @@ import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
  * Used to analyze OpenSSL source code present in the file system.
@@ -101,7 +102,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
      * @param openSSLVersionConstant The open SSL version
      * @return the version of openssl
      */
-    static String getOpenSSLVersion(long openSSLVersionConstant) {
+    protected static String getOpenSSLVersion(long openSSLVersionConstant) {
         final long major = openSSLVersionConstant >>> MAJOR_OFFSET;
         final long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
         final long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
@@ -145,10 +146,10 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * No-op initializer implementation.
      *
-     * @throws Exception never thrown
+     * @throws InitializationException never thrown
      */
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
+    protected void initializeFileTypeAnalyzer() throws InitializationException {
         // Nothing to do here.
     }
 
@@ -161,7 +162,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
      * analyzing the dependency
      */
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
+    protected void analyzeDependency(Dependency dependency, Engine engine)
             throws AnalysisException {
         final File file = dependency.getActualFile();
         final String parentName = file.getParentFile().getName();

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -23,9 +23,10 @@ import java.io.FileFilter;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FilenameFilter;
+import java.io.IOException;
+import java.io.InputStream;
 import org.apache.commons.io.filefilter.NameFileFilter;
 import org.apache.commons.io.filefilter.SuffixFileFilter;
-import org.apache.commons.io.input.AutoCloseInputStream;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -37,16 +38,19 @@ import org.slf4j.LoggerFactory;
 
 import javax.mail.MessagingException;
 import javax.mail.internet.InternetHeaders;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.ExtractionException;
 import org.owasp.dependencycheck.utils.ExtractionUtil;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
+import java.util.concurrent.atomic.AtomicInteger;
 
 /**
- * Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
- * to determine the associated CPE.
+ * Used to analyze a Wheel or egg distribution files, or their contents in
+ * unzipped form, and collect information that can be used to determine the
+ * associated CPE.
  *
  * @author Dale Visser
  */
@@ -70,9 +74,10 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
             .getLogger(PythonDistributionAnalyzer.class);
 
     /**
-     * The count of directories created during analysis. This is used for creating temporary directories.
+     * The count of directories created during analysis. This is used for
+     * creating temporary directories.
      */
-    private static int dirCount = 0;
+    private static final AtomicInteger DIR_COUNT = new AtomicInteger(0);
 
     /**
      * The name of the analyzer.
@@ -104,7 +109,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
     private File tempFileLocation;
 
     /**
-     * Filter that detects *.dist-info files (but doesn't verify they are directories.
+     * Filter that detects *.dist-info files (but doesn't verify they are
+     * directories.
      */
     private static final FilenameFilter DIST_INFO_FILTER = new SuffixFileFilter(
             ".dist-info");
@@ -164,7 +170,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -174,7 +181,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
+    protected void analyzeDependency(Dependency dependency, Engine engine)
             throws AnalysisException {
         final File actualFile = dependency.getActualFile();
         if (WHL_FILTER.accept(actualFile)) {
@@ -206,7 +213,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
      * @param dependency the archive being scanned
      * @param folderFilter the filter to apply to the folder
      * @param metadataFilter the filter to apply to the meta data
-     * @throws AnalysisException thrown when there is a problem analyzing the dependency
+     * @throws AnalysisException thrown when there is a problem analyzing the
+     * dependency
      */
     private void collectMetadataFromArchiveFormat(Dependency dependency,
             FilenameFilter folderFilter, FilenameFilter metadataFilter)
@@ -221,32 +229,43 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
             throw new AnalysisException(ex);
         }
 
-        collectWheelMetadata(
-                dependency,
-                getMatchingFile(getMatchingFile(temp, folderFilter),
-                        metadataFilter));
+        File matchingFile = getMatchingFile(temp, folderFilter);
+        if (matchingFile != null) {
+            matchingFile = getMatchingFile(matchingFile, metadataFilter);
+            if (matchingFile != null) {
+                collectWheelMetadata(dependency, matchingFile);
+            }
+        }
     }
 
     /**
      * Makes sure a usable temporary directory is available.
      *
-     * @throws Exception an AnalyzeException is thrown when the temp directory cannot be created
+     * @throws InitializationException an AnalyzeException is thrown when the
+     * temp directory cannot be created
      */
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
+    protected void initializeFileTypeAnalyzer() throws InitializationException {
+        try {
             final File baseDir = Settings.getTempDirectory();
             tempFileLocation = File.createTempFile("check", "tmp", baseDir);
             if (!tempFileLocation.delete()) {
+                setEnabled(false);
                 final String msg = String.format(
                         "Unable to delete temporary file '%s'.",
                         tempFileLocation.getAbsolutePath());
-            throw new AnalysisException(msg);
+                throw new InitializationException(msg);
             }
             if (!tempFileLocation.mkdirs()) {
+                setEnabled(false);
                 final String msg = String.format(
                         "Unable to create directory '%s'.",
                         tempFileLocation.getAbsolutePath());
-            throw new AnalysisException(msg);
+                throw new InitializationException(msg);
+            }
+        } catch (IOException ex) {
+            setEnabled(false);
+            throw new InitializationException("Unable to create a temporary file", ex);
         }
     }
 
@@ -254,13 +273,15 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
      * Deletes any files extracted from the Wheel during analysis.
      */
     @Override
-    public void close() {
+    public void closeAnalyzer() {
         if (tempFileLocation != null && tempFileLocation.exists()) {
             LOGGER.debug("Attempting to delete temporary files");
             final boolean success = FileUtils.delete(tempFileLocation);
-            if (!success) {
-                LOGGER.warn(
-                        "Failed to delete some temporary files, see the log for more details");
+            if (!success && tempFileLocation.exists()) {
+                final String[] l = tempFileLocation.list();
+                if (l != null && l.length > 0) {
+                    LOGGER.warn("Failed to delete some temporary files, see the log for more details");
+                }
             }
         }
     }
@@ -312,7 +333,8 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns a list of files that match the given filter, this does not recursively scan the directory.
+     * Returns a list of files that match the given filter, this does not
+     * recursively scan the directory.
      *
      * @param folder the folder to filter
      * @param filter the filter to apply to the files in the directory
@@ -338,20 +360,20 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
         if (null == manifest) {
             LOGGER.debug("Manifest file not found.");
         } else {
-            try {
-                result.load(new AutoCloseInputStream(new BufferedInputStream(
-                        new FileInputStream(manifest))));
-            } catch (MessagingException e) {
-                LOGGER.warn(e.getMessage(), e);
-            } catch (FileNotFoundException e) {
+            try (InputStream in = new BufferedInputStream(new FileInputStream(manifest))) {
+                result.load(in);
+            } catch (MessagingException | FileNotFoundException e) {
                 LOGGER.warn(e.getMessage(), e);
+            } catch (IOException ex) {
+                LOGGER.warn(ex.getMessage(), ex);
             }
         }
         return result;
     }
 
     /**
-     * Retrieves the next temporary destination directory for extracting an archive.
+     * Retrieves the next temporary destination directory for extracting an
+     * archive.
      *
      * @return a directory
      * @throws AnalysisException thrown if unable to create temporary directory
@@ -362,7 +384,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
         // getting an exception for some directories not being able to be
         // created; might be because the directory already exists?
         do {
-            dirCount += 1;
+            final int dirCount = DIR_COUNT.incrementAndGet();
             directory = new File(tempFileLocation, String.valueOf(dirCount));
         } while (directory.exists());
         if (!directory.mkdirs()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -33,10 +33,9 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
-import java.util.ArrayList;
-import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
  * Used to analyze a Python package, and collect information that can be used to
@@ -144,10 +143,10 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * No-op initializer implementation.
      *
-     * @throws Exception never thrown
+     * @throws InitializationException never thrown
      */
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
+    protected void initializeFileTypeAnalyzer() throws InitializationException {
         // Nothing to do here.
     }
 
@@ -172,7 +171,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
      * analyzing the dependency
      */
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
+    protected void analyzeDependency(Dependency dependency, Engine engine)
             throws AnalysisException {
         final File file = dependency.getActualFile();
         final File parent = file.getParentFile();
@@ -192,11 +191,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
                 }
             }
         } else {
-            // copy, alter and set in case some other thread is iterating over
-            final List<Dependency> dependencies = new ArrayList<Dependency>(
-                    engine.getDependencies());
-            dependencies.remove(dependency);
-            engine.setDependencies(dependencies);
+            engine.getDependencies().remove(dependency);
         }
     }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -22,24 +22,27 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.io.UnsupportedEncodingException;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.nio.charset.Charset;
+
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Reference;
 import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 
 /**
  * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party
@@ -50,6 +53,9 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 @Experimental
 public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 
+    /**
+     * The logger.
+     */
     private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzer.class);
 
     /**
@@ -107,9 +113,17 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         if (!folder.isDirectory()) {
             throw new AnalysisException(String.format("%s should have been a directory.", folder.getAbsolutePath()));
         }
-        final List<String> args = new ArrayList<String>();
+        final List<String> args = new ArrayList<>();
         final String bundleAuditPath = Settings.getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
-        args.add(null == bundleAuditPath ? "bundle-audit" : bundleAuditPath);
+        File bundleAudit = null;
+        if (bundleAuditPath != null) {
+            bundleAudit = new File(bundleAuditPath);
+            if (!bundleAudit.isFile()) {
+                LOGGER.warn("Supplied `bundleAudit` path is incorrect: " + bundleAuditPath);
+                bundleAudit = null;
+            }
+        }
+        args.add(bundleAudit != null && bundleAudit.isFile() ? bundleAudit.getAbsolutePath() : "bundle-audit");
         args.add("check");
         args.add("--verbose");
         final ProcessBuilder builder = new ProcessBuilder(args);
@@ -118,7 +132,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
             LOGGER.info("Launching: " + args + " from " + folder);
             return builder.start();
         } catch (IOException ioe) {
-            throw new AnalysisException("bundle-audit failure", ioe);
+            throw new AnalysisException("bundle-audit initialization failure; this error can be ignored if you are not analyzing Ruby. "
+                    + "Otherwise ensure that bundle-audit is installed and the path to bundle audit is correctly specified", ioe);
         }
     }
 
@@ -126,56 +141,64 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
      * Initialize the analyzer. In this case, extract GrokAssembly.exe to a
      * temporary location.
      *
-     * @throws Exception if anything goes wrong
+     * @throws InitializationException if anything goes wrong
      */
     @Override
-    public void initializeFileTypeAnalyzer() throws Exception {
+    public void initializeFileTypeAnalyzer() throws InitializationException {
         try {
-            cvedb = new CveDB();
-            cvedb.open();
+            cvedb = CveDB.getInstance();
         } catch (DatabaseException ex) {
             LOGGER.warn("Exception opening the database");
             LOGGER.debug("error", ex);
             setEnabled(false);
-            throw ex;
+            throw new InitializationException("Error connecting to the database", ex);
         }
         // Now, need to see if bundle-audit actually runs from this location.
         Process process = null;
         try {
             process = launchBundleAudit(Settings.getTempDirectory());
         } catch (AnalysisException ae) {
-            LOGGER.warn("Exception from bundle-audit process: {}. Disabling {}", ae.getCause(), ANALYZER_NAME);
+
             setEnabled(false);
-            cvedb.close();
-            cvedb = null;
-            throw ae;
+            final String msg = String.format("Exception from bundle-audit process: %s. Disabling %s", ae.getCause(), ANALYZER_NAME);
+            throw new InitializationException(msg, ae);
+        } catch (IOException ex) {
+            setEnabled(false);
+            throw new InitializationException("Unable to create temporary file, the Ruby Bundle Audit Analyzer will be disabled", ex);
         }
 
-        final int exitValue = process.waitFor();
-        if (0 == exitValue) {
-            LOGGER.warn("Unexpected exit code from bundle-audit process. Disabling {}: {}", ANALYZER_NAME, exitValue);
-            setEnabled(false);
-            throw new AnalysisException("Unexpected exit code from bundle-audit process.");
-        } else {
-            BufferedReader reader = null;
+        final int exitValue;
         try {
-                reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+            exitValue = process.waitFor();
+        } catch (InterruptedException ex) {
+            setEnabled(false);
+            final String msg = String.format("Bundle-audit process was interrupted. Disabling %s", ANALYZER_NAME);
+            throw new InitializationException(msg);
+        }
+        if (0 == exitValue) {
+            setEnabled(false);
+            final String msg = String.format("Unexpected exit code from bundle-audit process. Disabling %s: %s", ANALYZER_NAME, exitValue);
+            throw new InitializationException(msg);
+        } else {
+            try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"))) {
                 if (!reader.ready()) {
                     LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling " + ANALYZER_NAME);
                     setEnabled(false);
-                    throw new AnalysisException("Bundle-audit error stream unexpectedly not ready.");
+                    throw new InitializationException("Bundle-audit error stream unexpectedly not ready.");
                 } else {
                     final String line = reader.readLine();
                     if (line == null || !line.contains("Errno::ENOENT")) {
                         LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, line);
                         setEnabled(false);
-                        throw new AnalysisException("Unexpected bundle-audit output.");
+                        throw new InitializationException("Unexpected bundle-audit output.");
                     }
                 }
-            } finally {
-                if (null != reader) {
-                    reader.close();
-                }
+            } catch (UnsupportedEncodingException ex) {
+                setEnabled(false);
+                throw new InitializationException("Unexpected bundle-audit encoding.", ex);
+            } catch (IOException ex) {
+                setEnabled(false);
+                throw new InitializationException("Unable to read bundle-audit output.", ex);
             }
         }
 
@@ -185,6 +208,17 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         }
     }
 
+    /**
+     * Closes the data source.
+     */
+    @Override
+    public void closeAnalyzer() {
+        if (cvedb != null) {
+            cvedb.close();
+            cvedb = null;
+        }
+    }
+
     /**
      * Returns the name of the analyzer.
      *
@@ -217,7 +251,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have
+     * If {@link #analyzeDependency(Dependency, Engine)} is called, then we have
      * successfully initialized, and it will be necessary to disable
      * {@link RubyGemspecAnalyzer}.
      */
@@ -231,7 +265,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException thrown if there is an analysis exception.
      */
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
+    protected void analyzeDependency(Dependency dependency, Engine engine)
             throws AnalysisException {
         if (needToDisableGemspecAnalyzer) {
             boolean failed = true;
@@ -253,41 +287,30 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         }
         final File parentFile = dependency.getActualFile().getParentFile();
         final Process process = launchBundleAudit(parentFile);
+        final int exitValue;
         try {
-            process.waitFor();
+            exitValue = process.waitFor();
         } catch (InterruptedException ie) {
             throw new AnalysisException("bundle-audit process interrupted", ie);
         }
-        BufferedReader rdr = null;
-        BufferedReader errReader = null;
+        if (exitValue < 0 || exitValue > 1) {
+            final String msg = String.format("Unexpected exit code from bundle-audit process; exit code: %s", exitValue);
+            throw new AnalysisException(msg);
+        }
         try {
-            errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+            try (BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"))) {
                 while (errReader.ready()) {
                     final String error = errReader.readLine();
                     LOGGER.warn(error);
                 }
-            rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
+            }
+            try (BufferedReader rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"))) {
                 processBundlerAuditOutput(dependency, engine, rdr);
+            }
         } catch (IOException ioe) {
             LOGGER.warn("bundle-audit failure", ioe);
-        } finally {
-            if (errReader != null) {
-                try {
-                    errReader.close();
-                } catch (IOException ioe) {
-                    LOGGER.warn("bundle-audit close failure", ioe);
         }
     }
-            if (null != rdr) {
-                try {
-                    rdr.close();
-                } catch (IOException ioe) {
-                    LOGGER.warn("bundle-audit close failure", ioe);
-                }
-            }
-        }
-
-    }
 
     /**
      * Processes the bundler audit output.
@@ -304,7 +327,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         Dependency dependency = null;
         Vulnerability vulnerability = null;
         String gem = null;
-        final Map<String, Dependency> map = new HashMap<String, Dependency>();
+        final Map<String, Dependency> map = new HashMap<>();
         boolean appendToDescription = false;
         while (rdr.ready()) {
             final String nextLine = rdr.readLine();
@@ -333,13 +356,11 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
                             + "Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0 "
                             + " indicates unknown). See link below for full details. *** ");
                 }
-            } else if (appendToDescription) {
-                if (null != vulnerability) {
+            } else if (appendToDescription && null != vulnerability) {
                 vulnerability.setDescription(vulnerability.getDescription() + nextLine + "\n");
             }
         }
     }
-    }
 
     /**
      * Sets the vulnerability name.
@@ -456,7 +477,9 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String filePath, String gem) throws IOException {
         final File gemFile = new File(Settings.getTempDirectory(), gem + "_Gemfile.lock");
-        gemFile.createNewFile();
+        if (!gemFile.createNewFile()) {
+            throw new IOException("Unable to create temporary gem file");
+        }
         final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
 
         FileUtils.write(gemFile, displayFileName, Charset.defaultCharset()); // unique contents to avoid dependency bundling

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
- * Copyright (c) 2016 Bianca Jiang. All Rights Reserved.
+ * Copyright (c) 2016 IBM Corporation. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
@@ -27,8 +27,9 @@ import org.owasp.dependencycheck.dependency.Dependency;
 /**
  * This analyzer accepts the fully resolved .gemspec created by the Ruby bundler
  * (http://bundler.io) for better evidence results. It also tries to resolve the
- * dependency packagePath to where the gem is actually installed. Then during {@link org.owasp.dependencycheck.analyzer.AnalysisPhase#PRE_FINDING_ANALYSIS}
- * {@link DependencyBundlingAnalyzer} will merge two .gemspec dependencies
+ * dependency packagePath to where the gem is actually installed. Then during
+ * the {@link org.owasp.dependencycheck.analyzer.AnalysisPhase#PRE_FINDING_ANALYSIS}
+ * {@link DependencyMergingAnalyzer} will merge two .gemspec dependencies
  * together if <code>Dependency.getPackagePath()</code> are the same.
  *
  * Ruby bundler creates new .gemspec files under a folder called
@@ -39,11 +40,11 @@ import org.owasp.dependencycheck.dependency.Dependency;
  * can't be used for evidences.
  *
  * Note this analyzer share the same
- * {@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_RUBY_GEMSPEC_ENABLED} as
- * {@link RubyGemspecAnalyzer}, so it will enabled/disabled with
+ * {@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_RUBY_GEMSPEC_ENABLED}
+ * as {@link RubyGemspecAnalyzer}, so it will enabled/disabled with
  * {@link RubyGemspecAnalyzer}.
  *
- * @author Bianca Jiang (biancajiang@gmail.com)
+ * @author Bianca Jiang (https://twitter.com/biancajiang)
  */
 @Experimental
 public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
@@ -93,9 +94,9 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
     }
 
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
+    protected void analyzeDependency(Dependency dependency, Engine engine)
             throws AnalysisException {
-        super.analyzeFileType(dependency, engine);
+        super.analyzeDependency(dependency, engine);
 
         //find the corresponding gem folder for this .gemspec stub by "bundle install --deployment"
         final File gemspecFile = dependency.getActualFile();
@@ -108,6 +109,7 @@ public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
                 final File gemsDir = new File(parentDir, GEMS);
                 if (gemsDir.exists()) {
                     final File[] matchingFiles = gemsDir.listFiles(new FilenameFilter() {
+                        @Override
                         public boolean accept(File dir, String name) {
                             return name.equals(gemName);
                         }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java

@@ -32,6 +32,7 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
@@ -88,7 +89,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
+    protected void initializeFileTypeAnalyzer() throws InitializationException {
         // NO-OP
     }
 
@@ -129,7 +130,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     private static final Pattern GEMSPEC_BLOCK_INIT = Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
 
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
+    protected void analyzeDependency(Dependency dependency, Engine engine)
             throws AnalysisException {
         String contents;
         try {
@@ -211,10 +212,14 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
         final File parentDir = dependencyFile.getParentFile();
         if (parentDir != null) {
             final File[] matchingFiles = parentDir.listFiles(new FilenameFilter() {
+                @Override
                 public boolean accept(File dir, String name) {
                     return name.contains(VERSION_FILE_NAME);
                 }
             });
+            if (matchingFiles == null) {
+                return;
+            }
             for (File f : matchingFiles) {
                 try {
                     final List<String> lines = FileUtils.readLines(f, Charset.defaultCharset());

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java

@@ -0,0 +1,192 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 IBM Corporation. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.commons.io.FileUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * This analyzer is used to analyze the SWIFT Package Manager
+ * (https://swift.org/package-manager/). It collects information about a package
+ * from Package.swift files.
+ *
+ * @author Bianca Jiang (https://twitter.com/biancajiang)
+ */
+@Experimental
+public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "SWIFT Package Manager Analyzer";
+
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The file name to scan.
+     */
+    public static final String SPM_FILE_NAME = "Package.swift";
+
+    /**
+     * Filter that detects files named "package.json".
+     */
+    private static final FileFilter SPM_FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(SPM_FILE_NAME).build();
+
+    /**
+     * The capture group #1 is the block variable. e.g. "import
+     * PackageDescription let package = Package( name: "Gloss" )"
+     */
+    private static final Pattern SPM_BLOCK_PATTERN = Pattern.compile("let[^=]+=\\s*Package\\s*\\(\\s*([^)]*)\\s*\\)", Pattern.DOTALL);
+
+    /**
+     * Returns the FileFilter
+     *
+     * @return the FileFilter
+     */
+    @Override
+    protected FileFilter getFileFilter() {
+        return SPM_FILE_FILTER;
+    }
+
+    @Override
+    protected void initializeFileTypeAnalyzer() {
+        // NO-OP
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED;
+    }
+
+    @Override
+    protected void analyzeDependency(Dependency dependency, Engine engine)
+            throws AnalysisException {
+
+        String contents;
+        try {
+            contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
+        } catch (IOException e) {
+            throw new AnalysisException(
+                    "Problem occurred while reading dependency file.", e);
+        }
+        final Matcher matcher = SPM_BLOCK_PATTERN.matcher(contents);
+        if (matcher.find()) {
+            final String packageDescription = matcher.group(1);
+            if (packageDescription.isEmpty()) {
+                return;
+            }
+
+            final EvidenceCollection product = dependency.getProductEvidence();
+            final EvidenceCollection vendor = dependency.getVendorEvidence();
+
+            //SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies.
+            //Future interesting metadata: version, license, homepage, author, summary, etc.
+            final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST);
+            if (name != null && !name.isEmpty()) {
+                vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
+            }
+        }
+        setPackagePath(dependency);
+    }
+
+    /**
+     * Extracts evidence from the package description and adds it to the given
+     * evidence collection.
+     *
+     * @param evidences the evidence collection to update
+     * @param packageDescription the text to extract evidence from
+     * @param field the name of the field being searched for
+     * @param fieldPattern the field pattern within the contents to search for
+     * @param confidence the confidence level of the evidence if found
+     * @return the string that was added as evidence
+     */
+    private String addStringEvidence(EvidenceCollection evidences,
+            String packageDescription, String field, String fieldPattern, Confidence confidence) {
+        String value = "";
+
+        final Matcher matcher = Pattern.compile(
+                String.format("%s *:\\s*\"([^\"]*)", fieldPattern), Pattern.DOTALL).matcher(packageDescription);
+        if (matcher.find()) {
+            value = matcher.group(1);
+        }
+
+        if (value != null) {
+            value = value.trim();
+            if (value.length() > 0) {
+                evidences.addEvidence(SPM_FILE_NAME, field, value, confidence);
+            }
+        }
+
+        return value;
+    }
+
+    /**
+     * Sets the package path on the given dependency.
+     *
+     * @param dep the dependency to update
+     */
+    private void setPackagePath(Dependency dep) {
+        final File file = new File(dep.getFilePath());
+        final String parent = file.getParent();
+        if (parent != null) {
+            dep.setPackagePath(parent);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VersionFilterAnalyzer.java

@@ -0,0 +1,167 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.Iterator;
+import java.util.Objects;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This analyzer attempts to filter out erroneous version numbers collected.
+ * Initially, this will focus on JAR files that contain a POM version number
+ * that matches the file name - if identified all other version information will
+ * be removed.
+ *
+ * @author Jeremy Long
+ */
+public class VersionFilterAnalyzer extends AbstractAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="Constants">
+    /**
+     * Evidence source.
+     */
+    private static final String FILE = "file";
+    /**
+     * Evidence source.
+     */
+    private static final String POM = "pom";
+    /**
+     * Evidence source.
+     */
+    private static final String NEXUS = "nexus";
+    /**
+     * Evidence source.
+     */
+    private static final String CENTRAL = "central";
+    /**
+     * Evidence source.
+     */
+    private static final String MANIFEST = "Manifest";
+    /**
+     * Evidence name.
+     */
+    private static final String VERSION = "version";
+    /**
+     * Evidence name.
+     */
+    private static final String IMPLEMENTATION_VERSION = "Implementation-Version";
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Version Filter Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_INFORMATION_COLLECTION;
+
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="Standard implementation of Analyzer">
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the setting key to determine if the analyzer is enabled.
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_VERSION_FILTER_ENABLED;
+    }
+    //</editor-fold>
+
+    /**
+     * The Logger for use throughout the class
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(VersionFilterAnalyzer.class);
+
+    /**
+     * The HintAnalyzer uses knowledge about a dependency to add additional
+     * information to help in identification of identifiers or vulnerabilities.
+     *
+     * @param dependency The dependency being analyzed
+     * @param engine The scanning engine
+     * @throws AnalysisException is thrown if there is an exception analyzing
+     * the dependency.
+     */
+    @Override
+    protected synchronized void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        String fileVersion = null;
+        String pomVersion = null;
+        String manifestVersion = null;
+        for (Evidence e : dependency.getVersionEvidence()) {
+            if (FILE.equals(e.getSource()) && VERSION.equals(e.getName())) {
+                fileVersion = e.getValue(Boolean.FALSE);
+            } else if ((NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource())
+                    || POM.equals(e.getSource())) && VERSION.equals(e.getName())) {
+                pomVersion = e.getValue(Boolean.FALSE);
+            } else if (MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName())) {
+                manifestVersion = e.getValue(Boolean.FALSE);
+            }
+        }
+        //ensure we have at least two not null
+        if (((fileVersion == null ? 0 : 1) + (pomVersion == null ? 0 : 1) + (manifestVersion == null ? 0 : 1)) > 1) {
+            final DependencyVersion dvFile = new DependencyVersion(fileVersion);
+            final DependencyVersion dvPom = new DependencyVersion(pomVersion);
+            final DependencyVersion dvManifest = new DependencyVersion(manifestVersion);
+            final boolean fileMatch = Objects.equals(dvFile, dvPom) || Objects.equals(dvFile, dvManifest);
+            final boolean manifestMatch = Objects.equals(dvManifest, dvPom) || Objects.equals(dvManifest, dvFile);
+            final boolean pomMatch = Objects.equals(dvPom, dvFile) || Objects.equals(dvPom, dvManifest);
+            if (fileMatch || manifestMatch || pomMatch) {
+                LOGGER.debug("filtering evidence from {}", dependency.getFileName());
+                final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
+                final Iterator<Evidence> itr = versionEvidence.iterator();
+                while (itr.hasNext()) {
+                    final Evidence e = itr.next();
+                    if (!(pomMatch && VERSION.equals(e.getName())
+                            && (NEXUS.equals(e.getSource()) || CENTRAL.equals(e.getSource()) || POM.equals(e.getSource())))
+                            && !(fileMatch && VERSION.equals(e.getName()) && FILE.equals(e.getSource()))
+                            && !(manifestMatch && MANIFEST.equals(e.getSource()) && IMPLEMENTATION_VERSION.equals(e.getName()))) {
+                        itr.remove();
+                    }
+                }
+            }
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java

@@ -20,11 +20,13 @@ package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 
 /**
- * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
- * Any identified Vulnerability entries within the dependencies that match will be removed.
+ * The suppression analyzer processes an externally defined XML document that
+ * complies with the suppressions.xsd schema. Any identified Vulnerability
+ * entries within the dependencies that match will be removed.
  *
  * @author Jeremy Long
  */
@@ -59,10 +61,29 @@ public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyze
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_VULNERABILITY_SUPPRESSION_ENABLED;
+    }
     //</editor-fold>
 
+    /**
+     * Analyzes a dependency's vulnerabilities against the configured CVE
+     * suppressions.
+     *
+     * @param dependency the dependency being analyzed
+     * @param engine a reference to the engine orchestrating the analysis
+     * @throws AnalysisException thrown if there is an error during analysis
+     */
     @Override
-    public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException {
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
 
         if (getRules() == null || getRules().size() <= 0) {
             return;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java

@@ -24,17 +24,20 @@ import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.URLConnectionFactory;
+import org.owasp.dependencycheck.utils.XmlUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
 
 /**
  * Class of methods to search Maven Central via Central.
@@ -51,7 +54,7 @@ public class CentralSearch {
     /**
      * Whether to use the Proxy when making requests
      */
-    private boolean useProxy;
+    private final boolean useProxy;
 
     /**
      * Used for logging.
@@ -61,8 +64,8 @@ public class CentralSearch {
     /**
      * Creates a NexusSearch for the given repository URL.
      *
-     * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should
-     * end in /select)
+     * @param rootURL the URL of the repository on which searches should
+     * execute. Only parameters are added to this (so it should end in /select)
      */
     public CentralSearch(URL rootURL) {
         this.rootURL = rootURL;
@@ -76,18 +79,20 @@ public class CentralSearch {
     }
 
     /**
-     * Searches the configured Central URL for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
-     * populated with the GAV.
+     * Searches the configured Central URL for the given sha1 hash. If the
+     * artifact is found, a <code>MavenArtifact</code> is populated with the
+     * GAV.
      *
      * @param sha1 the SHA-1 hash string for which to search
      * @return the populated Maven GAV.
-     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
+     * @throws IOException if it's unable to connect to the specified repository
+     * or if the specified artifact is not found.
      */
     public List<MavenArtifact> searchSha1(String sha1) throws IOException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
             throw new IllegalArgumentException("Invalid SHA1 format");
         }
-
+        List<MavenArtifact> result = null;
         final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
 
         LOGGER.debug("Searching Central url {}", url);
@@ -108,15 +113,14 @@ public class CentralSearch {
         if (conn.getResponseCode() == 200) {
             boolean missing = false;
             try {
-                final DocumentBuilder builder = DocumentBuilderFactory
-                        .newInstance().newDocumentBuilder();
+                final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
                 final Document doc = builder.parse(conn.getInputStream());
                 final XPath xpath = XPathFactory.newInstance().newXPath();
                 final String numFound = xpath.evaluate("/response/result/@numFound", doc);
                 if ("0".equals(numFound)) {
                     missing = true;
                 } else {
-                    final List<MavenArtifact> result = new ArrayList<MavenArtifact>();
+                    result = new ArrayList<>();
                     final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
                     for (int i = 0; i < docs.getLength(); i++) {
                         final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
@@ -124,11 +128,11 @@ public class CentralSearch {
                         final String a = xpath.evaluate("./str[@name='a']", docs.item(i));
                         LOGGER.trace("ArtifactId: {}", a);
                         final String v = xpath.evaluate("./str[@name='v']", docs.item(i));
-                        NodeList atts = (NodeList) xpath.evaluate("./arr[@name='ec']/str", docs.item(i), XPathConstants.NODESET);
+                        NodeList attributes = (NodeList) xpath.evaluate("./arr[@name='ec']/str", docs.item(i), XPathConstants.NODESET);
                         boolean pomAvailable = false;
                         boolean jarAvailable = false;
-                        for (int x = 0; x < atts.getLength(); x++) {
-                            final String tmp = xpath.evaluate(".", atts.item(x));
+                        for (int x = 0; x < attributes.getLength(); x++) {
+                            final String tmp = xpath.evaluate(".", attributes.item(x));
                             if (".pom".equals(tmp)) {
                                 pomAvailable = true;
                             } else if (".jar".equals(tmp)) {
@@ -136,24 +140,20 @@ public class CentralSearch {
                             }
                         }
 
-                        atts = (NodeList) xpath.evaluate("./arr[@name='tags']/str", docs.item(i), XPathConstants.NODESET);
+                        attributes = (NodeList) xpath.evaluate("./arr[@name='tags']/str", docs.item(i), XPathConstants.NODESET);
                         boolean useHTTPS = false;
-                        for (int x = 0; x < atts.getLength(); x++) {
-                            final String tmp = xpath.evaluate(".", atts.item(x));
+                        for (int x = 0; x < attributes.getLength(); x++) {
+                            final String tmp = xpath.evaluate(".", attributes.item(x));
                             if ("https".equals(tmp)) {
                                 useHTTPS = true;
                             }
                         }
-
                         LOGGER.trace("Version: {}", v);
                         result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable, useHTTPS));
                     }
-
-                    return result;
                 }
-            } catch (Throwable e) {
-                // Anything else is jacked up XML stuff that we really can't recover
-                // from well
+            } catch (ParserConfigurationException | IOException | SAXException | XPathExpressionException e) {
+                // Anything else is jacked up XML stuff that we really can't recover from well
                 throw new IOException(e.getMessage(), e);
             }
 
@@ -165,7 +165,6 @@ public class CentralSearch {
                     conn.getResponseCode(), conn.getResponseMessage());
             throw new IOException("Could not connect to Central");
         }
-
-        return null;
+        return result;
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerDependency.java

@@ -18,7 +18,7 @@
 package org.owasp.dependencycheck.data.composer;
 
 /**
- * Reperesents a dependency (GAV, right now) from a Composer dependency.
+ * Represents a dependency (GAV, right now) from a Composer dependency.
  *
  * @author colezlaw
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java

@@ -42,11 +42,6 @@ public class ComposerLockParser {
      */
     private final JsonReader jsonReader;
 
-    /**
-     * The input stream we'll read
-     */
-    private final InputStream inputStream; // NOPMD - it gets set in the constructor, read later
-
     /**
      * The List of ComposerDependencies found
      */
@@ -58,15 +53,14 @@ public class ComposerLockParser {
     private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockParser.class);
 
     /**
-     * Createas a ComposerLockParser from a JsonReader and an InputStream.
+     * Creates a ComposerLockParser from a JsonReader and an InputStream.
      *
      * @param inputStream the InputStream to parse
      */
     public ComposerLockParser(InputStream inputStream) {
         LOGGER.info("Creating a ComposerLockParser");
-        this.inputStream = inputStream;
         this.jsonReader = Json.createReader(inputStream);
-        this.composerDependencies = new ArrayList<ComposerDependency>();
+        this.composerDependencies = new ArrayList<>();
     }
 
     /**
@@ -87,7 +81,7 @@ public class ComposerLockParser {
                                 final String group = groupName.substring(0, groupName.indexOf('/'));
                                 final String project = groupName.substring(groupName.indexOf('/') + 1);
                                 String version = pkg.getString("version");
-                                // Some version nubmers begin with v - which doesn't end up matching CPE's
+                                // Some version numbers begin with v - which doesn't end up matching CPE's
                                 if (version.startsWith("v")) {
                                     version = version.substring(1);
                                 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java

@@ -38,7 +38,6 @@ import org.apache.lucene.search.IndexSearcher;
 import org.apache.lucene.search.Query;
 import org.apache.lucene.search.TopDocs;
 import org.apache.lucene.store.RAMDirectory;
-import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
 import org.owasp.dependencycheck.data.lucene.LuceneUtils;
 import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
@@ -48,8 +47,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within the NVD
- * CVE data.
+ * An in memory lucene index that contains the vendor/product combinations from
+ * the CPE (application) identifiers within the NVD CVE data.
  *
  * @author Jeremy Long
  */
@@ -63,21 +62,6 @@ public final class CpeMemoryIndex {
      * singleton instance.
      */
     private static final CpeMemoryIndex INSTANCE = new CpeMemoryIndex();
-
-    /**
-     * private constructor for singleton.
-     */
-    private CpeMemoryIndex() {
-    }
-
-    /**
-     * Gets the singleton instance of the CpeMemoryIndex.
-     *
-     * @return the instance of the CpeMemoryIndex
-     */
-    public static CpeMemoryIndex getInstance() {
-        return INSTANCE;
-    }
     /**
      * The in memory Lucene index.
      */
@@ -101,11 +85,30 @@ public final class CpeMemoryIndex {
     /**
      * The search field analyzer for the product field.
      */
-    private SearchFieldAnalyzer productSearchFieldAnalyzer;
+    private SearchFieldAnalyzer productFieldAnalyzer;
     /**
      * The search field analyzer for the vendor field.
      */
-    private SearchFieldAnalyzer vendorSearchFieldAnalyzer;
+    private SearchFieldAnalyzer vendorFieldAnalyzer;
+    /**
+     * A flag indicating whether or not the index is open.
+     */
+    private boolean openState = false;
+
+    /**
+     * private constructor for singleton.
+     */
+    private CpeMemoryIndex() {
+    }
+
+    /**
+     * Gets the singleton instance of the CpeMemoryIndex.
+     *
+     * @return the instance of the CpeMemoryIndex
+     */
+    public static CpeMemoryIndex getInstance() {
+        return INSTANCE;
+    }
 
     /**
      * Creates and loads data into an in memory index.
@@ -130,10 +133,6 @@ public final class CpeMemoryIndex {
             }
         }
     }
-    /**
-     * A flag indicating whether or not the index is open.
-     */
-    private boolean openState = false;
 
     /**
      * returns whether or not the index is open.
@@ -144,31 +143,20 @@ public final class CpeMemoryIndex {
         return openState;
     }
 
-    /**
-     * Creates the indexing analyzer for the CPE Index.
-     *
-     * @return the CPE Analyzer.
-     */
-    private Analyzer createIndexingAnalyzer() {
-        final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
-        fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
-        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
-    }
-
     /**
      * Creates an Analyzer for searching the CPE Index.
      *
      * @return the CPE Analyzer.
      */
     private Analyzer createSearchingAnalyzer() {
-        final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
+        final Map<String, Analyzer> fieldAnalyzers = new HashMap<>();
         fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
-        productSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
-        vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
-        fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
-        fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer);
+        productFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
+        vendorFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
+        fieldAnalyzers.put(Fields.PRODUCT, productFieldAnalyzer);
+        fieldAnalyzers.put(Fields.VENDOR, vendorFieldAnalyzer);
 
-        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
+        return new PerFieldAnalyzerWrapper(new KeywordAnalyzer(), fieldAnalyzers);
     }
 
     /**
@@ -203,13 +191,8 @@ public final class CpeMemoryIndex {
      * @throws IndexException thrown if there is an issue creating the index
      */
     private void buildIndex(CveDB cve) throws IndexException {
-        Analyzer analyzer = null;
-        IndexWriter indexWriter = null;
-        try {
-            analyzer = createIndexingAnalyzer();
-            final IndexWriterConfig conf = new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer);
-            indexWriter = new IndexWriter(index, conf);
-            try {
+        try (Analyzer analyzer = createSearchingAnalyzer();
+                IndexWriter indexWriter = new IndexWriter(index, new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer))) {
             // Tip: reuse the Document and Fields for performance...
             // See "Re-use Document and Field instances" from
             // http://wiki.apache.org/lucene-java/ImproveIndexingSpeed
@@ -221,47 +204,34 @@ public final class CpeMemoryIndex {
 
             final Set<Pair<String, String>> data = cve.getVendorProductList();
             for (Pair<String, String> pair : data) {
+                if (pair.getLeft() != null && pair.getRight() != null) {
                     v.setStringValue(pair.getLeft());
                     p.setStringValue(pair.getRight());
                     indexWriter.addDocument(doc);
+                    resetFieldAnalyzer();
                 }
+            }
+            indexWriter.commit();
+            indexWriter.close(true);
         } catch (DatabaseException ex) {
             LOGGER.debug("", ex);
             throw new IndexException("Error reading CPE data", ex);
-            }
         } catch (CorruptIndexException ex) {
             throw new IndexException("Unable to close an in-memory index", ex);
         } catch (IOException ex) {
             throw new IndexException("Unable to close an in-memory index", ex);
-        } finally {
-            if (indexWriter != null) {
-                try {
-                    try {
-                        indexWriter.commit();
-                    } finally {
-                        indexWriter.close(true);
-                    }
-                } catch (CorruptIndexException ex) {
-                    throw new IndexException("Unable to close an in-memory index", ex);
-                } catch (IOException ex) {
-                    throw new IndexException("Unable to close an in-memory index", ex);
-                }
-                if (analyzer != null) {
-                    analyzer.close();
-                }
-            }
         }
     }
 
     /**
-     * Resets the searching analyzers
+     * Resets the product and vendor field analyzers.
      */
-    private void resetSearchingAnalyzer() {
-        if (productSearchFieldAnalyzer != null) {
-            productSearchFieldAnalyzer.clear();
+    private void resetFieldAnalyzer() {
+        if (productFieldAnalyzer != null) {
+            productFieldAnalyzer.clear();
         }
-        if (vendorSearchFieldAnalyzer != null) {
-            vendorSearchFieldAnalyzer.clear();
+        if (vendorFieldAnalyzer != null) {
+            vendorFieldAnalyzer.clear();
         }
     }
 
@@ -272,13 +242,15 @@ public final class CpeMemoryIndex {
      * @param maxQueryResults the maximum number of documents to return
      * @return the TopDocs found by the search
      * @throws ParseException thrown when the searchString is invalid
-     * @throws IOException is thrown if there is an issue with the underlying Index
+     * @throws IOException is thrown if there is an issue with the underlying
+     * Index
      */
-    public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
+    public synchronized TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
         if (searchString == null || searchString.trim().isEmpty()) {
             throw new ParseException("Query is null or empty");
         }
         LOGGER.debug(searchString);
+        resetFieldAnalyzer();
         final Query query = queryParser.parse(searchString);
         return search(query, maxQueryResults);
     }
@@ -292,8 +264,8 @@ public final class CpeMemoryIndex {
      * @throws CorruptIndexException thrown if the Index is corrupt
      * @throws IOException thrown if there is an IOException
      */
-    public TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
-        resetSearchingAnalyzer();
+    public synchronized TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
+        resetFieldAnalyzer();
         return indexSearcher.search(query, maxQueryResults);
     }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexEntry.java

@@ -20,6 +20,7 @@ package org.owasp.dependencycheck.data.cpe;
 import java.io.Serializable;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
+import org.apache.commons.lang3.StringUtils;
 
 /**
  * A CPE entry containing the name, vendor, product, and version.
@@ -31,7 +32,7 @@ public class IndexEntry implements Serializable {
     /**
      * the serial version uid.
      */
-    static final long serialVersionUID = 8011924485946326934L;
+    private static final long serialVersionUID = 8011924485946326934L;
     /**
      * The vendor name.
      */
@@ -143,7 +144,8 @@ public class IndexEntry implements Serializable {
      */
     public void parseName(String cpeName) throws UnsupportedEncodingException {
         if (cpeName != null && cpeName.length() > 7) {
-            final String[] data = cpeName.substring(7).split(":");
+            final String cpeNameWithoutPrefix = cpeName.substring(7);
+            final String[] data = StringUtils.split(cpeNameWithoutPrefix, ':');
             if (data.length >= 1) {
                 vendor = URLDecoder.decode(data[0].replace("+", "%2B"), "UTF-8");
                 if (data.length >= 2) {
@@ -172,10 +174,7 @@ public class IndexEntry implements Serializable {
         if ((this.vendor == null) ? (other.vendor != null) : !this.vendor.equals(other.vendor)) {
             return false;
         }
-        if ((this.product == null) ? (other.product != null) : !this.product.equals(other.product)) {
-            return false;
-        }
-        return true;
+        return !((this.product == null) ? (other.product != null) : !this.product.equals(other.product));
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java

@@ -54,12 +54,10 @@ public final class CweDB {
      * @return a HashMap of CWE data
      */
     private static Map<String, String> loadData() {
-        ObjectInputStream oin = null;
-        try {
         final String filePath = "data/cwe.hashmap.serialized";
-            final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
-            oin = new ObjectInputStream(input);
-            @SuppressWarnings("unchecked")
+        try (InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
+                ObjectInputStream oin = new ObjectInputStream(input)) {
+
             final Map<String, String> ret = (HashMap<String, String>) oin.readObject();
             return ret;
         } catch (ClassNotFoundException ex) {
@@ -68,14 +66,6 @@ public final class CweDB {
         } catch (IOException ex) {
             LOGGER.warn("Unable to load CWE data due to an IO Error. This should not be an issue.");
             LOGGER.debug("", ex);
-        } finally {
-            if (oin != null) {
-                try {
-                    oin.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("", ex);
-                }
-            }
         }
         return null;
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -32,7 +32,7 @@ public class CweHandler extends DefaultHandler {
     /**
      * a HashMap containing the CWE data.
      */
-    private final HashMap<String, String> cwe = new HashMap<String, String>();
+    private final HashMap<String, String> cwe = new HashMap<>();
 
     /**
      * Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java

@@ -63,7 +63,7 @@ public abstract class AbstractTokenizingFilter extends TokenFilter {
      */
     public AbstractTokenizingFilter(TokenStream stream) {
         super(stream);
-        tokens = new LinkedList<String>();
+        tokens = new LinkedList<>();
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java

@@ -29,11 +29,15 @@ import org.apache.lucene.util.Version;
 
 /**
  * <p>
- * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The intended
- * purpose of this Analyzer is to index the CPE fields vendor and product.</p>
+ * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter,
+ * LowerCaseFilter, and StopFilter. The intended purpose of this Analyzer is to
+ * index the CPE fields vendor and product.</p>
  *
  * @author Jeremy Long
+ * @deprecated the field analyzer should not be used, instead use the
+ * SearchFieldAnalyzer so that the token analyzing filter is used.
  */
+@Deprecated
 public class FieldAnalyzer extends Analyzer {
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -71,7 +71,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
      */
     public TokenPairConcatenatingFilter(TokenStream stream) {
         super(stream);
-        words = new LinkedList<String>();
+        words = new LinkedList<>();
     }
 
     /**
@@ -156,10 +156,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
         if ((this.previousWord == null) ? (other.previousWord != null) : !this.previousWord.equals(other.previousWord)) {
             return false;
         }
-        if (this.words != other.words && (this.words == null || !this.words.equals(other.words))) {
-            return false;
-        }
-        return true;
+        return !(this.words != other.words && (this.words == null || !this.words.equals(other.words)));
     }
 
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java

@@ -22,15 +22,17 @@ import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
-import org.owasp.dependencycheck.utils.InvalidSettingException;
-import org.owasp.dependencycheck.utils.Settings;
+
 import org.owasp.dependencycheck.utils.URLConnectionFactory;
+import org.owasp.dependencycheck.utils.XmlUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
+import org.xml.sax.SAXException;
 
 /**
  * Class of methods to search Nexus repositories.
@@ -47,7 +49,7 @@ public class NexusSearch {
     /**
      * Whether to use the Proxy when making requests.
      */
-    private boolean useProxy;
+    private final boolean useProxy;
     /**
      * Used for logging.
      */
@@ -56,32 +58,26 @@ public class NexusSearch {
     /**
      * Creates a NexusSearch for the given repository URL.
      *
-     * @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated relative to this
-     * URL, so it should end with a /
+     * @param rootURL the root URL of the repository on which searches should
+     * execute. full URL's are calculated relative to this URL, so it should end
+     * with a /
+     * @param useProxy flag indicating if the proxy settings should be used
      */
-    public NexusSearch(URL rootURL) {
+    public NexusSearch(URL rootURL, boolean useProxy) {
         this.rootURL = rootURL;
-        try {
-            if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)
-                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY)) {
-                useProxy = true;
-                LOGGER.debug("Using proxy");
-            } else {
-                useProxy = false;
-                LOGGER.debug("Not using proxy");
-            }
-        } catch (InvalidSettingException ise) {
-            useProxy = false;
-        }
+        this.useProxy = useProxy;
+        LOGGER.debug("Using proxy: {}", useProxy);
     }
 
     /**
-     * Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
-     * populated with the coordinate information.
+     * Searches the configured Nexus repository for the given sha1 hash. If the
+     * artifact is found, a <code>MavenArtifact</code> is populated with the
+     * coordinate information.
      *
      * @param sha1 The SHA-1 hash string for which to search
      * @return the populated Maven coordinates
-     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
+     * @throws IOException if it's unable to connect to the specified repository
+     * or if the specified artifact is not found.
      */
     public MavenArtifact searchSha1(String sha1) throws IOException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
@@ -106,10 +102,10 @@ public class NexusSearch {
         conn.addRequestProperty("Accept", "application/xml");
         conn.connect();
 
-        if (conn.getResponseCode() == 200) {
+        switch (conn.getResponseCode()) {
+            case 200:
                 try {
-                final DocumentBuilder builder = DocumentBuilderFactory
-                        .newInstance().newDocumentBuilder();
+                    final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
                     final Document doc = builder.parse(conn.getInputStream());
                     final XPath xpath = XPathFactory.newInstance().newXPath();
                     final String groupId = xpath
@@ -139,14 +135,14 @@ public class NexusSearch {
                         ma.setPomUrl(pomLink);
                     }
                     return ma;
-            } catch (Throwable e) {
+                } catch (ParserConfigurationException | IOException | SAXException | XPathExpressionException e) {
                     // Anything else is jacked-up XML stuff that we really can't recover
                     // from well
                     throw new IOException(e.getMessage(), e);
                 }
-        } else if (conn.getResponseCode() == 404) {
+            case 404:
                 throw new FileNotFoundException("Artifact not found in Nexus");
-        } else {
+            default:
                 LOGGER.debug("Could not connect to Nexus received response code: {} {}",
                         conn.getResponseCode(), conn.getResponseMessage());
                 throw new IOException("Could not connect to Nexus");
@@ -156,7 +152,8 @@ public class NexusSearch {
     /**
      * Do a preflight request to see if the repository is actually working.
      *
-     * @return whether the repository is listening and returns the /status URL correctly
+     * @return whether the repository is listening and returns the /status URL
+     * correctly
      */
     public boolean preflightRequest() {
         HttpURLConnection conn;
@@ -169,13 +166,14 @@ public class NexusSearch {
                 LOGGER.warn("Expected 200 result from Nexus, got {}", conn.getResponseCode());
                 return false;
             }
-            final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
+
             final Document doc = builder.parse(conn.getInputStream());
             if (!"status".equals(doc.getDocumentElement().getNodeName())) {
                 LOGGER.warn("Expected root node name of status, got {}", doc.getDocumentElement().getNodeName());
                 return false;
             }
-        } catch (Throwable e) {
+        } catch (IOException | ParserConfigurationException | SAXException e) {
             return false;
         }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetPackage.java

@@ -53,12 +53,6 @@ public class NugetPackage {
      */
     private String licenseUrl;
 
-    /**
-     * Creates an empty NugetPackage.
-     */
-    public NugetPackage() {
-    }
-
     /**
      * Sets the id.
      * @param id the id

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java

@@ -17,13 +17,18 @@
  */
 package org.owasp.dependencycheck.data.nuget;
 
+import java.io.IOException;
 import java.io.InputStream;
-import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
+import org.owasp.dependencycheck.utils.XmlUtils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
+import org.xml.sax.SAXException;
 
 /**
  * Parse a Nuspec file using XPath.
@@ -36,7 +41,8 @@ public class XPathNuspecParser implements NuspecParser {
      * Gets the string value of a node or null if it's not present
      *
      * @param n the node to test
-     * @return the string content of the node, or null if the node itself is null
+     * @return the string content of the node, or null if the node itself is
+     * null
      */
     private String getOrNull(Node n) {
         if (n != null) {
@@ -56,7 +62,9 @@ public class XPathNuspecParser implements NuspecParser {
     @Override
     public NugetPackage parse(InputStream stream) throws NuspecParseException {
         try {
-            final Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream);
+            final DocumentBuilder db = XmlUtils.buildSecureDocumentBuilder();
+            final Document d = db.parse(stream);
+
             final XPath xpath = XPathFactory.newInstance().newXPath();
             final NugetPackage nuspec = new NugetPackage();
 
@@ -74,7 +82,7 @@ public class XPathNuspecParser implements NuspecParser {
             nuspec.setLicenseUrl(getOrNull((Node) xpath.evaluate("/package/metadata/licenseUrl", d, XPathConstants.NODE)));
             nuspec.setTitle(getOrNull((Node) xpath.evaluate("/package/metadata/title", d, XPathConstants.NODE)));
             return nuspec;
-        } catch (Throwable e) {
+        } catch (ParserConfigurationException | SAXException | IOException | XPathExpressionException | NuspecParseException e) {
             throw new NuspecParseException("Unable to parse nuspec", e);
         }
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.data.nvdcve;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.sql.CallableStatement;
+import java.sql.PreparedStatement;
 import java.sql.Connection;
 import java.sql.Driver;
 import java.sql.DriverManager;
@@ -36,8 +36,10 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * Loads the configured database driver and returns the database connection. If the embedded H2 database is used obtaining a
- * connection will ensure the database file exists and that the appropriate table structure has been created.
+ * Loads the configured database driver and returns the database connection. If
+ * the embedded H2 database is used obtaining a connection will ensure the
+ * database file exists and that the appropriate table structure has been
+ * created.
  *
  * @author Jeremy Long
  */
@@ -87,12 +89,13 @@ public final class ConnectionFactory {
     }
 
     /**
-     * Initializes the connection factory. Ensuring that the appropriate drivers are loaded and that a connection can be made
-     * successfully.
+     * Initializes the connection factory. Ensuring that the appropriate drivers
+     * are loaded and that a connection can be made successfully.
      *
-     * @throws DatabaseException thrown if we are unable to connect to the database
+     * @throws DatabaseException thrown if we are unable to connect to the
+     * database
      */
-    public static synchronized void initialize() throws DatabaseException {
+    public static void initialize() throws DatabaseException {
         //this only needs to be called once.
         if (connectionString != null) {
             return;
@@ -188,11 +191,12 @@ public final class ConnectionFactory {
     }
 
     /**
-     * Cleans up resources and unloads any registered database drivers. This needs to be called to ensure the driver is
-     * unregistered prior to the finalize method being called as during shutdown the class loader used to load the driver may be
-     * unloaded prior to the driver being de-registered.
+     * Cleans up resources and unloads any registered database drivers. This
+     * needs to be called to ensure the driver is unregistered prior to the
+     * finalize method being called as during shutdown the class loader used to
+     * load the driver may be unloaded prior to the driver being de-registered.
      */
-    public static synchronized void cleanup() {
+    public static void cleanup() {
         if (driver != null) {
             try {
                 DriverManager.deregisterDriver(driver);
@@ -210,10 +214,12 @@ public final class ConnectionFactory {
     }
 
     /**
-     * Constructs a new database connection object per the database configuration.
+     * Constructs a new database connection object per the database
+     * configuration.
      *
      * @return a database connection object
-     * @throws DatabaseException thrown if there is an exception loading the database connection
+     * @throws DatabaseException thrown if there is an exception loading the
+     * database connection
      */
     public static Connection getConnection() throws DatabaseException {
         initialize();
@@ -228,12 +234,14 @@ public final class ConnectionFactory {
     }
 
     /**
-     * Determines if the H2 database file exists. If it does not exist then the data structure will need to be created.
+     * Determines if the H2 database file exists. If it does not exist then the
+     * data structure will need to be created.
      *
      * @return true if the H2 database file does not exist; otherwise false
-     * @throws IOException thrown if the data directory does not exist and cannot be created
+     * @throws IOException thrown if the data directory does not exist and
+     * cannot be created
      */
-    private static boolean h2DataFileExists() throws IOException {
+    public static boolean h2DataFileExists() throws IOException {
         final File dir = Settings.getDataDirectory();
         final String fileName = Settings.getString(Settings.KEYS.DB_FILE_NAME);
         final File file = new File(dir, fileName);
@@ -241,7 +249,26 @@ public final class ConnectionFactory {
     }
 
     /**
-     * Creates the database structure (tables and indexes) to store the CVE data.
+     * Determines if the connection string is for an H2 database.
+     *
+     * @return true if the connection string is for an H2 database
+     */
+    public static boolean isH2Connection() {
+        String connStr;
+        try {
+            connStr = Settings.getConnectionString(
+                    Settings.KEYS.DB_CONNECTION_STRING,
+                    Settings.KEYS.DB_FILE_NAME);
+        } catch (IOException ex) {
+            LOGGER.debug("Unable to get connectionn string", ex);
+            return false;
+        }
+        return connStr.startsWith("jdbc:h2:file:");
+    }
+
+    /**
+     * Creates the database structure (tables and indexes) to store the CVE
+     * data.
      *
      * @param conn the database connection
      * @throws DatabaseException thrown if there is a Database Exception
@@ -271,14 +298,17 @@ public final class ConnectionFactory {
     }
 
     /**
-     * Updates the database schema by loading the upgrade script for the version specified. The intended use is that if the
-     * current schema version is 2.9 then we would call updateSchema(conn, "2.9"). This would load the upgrade_2.9.sql file and
-     * execute it against the database. The upgrade script must update the 'version' in the properties table.
+     * Updates the database schema by loading the upgrade script for the version
+     * specified. The intended use is that if the current schema version is 2.9
+     * then we would call updateSchema(conn, "2.9"). This would load the
+     * upgrade_2.9.sql file and execute it against the database. The upgrade
+     * script must update the 'version' in the properties table.
      *
      * @param conn the database connection object
      * @param appExpectedVersion the schema version that the application expects
      * @param currentDbVersion the current schema version of the database
-     * @throws DatabaseException thrown if there is an exception upgrading the database schema
+     * @throws DatabaseException thrown if there is an exception upgrading the
+     * database schema
      */
     private static void updateSchema(Connection conn, DependencyVersion appExpectedVersion, DependencyVersion currentDbVersion)
             throws DatabaseException {
@@ -330,7 +360,7 @@ public final class ConnectionFactory {
                 LOGGER.warn("A new version of dependency-check is available; consider upgrading");
                 Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
             } else if (e0 == c0 && e1 == c1) {
-                //do nothing - not sure how we got here, but just incase...
+                //do nothing - not sure how we got here, but just in case...
             } else {
                 LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.",
                         UPGRADE_HELP_URL);
@@ -340,26 +370,35 @@ public final class ConnectionFactory {
     }
 
     /**
-     * Counter to ensure that calls to ensureSchemaVersion does not end up in an endless loop.
+     * Counter to ensure that calls to ensureSchemaVersion does not end up in an
+     * endless loop.
      */
     private static int callDepth = 0;
 
     /**
-     * Uses the provided connection to check the specified schema version within the database.
+     * Uses the provided connection to check the specified schema version within
+     * the database.
      *
      * @param conn the database connection object
-     * @throws DatabaseException thrown if the schema version is not compatible with this version of dependency-check
+     * @throws DatabaseException thrown if the schema version is not compatible
+     * with this version of dependency-check
      */
     private static void ensureSchemaVersion(Connection conn) throws DatabaseException {
         ResultSet rs = null;
-        CallableStatement cs = null;
+        PreparedStatement ps = null;
         try {
             //TODO convert this to use DatabaseProperties
-            cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
-            rs = cs.executeQuery();
+            ps = conn.prepareStatement("SELECT value FROM properties WHERE id = 'version'");
+            rs = ps.executeQuery();
             if (rs.next()) {
                 final DependencyVersion appDbVersion = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
+                if (appDbVersion == null) {
+                    throw new DatabaseException("Invalid application database schema");
+                }
                 final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
+                if (db == null) {
+                    throw new DatabaseException("Invalid database schema");
+                }
                 if (appDbVersion.compareTo(db) > 0) {
                     LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
                     LOGGER.debug("DB Schema: {}", rs.getString(1));
@@ -376,7 +415,7 @@ public final class ConnectionFactory {
             throw new DatabaseException("Unable to check the database schema version");
         } finally {
             DBUtils.closeResultSet(rs);
-            DBUtils.closeStatement(cs);
+            DBUtils.closeStatement(ps);
         }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -19,13 +19,12 @@ package org.owasp.dependencycheck.data.nvdcve;
 
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
-import java.sql.CallableStatement;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-import java.sql.Statement;
 import java.util.ArrayList;
+import java.util.EnumMap;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -36,6 +35,7 @@ import java.util.MissingResourceException;
 import java.util.Properties;
 import java.util.ResourceBundle;
 import java.util.Set;
+import javax.annotation.concurrent.ThreadSafe;
 import org.owasp.dependencycheck.data.cwe.CweDB;
 import org.owasp.dependencycheck.dependency.Reference;
 import org.owasp.dependencycheck.dependency.Vulnerability;
@@ -48,13 +48,27 @@ import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import static org.owasp.dependencycheck.data.nvdcve.CveDB.PreparedStatementCveDb.*;
+
 /**
- * The database holding information about the NVD CVE data.
+ * The database holding information about the NVD CVE data. This class is safe
+ * to be accessed from multiple threads in parallel, however internally only one
+ * connection will be used.
  *
  * @author Jeremy Long
  */
-public class CveDB {
+@ThreadSafe
+public final class CveDB implements AutoCloseable {
 
+    /**
+     * Singleton instance of the CveDB.
+     */
+    private static CveDB instance = null;
+    /**
+     * Track the number of current users of the CveDB; so that if someone is
+     * using database another user cannot close the connection on them.
+     */
+    private int usageCount = 0;
     /**
      * The logger.
      */
@@ -62,19 +76,132 @@ public class CveDB {
     /**
      * Database connection
      */
-    private Connection conn;
+    private Connection connection;
     /**
      * The bundle of statements used when accessing the database.
      */
-    private ResourceBundle statementBundle = null;
+    private ResourceBundle statementBundle;
+    /**
+     * Database properties object containing the 'properties' from the database
+     * table.
+     */
+    private DatabaseProperties databaseProperties;
+    /**
+     * The prepared statements.
+     */
+    private final EnumMap<PreparedStatementCveDb, PreparedStatement> preparedStatements = new EnumMap<>(PreparedStatementCveDb.class);
 
     /**
-     * Creates a new CveDB object and opens the database
-     * connection. Note, the connection must be closed by the caller by calling
-     * the close method. ======= Does the underlying connection support batch
-     * operations?
+     * The enum value names must match the keys of the statements in the
+     * statement bundles "dbStatements*.properties".
      */
-    private boolean batchSupported;
+    enum PreparedStatementCveDb {
+        /**
+         * Key for SQL Statement.
+         */
+        CLEANUP_ORPHANS,
+        /**
+         * Key for SQL Statement.
+         */
+        COUNT_CPE,
+        /**
+         * Key for SQL Statement.
+         */
+        DELETE_REFERENCE,
+        /**
+         * Key for SQL Statement.
+         */
+        DELETE_SOFTWARE,
+        /**
+         * Key for SQL Statement.
+         */
+        DELETE_VULNERABILITY,
+        /**
+         * Key for SQL Statement.
+         */
+        INSERT_CPE,
+        /**
+         * Key for SQL Statement.
+         */
+        INSERT_PROPERTY,
+        /**
+         * Key for SQL Statement.
+         */
+        INSERT_REFERENCE,
+        /**
+         * Key for SQL Statement.
+         */
+        INSERT_SOFTWARE,
+        /**
+         * Key for SQL Statement.
+         */
+        INSERT_VULNERABILITY,
+        /**
+         * Key for SQL Statement.
+         */
+        MERGE_PROPERTY,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_CPE_ENTRIES,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_CPE_ID,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_CVE_FROM_SOFTWARE,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_PROPERTIES,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_REFERENCES,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_SOFTWARE,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_VENDOR_PRODUCT_LIST,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_VULNERABILITY,
+        /**
+         * Key for SQL Statement.
+         */
+        SELECT_VULNERABILITY_ID,
+        /**
+         * Key for SQL Statement.
+         */
+        UPDATE_PROPERTY,
+        /**
+         * Key for SQL Statement.
+         */
+        UPDATE_VULNERABILITY
+    }
+
+    /**
+     * Gets the CveDB singleton object.
+     *
+     * @return the CveDB singleton
+     * @throws DatabaseException thrown if there is a database error
+     */
+    public static synchronized CveDB getInstance() throws DatabaseException {
+        if (instance == null) {
+            instance = new CveDB();
+        }
+        if (!instance.isOpen()) {
+            instance.open();
+        }
+        instance.usageCount += 1;
+        return instance;
+    }
 
     /**
      * Creates a new CveDB object and opens the database connection. Note, the
@@ -83,33 +210,24 @@ public class CveDB {
      * @throws DatabaseException thrown if there is an exception opening the
      * database.
      */
-    public CveDB() throws DatabaseException {
-        super();
-        try {
-            open();
-            try {
-                final String databaseProductName = conn.getMetaData().getDatabaseProductName();
-                batchSupported = conn.getMetaData().supportsBatchUpdates();
-                LOGGER.debug("Database dialect: {}", databaseProductName);
-                final Locale dbDialect = new Locale(databaseProductName);
-                statementBundle = ResourceBundle.getBundle("data/dbStatements", dbDialect);
-            } catch (SQLException se) {
-                LOGGER.warn("Problem loading database specific dialect!", se);
-                statementBundle = ResourceBundle.getBundle("data/dbStatements");
-            }
-            databaseProperties = new DatabaseProperties(this);
-        } catch (DatabaseException ex) {
-            throw ex;
-        }
+    private CveDB() throws DatabaseException {
     }
 
     /**
-     * Returns the database connection.
+     * Tries to determine the product name of the database.
      *
-     * @return the database connection
+     * @param conn the database connection
+     * @return the product name of the database if successful, {@code null} else
      */
-    protected Connection getConnection() {
-        return conn;
+    private static String determineDatabaseProductName(Connection conn) {
+        try {
+            final String databaseProductName = conn.getMetaData().getDatabaseProductName();
+            LOGGER.debug("Database product: {}", databaseProductName);
+            return databaseProductName;
+        } catch (SQLException se) {
+            LOGGER.warn("Problem determining database product!", se);
+            return null;
+        }
     }
 
     /**
@@ -119,20 +237,31 @@ public class CveDB {
      * @throws DatabaseException thrown if there is an error opening the
      * database connection
      */
-    public final void open() throws DatabaseException {
-        if (!isOpen()) {
-            conn = ConnectionFactory.getConnection();
+    private synchronized void open() throws DatabaseException {
+        if (!instance.isOpen()) {
+            instance.connection = ConnectionFactory.getConnection();
+            final String databaseProductName = determineDatabaseProductName(instance.connection);
+            instance.statementBundle = databaseProductName != null
+                    ? ResourceBundle.getBundle("data/dbStatements", new Locale(databaseProductName))
+                    : ResourceBundle.getBundle("data/dbStatements");
+            instance.prepareStatements();
+            instance.databaseProperties = new DatabaseProperties(instance);
         }
     }
 
     /**
-     * Closes the DB4O database. Close should be called on this object when it
-     * is done being used.
+     * Closes the database connection. Close should be called on this object
+     * when it is done being used.
      */
-    public void close() {
-        if (conn != null) {
+    @Override
+    public synchronized void close() {
+        if (instance != null) {
+            instance.usageCount -= 1;
+            if (instance.usageCount <= 0 && instance.isOpen()) {
+                instance.usageCount = 0;
+                instance.closeStatements();
                 try {
-                conn.close();
+                    instance.connection.close();
                 } catch (SQLException ex) {
                     LOGGER.error("There was an error attempting to close the CveDB, see the log for more details.");
                     LOGGER.debug("", ex);
@@ -140,7 +269,11 @@ public class CveDB {
                     LOGGER.error("There was an exception attempting to close the CveDB, see the log for more details.");
                     LOGGER.debug("", ex);
                 }
-            conn = null;
+                instance.statementBundle = null;
+                instance.preparedStatements.clear();
+                instance.databaseProperties = null;
+                instance.connection = null;
+            }
         }
     }
 
@@ -149,8 +282,54 @@ public class CveDB {
      *
      * @return whether the database connection is open or closed
      */
-    public boolean isOpen() {
-        return conn != null;
+    protected synchronized boolean isOpen() {
+        return connection != null;
+    }
+
+    /**
+     * Prepares all statements to be used.
+     *
+     * @throws DatabaseException thrown if there is an error preparing the
+     * statements
+     */
+    private void prepareStatements() throws DatabaseException {
+        for (PreparedStatementCveDb key : values()) {
+            final String statementString = statementBundle.getString(key.name());
+            final PreparedStatement preparedStatement;
+            try {
+                if (key == INSERT_VULNERABILITY || key == INSERT_CPE) {
+                    preparedStatement = connection.prepareStatement(statementString, new String[]{"id"});
+                } else {
+                    preparedStatement = connection.prepareStatement(statementString);
+                }
+            } catch (SQLException exception) {
+                throw new DatabaseException(exception);
+            }
+            preparedStatements.put(key, preparedStatement);
+        }
+    }
+
+    /**
+     * Closes all prepared statements.
+     */
+    private synchronized void closeStatements() {
+        for (PreparedStatement preparedStatement : preparedStatements.values()) {
+            DBUtils.closeStatement(preparedStatement);
+        }
+    }
+
+    /**
+     * Returns the specified prepared statement.
+     *
+     * @param key the prepared statement from {@link PreparedStatementCveDb} to
+     * return
+     * @return the prepared statement
+     * @throws SQLException thrown if a SQL Exception occurs
+     */
+    private synchronized PreparedStatement getPreparedStatement(PreparedStatementCveDb key) throws SQLException {
+        final PreparedStatement preparedStatement = preparedStatements.get(key);
+        preparedStatement.clearParameters();
+        return preparedStatement;
     }
 
     /**
@@ -158,10 +337,10 @@ public class CveDB {
      *
      * @throws SQLException thrown if a SQL Exception occurs
      */
-    public void commit() throws SQLException {
+    public synchronized void commit() throws SQLException {
         //temporary remove this as autocommit is on.
-        //if (conn != null) {
-        //    conn.commit();
+        //if (isOpen()) {
+        //    connection.commit();
         //}
     }
 
@@ -177,18 +356,23 @@ public class CveDB {
         close();
         super.finalize();
     }
-    /**
-     * Database properties object containing the 'properties' from the database
-     * table.
-     */
-    private DatabaseProperties databaseProperties;
 
     /**
      * Get the value of databaseProperties.
      *
      * @return the value of databaseProperties
      */
-    public DatabaseProperties getDatabaseProperties() {
+    public synchronized DatabaseProperties getDatabaseProperties() {
+        return databaseProperties;
+    }
+
+    /**
+     * Used within the unit tests to reload the database properties.
+     *
+     * @return the database properties
+     */
+    protected synchronized DatabaseProperties reloadProperties() {
+        databaseProperties = new DatabaseProperties(this);
         return databaseProperties;
     }
 
@@ -202,12 +386,11 @@ public class CveDB {
      * analyzed
      * @return a set of vulnerable software
      */
-    public Set<VulnerableSoftware> getCPEs(String vendor, String product) {
-        final Set<VulnerableSoftware> cpe = new HashSet<VulnerableSoftware>();
+    public synchronized Set<VulnerableSoftware> getCPEs(String vendor, String product) {
+        final Set<VulnerableSoftware> cpe = new HashSet<>();
         ResultSet rs = null;
-        PreparedStatement ps = null;
         try {
-            ps = getConnection().prepareStatement(statementBundle.getString("SELECT_CPE_ENTRIES"));
+            final PreparedStatement ps = getPreparedStatement(SELECT_CPE_ENTRIES);
             ps.setString(1, vendor);
             ps.setString(2, product);
             rs = ps.executeQuery();
@@ -222,7 +405,6 @@ public class CveDB {
             LOGGER.debug("", ex);
         } finally {
             DBUtils.closeResultSet(rs);
-            DBUtils.closeStatement(ps);
         }
         return cpe;
     }
@@ -234,22 +416,20 @@ public class CveDB {
      * @throws DatabaseException thrown when there is an error retrieving the
      * data from the DB
      */
-    public Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
-        final Set<Pair<String, String>> data = new HashSet<Pair<String, String>>();
+    public synchronized Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
+        final Set<Pair<String, String>> data = new HashSet<>();
         ResultSet rs = null;
-        PreparedStatement ps = null;
         try {
-            ps = getConnection().prepareStatement(statementBundle.getString("SELECT_VENDOR_PRODUCT_LIST"));
+            final PreparedStatement ps = getPreparedStatement(SELECT_VENDOR_PRODUCT_LIST);
             rs = ps.executeQuery();
             while (rs.next()) {
-                data.add(new Pair<String, String>(rs.getString(1), rs.getString(2)));
+                data.add(new Pair<>(rs.getString(1), rs.getString(2)));
             }
         } catch (SQLException ex) {
             final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
             throw new DatabaseException(msg, ex);
         } finally {
             DBUtils.closeResultSet(rs);
-            DBUtils.closeStatement(ps);
         }
         return data;
     }
@@ -259,12 +439,11 @@ public class CveDB {
      *
      * @return the properties from the database
      */
-    Properties getProperties() {
+    public synchronized Properties getProperties() {
         final Properties prop = new Properties();
-        PreparedStatement ps = null;
         ResultSet rs = null;
         try {
-            ps = getConnection().prepareStatement(statementBundle.getString("SELECT_PROPERTIES"));
+            final PreparedStatement ps = getPreparedStatement(SELECT_PROPERTIES);
             rs = ps.executeQuery();
             while (rs.next()) {
                 prop.setProperty(rs.getString(1), rs.getString(2));
@@ -273,7 +452,6 @@ public class CveDB {
             LOGGER.error("An unexpected SQL Exception occurred; please see the verbose log for more details.");
             LOGGER.debug("", ex);
         } finally {
-            DBUtils.closeStatement(ps);
             DBUtils.closeResultSet(rs);
         }
         return prop;
@@ -285,35 +463,24 @@ public class CveDB {
      * @param key the property key
      * @param value the property value
      */
-    void saveProperty(String key, String value) {
+    public synchronized void saveProperty(String key, String value) {
         try {
             try {
-                final PreparedStatement mergeProperty = getConnection().prepareStatement(statementBundle.getString("MERGE_PROPERTY"));
-                try {
+                final PreparedStatement mergeProperty = getPreparedStatement(MERGE_PROPERTY);
                 mergeProperty.setString(1, key);
                 mergeProperty.setString(2, value);
                 mergeProperty.executeUpdate();
-                } finally {
-                    DBUtils.closeStatement(mergeProperty);
-                }
             } catch (MissingResourceException mre) {
                 // No Merge statement, so doing an Update/Insert...
-                PreparedStatement updateProperty = null;
-                PreparedStatement insertProperty = null;
-                try {
-                    updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
+                final PreparedStatement updateProperty = getPreparedStatement(UPDATE_PROPERTY);
                 updateProperty.setString(1, value);
                 updateProperty.setString(2, key);
                 if (updateProperty.executeUpdate() == 0) {
-                        insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
+                    final PreparedStatement insertProperty = getPreparedStatement(INSERT_PROPERTY);
                     insertProperty.setString(1, key);
                     insertProperty.setString(2, value);
                     insertProperty.executeUpdate();
                 }
-                } finally {
-                    DBUtils.closeStatement(updateProperty);
-                    DBUtils.closeStatement(insertProperty);
-                }
             }
         } catch (SQLException ex) {
             LOGGER.warn("Unable to save property '{}' with a value of '{}' to the database", key, value);
@@ -328,7 +495,7 @@ public class CveDB {
      * @return a list of Vulnerabilities
      * @throws DatabaseException thrown if there is an exception retrieving data
      */
-    public List<Vulnerability> getVulnerabilities(String cpeStr) throws DatabaseException {
+    public synchronized List<Vulnerability> getVulnerabilities(String cpeStr) throws DatabaseException {
         final VulnerableSoftware cpe = new VulnerableSoftware();
         try {
             cpe.parseName(cpeStr);
@@ -336,18 +503,17 @@ public class CveDB {
             LOGGER.trace("", ex);
         }
         final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
-        final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
+        final List<Vulnerability> vulnerabilities = new ArrayList<>();
 
-        PreparedStatement ps = null;
         ResultSet rs = null;
         try {
-            ps = getConnection().prepareStatement(statementBundle.getString("SELECT_CVE_FROM_SOFTWARE"));
+            final PreparedStatement ps = getPreparedStatement(SELECT_CVE_FROM_SOFTWARE);
             ps.setString(1, cpe.getVendor());
             ps.setString(2, cpe.getProduct());
             rs = ps.executeQuery();
             String currentCVE = "";
 
-            final Map<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
+            final Map<String, Boolean> vulnSoftware = new HashMap<>();
             while (rs.next()) {
                 final String cveId = rs.getString(1);
                 if (!currentCVE.equals(cveId)) { //check for match and add
@@ -377,7 +543,6 @@ public class CveDB {
             throw new DatabaseException("Exception retrieving vulnerability for " + cpeStr, ex);
         } finally {
             DBUtils.closeResultSet(rs);
-            DBUtils.closeStatement(ps);
         }
         return vulnerabilities;
     }
@@ -389,17 +554,14 @@ public class CveDB {
      * @return a vulnerability object
      * @throws DatabaseException if an exception occurs
      */
-    public Vulnerability getVulnerability(String cve) throws DatabaseException {
-        PreparedStatement psV = null;
-        PreparedStatement psR = null;
-        PreparedStatement psS = null;
+    public synchronized Vulnerability getVulnerability(String cve) throws DatabaseException {
         ResultSet rsV = null;
         ResultSet rsR = null;
         ResultSet rsS = null;
         Vulnerability vuln = null;
 
         try {
-            psV = getConnection().prepareStatement(statementBundle.getString("SELECT_VULNERABILITY"));
+            final PreparedStatement psV = getPreparedStatement(SELECT_VULNERABILITY);
             psV.setString(1, cve);
             rsV = psV.executeQuery();
             if (rsV.next()) {
@@ -423,13 +585,14 @@ public class CveDB {
                 vuln.setCvssIntegrityImpact(rsV.getString(9));
                 vuln.setCvssAvailabilityImpact(rsV.getString(10));
 
-                psR = getConnection().prepareStatement(statementBundle.getString("SELECT_REFERENCES"));
+                final PreparedStatement psR = getPreparedStatement(SELECT_REFERENCES);
                 psR.setInt(1, cveId);
                 rsR = psR.executeQuery();
                 while (rsR.next()) {
                     vuln.addReference(rsR.getString(1), rsR.getString(2), rsR.getString(3));
                 }
-                psS = getConnection().prepareStatement(statementBundle.getString("SELECT_SOFTWARE"));
+
+                final PreparedStatement psS = getPreparedStatement(SELECT_SOFTWARE);
                 psS.setInt(1, cveId);
                 rsS = psS.executeQuery();
                 while (rsS.next()) {
@@ -448,9 +611,6 @@ public class CveDB {
             DBUtils.closeResultSet(rsV);
             DBUtils.closeResultSet(rsR);
             DBUtils.closeResultSet(rsS);
-            DBUtils.closeStatement(psV);
-            DBUtils.closeStatement(psR);
-            DBUtils.closeStatement(psS);
         }
         return vuln;
     }
@@ -462,53 +622,32 @@ public class CveDB {
      * @param vuln the vulnerability to add to the database
      * @throws DatabaseException is thrown if the database
      */
-    public void updateVulnerability(Vulnerability vuln) throws DatabaseException {
-        PreparedStatement selectVulnerabilityId = null;
-        PreparedStatement deleteVulnerability = null;
-        PreparedStatement deleteReferences = null;
-        PreparedStatement deleteSoftware = null;
-        PreparedStatement updateVulnerability = null;
-        PreparedStatement insertVulnerability = null;
-        PreparedStatement insertReference = null;
-        PreparedStatement selectCpeId = null;
-        PreparedStatement insertCpe = null;
-        PreparedStatement insertSoftware = null;
-
+    public synchronized void updateVulnerability(Vulnerability vuln) throws DatabaseException {
         try {
-            selectVulnerabilityId = getConnection().prepareStatement(statementBundle.getString("SELECT_VULNERABILITY_ID"));
-            deleteVulnerability = getConnection().prepareStatement(statementBundle.getString("DELETE_VULNERABILITY"));
-            deleteReferences = getConnection().prepareStatement(statementBundle.getString("DELETE_REFERENCE"));
-            deleteSoftware = getConnection().prepareStatement(statementBundle.getString("DELETE_SOFTWARE"));
-            updateVulnerability = getConnection().prepareStatement(statementBundle.getString("UPDATE_VULNERABILITY"));
-            final String[] ids = {"id"};
-            insertVulnerability = getConnection().prepareStatement(statementBundle.getString("INSERT_VULNERABILITY"),
-                    //Statement.RETURN_GENERATED_KEYS);
-                    ids);
-            insertReference = getConnection().prepareStatement(statementBundle.getString("INSERT_REFERENCE"));
-            selectCpeId = getConnection().prepareStatement(statementBundle.getString("SELECT_CPE_ID"));
-            insertCpe = getConnection().prepareStatement(statementBundle.getString("INSERT_CPE"),
-                    //Statement.RETURN_GENERATED_KEYS);
-                    ids);
-            insertSoftware = getConnection().prepareStatement(statementBundle.getString("INSERT_SOFTWARE"));
             int vulnerabilityId = 0;
+            final PreparedStatement selectVulnerabilityId = getPreparedStatement(SELECT_VULNERABILITY_ID);
             selectVulnerabilityId.setString(1, vuln.getName());
             ResultSet rs = selectVulnerabilityId.executeQuery();
             if (rs.next()) {
                 vulnerabilityId = rs.getInt(1);
                 // first delete any existing vulnerability info. We don't know what was updated. yes, slower but atm easier.
-                deleteReferences.setInt(1, vulnerabilityId);
-                deleteReferences.execute();
+                final PreparedStatement deleteReference = getPreparedStatement(DELETE_REFERENCE);
+                deleteReference.setInt(1, vulnerabilityId);
+                deleteReference.execute();
+
+                final PreparedStatement deleteSoftware = getPreparedStatement(DELETE_SOFTWARE);
                 deleteSoftware.setInt(1, vulnerabilityId);
                 deleteSoftware.execute();
             }
             DBUtils.closeResultSet(rs);
-            rs = null;
 
             if (vulnerabilityId != 0) {
                 if (vuln.getDescription().contains("** REJECT **")) {
+                    final PreparedStatement deleteVulnerability = getPreparedStatement(DELETE_VULNERABILITY);
                     deleteVulnerability.setInt(1, vulnerabilityId);
                     deleteVulnerability.executeUpdate();
                 } else {
+                    final PreparedStatement updateVulnerability = getPreparedStatement(UPDATE_VULNERABILITY);
                     updateVulnerability.setString(1, vuln.getDescription());
                     updateVulnerability.setString(2, vuln.getCwe());
                     updateVulnerability.setFloat(3, vuln.getCvssScore());
@@ -522,6 +661,7 @@ public class CveDB {
                     updateVulnerability.executeUpdate();
                 }
             } else {
+                final PreparedStatement insertVulnerability = getPreparedStatement(INSERT_VULNERABILITY);
                 insertVulnerability.setString(1, vuln.getName());
                 insertVulnerability.setString(2, vuln.getDescription());
                 insertVulnerability.setString(3, vuln.getCwe());
@@ -542,29 +682,22 @@ public class CveDB {
                     throw new DatabaseException(msg, ex);
                 } finally {
                     DBUtils.closeResultSet(rs);
-                    rs = null;
                 }
             }
 
+            final PreparedStatement insertReference = getPreparedStatement(INSERT_REFERENCE);
             for (Reference r : vuln.getReferences()) {
                 insertReference.setInt(1, vulnerabilityId);
                 insertReference.setString(2, r.getName());
                 insertReference.setString(3, r.getUrl());
                 insertReference.setString(4, r.getSource());
-
-                if (batchSupported) {
-                    insertReference.addBatch();
-                } else {
                 insertReference.execute();
             }
-            }
-
-            if (batchSupported) {
-                insertReference.executeBatch();
-            }
 
+            final PreparedStatement insertSoftware = getPreparedStatement(INSERT_SOFTWARE);
             for (VulnerableSoftware s : vuln.getVulnerableSoftware()) {
                 int cpeProductId = 0;
+                final PreparedStatement selectCpeId = getPreparedStatement(SELECT_CPE_ID);
                 selectCpeId.setString(1, s.getName());
                 try {
                     rs = selectCpeId.executeQuery();
@@ -575,10 +708,10 @@ public class CveDB {
                     throw new DatabaseException("Unable to get primary key for new cpe: " + s.getName(), ex);
                 } finally {
                     DBUtils.closeResultSet(rs);
-                    rs = null;
                 }
 
                 if (cpeProductId == 0) {
+                    final PreparedStatement insertCpe = getPreparedStatement(INSERT_CPE);
                     insertCpe.setString(1, s.getName());
                     insertCpe.setString(2, s.getVendor());
                     insertCpe.setString(3, s.getProduct());
@@ -597,39 +730,22 @@ public class CveDB {
                 } else {
                     insertSoftware.setString(3, s.getPreviousVersion());
                 }
-                if (batchSupported) {
-                    insertSoftware.addBatch();
-                } else {
                 try {
                     insertSoftware.execute();
                 } catch (SQLException ex) {
                     if (ex.getMessage().contains("Duplicate entry")) {
                         final String msg = String.format("Duplicate software key identified in '%s:%s'", vuln.getName(), s.getName());
-                            LOGGER.debug(msg, ex);
+                        LOGGER.info(msg, ex);
                     } else {
                         throw ex;
                     }
                 }
-                }
-            }
-            if (batchSupported) {
-                insertSoftware.executeBatch();
+
             }
         } catch (SQLException ex) {
             final String msg = String.format("Error updating '%s'", vuln.getName());
             LOGGER.debug(msg, ex);
             throw new DatabaseException(msg, ex);
-        } finally {
-            DBUtils.closeStatement(selectVulnerabilityId);
-            DBUtils.closeStatement(deleteReferences);
-            DBUtils.closeStatement(deleteSoftware);
-            DBUtils.closeStatement(updateVulnerability);
-            DBUtils.closeStatement(deleteVulnerability);
-            DBUtils.closeStatement(insertVulnerability);
-            DBUtils.closeStatement(insertReference);
-            DBUtils.closeStatement(selectCpeId);
-            DBUtils.closeStatement(insertCpe);
-            DBUtils.closeStatement(insertSoftware);
         }
     }
 
@@ -638,18 +754,17 @@ public class CveDB {
      *
      * @return <code>true</code> if data exists; otherwise <code>false</code>
      */
-    public boolean dataExists() {
-        Statement cs = null;
+    public synchronized boolean dataExists() {
         ResultSet rs = null;
         try {
-            cs = conn.createStatement();
-            rs = cs.executeQuery("SELECT COUNT(*) records FROM cpeEntry");
+            final PreparedStatement cs = getPreparedStatement(COUNT_CPE);
+            rs = cs.executeQuery();
             if (rs.next()) {
                 if (rs.getInt(1) > 0) {
                     return true;
                 }
             }
-        } catch (SQLException ex) {
+        } catch (Exception ex) {
             String dd;
             try {
                 dd = Settings.getDataDirectory().getAbsolutePath();
@@ -660,11 +775,10 @@ public class CveDB {
                     + "If the problem persist try deleting the files in '{}' and running {} again. If the problem continues, please "
                     + "create a log file (see documentation at http://jeremylong.github.io/DependencyCheck/) and open a ticket at "
                     + "https://github.com/jeremylong/DependencyCheck/issues and include the log file.\n\n",
-                    dd, dd, Settings.getString(Settings.KEYS.APPLICATION_VAME));
+                    dd, dd, Settings.getString(Settings.KEYS.APPLICATION_NAME));
             LOGGER.debug("", ex);
         } finally {
             DBUtils.closeResultSet(rs);
-            DBUtils.closeStatement(cs);
         }
         return false;
     }
@@ -674,18 +788,15 @@ public class CveDB {
      * updates. This should be called after all updates have been completed to
      * ensure orphan entries are removed.
      */
-    public void cleanupDatabase() {
-        PreparedStatement ps = null;
+    public synchronized void cleanupDatabase() {
         try {
-            ps = getConnection().prepareStatement(statementBundle.getString("CLEANUP_ORPHANS"));
+            final PreparedStatement ps = getPreparedStatement(CLEANUP_ORPHANS);
             if (ps != null) {
                 ps.executeUpdate();
             }
         } catch (SQLException ex) {
             LOGGER.error("An unexpected SQL Exception occurred; please see the verbose log for more details.");
             LOGGER.debug("", ex);
-        } finally {
-            DBUtils.closeStatement(ps);
         }
     }
 
@@ -703,12 +814,12 @@ public class CveDB {
      * analyzed
      * @return true if the identified version is affected, otherwise false
      */
-    Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
+    protected Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
             DependencyVersion identifiedVersion) {
 
         final boolean isVersionTwoADifferentProduct = "apache".equals(vendor) && "struts".equals(product);
 
-        final Set<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
+        final Set<String> majorVersionsAffectingAllPrevious = new HashSet<>();
         final boolean matchesAnyPrevious = identifiedVersion == null || "-".equals(identifiedVersion.toString());
         String majorVersionMatch = null;
         for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
@@ -737,12 +848,12 @@ public class CveDB {
             if (!entry.getValue()) {
                 final DependencyVersion v = parseDependencyVersion(entry.getKey());
                 //this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
-                if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
+                if (canSkipVersions && majorVersionMatch != null && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
                     continue;
                 }
                 //this can't dereference a null 'identifiedVersion' because if it was null we would have exited
                 //in the above loop or just after loop (if matchesAnyPrevious return null).
-                if (identifiedVersion.equals(v)) {
+                if (identifiedVersion != null && identifiedVersion.equals(v)) {
                     return entry;
                 }
             }
@@ -751,12 +862,12 @@ public class CveDB {
             if (entry.getValue()) {
                 final DependencyVersion v = parseDependencyVersion(entry.getKey());
                 //this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
-                if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
+                if (canSkipVersions && majorVersionMatch != null && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
                     continue;
                 }
                 //this can't dereference a null 'identifiedVersion' because if it was null we would have exited
                 //in the above loop or just after loop (if matchesAnyPrevious return null).
-                if (entry.getValue() && identifiedVersion.compareTo(v) <= 0) {
+                if (entry.getValue() && identifiedVersion != null && identifiedVersion.compareTo(v) <= 0) {
                     if (!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
                         return entry;
                     }
@@ -812,15 +923,15 @@ public class CveDB {
      *
      * Deletes unused dictionary entries from the database.
      */
-    public void deleteUnusedCpe() {
-        CallableStatement cs = null;
+    public synchronized void deleteUnusedCpe() {
+        PreparedStatement ps = null;
         try {
-            cs = getConnection().prepareCall(statementBundle.getString("DELETE_UNUSED_DICT_CPE"));
-            cs.executeUpdate();
+            ps = connection.prepareStatement(statementBundle.getString("DELETE_UNUSED_DICT_CPE"));
+            ps.executeUpdate();
         } catch (SQLException ex) {
             LOGGER.error("Unable to delete CPE dictionary entries", ex);
         } finally {
-            DBUtils.closeStatement(cs);
+            DBUtils.closeStatement(ps);
         }
     }
 
@@ -834,10 +945,10 @@ public class CveDB {
      * @param vendor the CPE vendor
      * @param product the CPE product
      */
-    public void addCpe(String cpe, String vendor, String product) {
+    public synchronized void addCpe(String cpe, String vendor, String product) {
         PreparedStatement ps = null;
         try {
-            ps = getConnection().prepareCall(statementBundle.getString("ADD_DICT_CPE"));
+            ps = connection.prepareStatement(statementBundle.getString("ADD_DICT_CPE"));
             ps.setString(1, cpe);
             ps.setString(2, vendor);
             ps.setString(3, product);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -17,13 +17,14 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
-import java.text.DateFormat;
-import java.text.SimpleDateFormat;
-import java.util.Date;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.TreeMap;
+import javax.annotation.concurrent.ThreadSafe;
+import org.joda.time.DateTime;
+import org.joda.time.format.DateTimeFormat;
+import org.joda.time.format.DateTimeFormatter;
 import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.slf4j.Logger;
@@ -31,9 +32,11 @@ import org.slf4j.LoggerFactory;
 
 /**
  * This is a wrapper around a set of properties that are stored in the database.
+ * This class is safe to be accessed from multiple threads in parallel.
  *
  * @author Jeremy Long
  */
+@ThreadSafe
 public class DatabaseProperties {
 
     /**
@@ -41,21 +44,24 @@ public class DatabaseProperties {
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(DatabaseProperties.class);
     /**
-     * Modified key word, used as a key to store information about the modified file (i.e. the containing the last 8 days of
-     * updates)..
+     * Modified key word, used as a key to store information about the modified
+     * file (i.e. the containing the last 8 days of updates)..
      */
     public static final String MODIFIED = "Modified";
     /**
-     * The properties file key for the last checked field - used to store the last check time of the Modified NVD CVE xml file.
+     * The properties file key for the last checked field - used to store the
+     * last check time of the Modified NVD CVE xml file.
      */
     public static final String LAST_CHECKED = "NVD CVE Checked";
     /**
-     * The properties file key for the last updated field - used to store the last updated time of the Modified NVD CVE xml file.
+     * The properties file key for the last updated field - used to store the
+     * last updated time of the Modified NVD CVE xml file.
      */
     public static final String LAST_UPDATED = "NVD CVE Modified";
     /**
-     * Stores the last updated time for each of the NVD CVE files. These timestamps should be updated if we process the modified
-     * file within 7 days of the last update.
+     * Stores the last updated time for each of the NVD CVE files. These
+     * timestamps should be updated if we process the modified file within 7
+     * days of the last update.
      */
     public static final String LAST_UPDATED_BASE = "NVD CVE ";
     /**
@@ -121,7 +127,8 @@ public class DatabaseProperties {
     }
 
     /**
-     * Returns the property value for the given key. If the key is not contained in the underlying properties null is returned.
+     * Returns the property value for the given key. If the key is not contained
+     * in the underlying properties null is returned.
      *
      * @param key the property key
      * @return the value of the property
@@ -131,8 +138,8 @@ public class DatabaseProperties {
     }
 
     /**
-     * Returns the property value for the given key. If the key is not contained in the underlying properties the default value is
-     * returned.
+     * Returns the property value for the given key. If the key is not contained
+     * in the underlying properties the default value is returned.
      *
      * @param key the property key
      * @param defaultValue the default value
@@ -152,22 +159,26 @@ public class DatabaseProperties {
     }
 
     /**
-     * Returns a map of the meta data from the database properties. This primarily contains timestamps of when the NVD CVE
-     * information was last updated.
+     * Returns a map of the meta data from the database properties. This
+     * primarily contains timestamps of when the NVD CVE information was last
+     * updated.
      *
      * @return a map of the database meta data
      */
     public Map<String, String> getMetaData() {
-        final Map<String, String> map = new TreeMap<String, String>();
+        final Map<String, String> map = new TreeMap<>();
         for (Entry<Object, Object> entry : properties.entrySet()) {
             final String key = (String) entry.getKey();
             if (!"version".equals(key)) {
                 if (key.startsWith("NVD CVE ")) {
                     try {
                         final long epoch = Long.parseLong((String) entry.getValue());
-                        final Date date = new Date(epoch);
-                        final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
-                        final String formatted = format.format(date);
+                        final DateTime date = new DateTime(epoch);
+                        final DateTimeFormatter format = DateTimeFormat.forPattern("dd/MM/yyyy HH:mm:ss");
+                        final String formatted = format.print(date);
+//                        final Date date = new Date(epoch);
+//                        final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
+//                        final String formatted = format.format(date);
                         map.put(key, formatted);
                     } catch (Throwable ex) { //deliberately being broad in this catch clause
                         LOGGER.debug("Unable to parse timestamp from DB", ex);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java

@@ -75,7 +75,7 @@ public final class DriverLoader {
      */
     public static Driver load(String className, String pathToDriver) throws DriverLoadException {
         final URLClassLoader parent = (URLClassLoader) ClassLoader.getSystemClassLoader();
-        final List<URL> urls = new ArrayList<URL>();
+        final List<URL> urls = new ArrayList<>();
         final String[] paths = pathToDriver.split(File.pathSeparator);
         for (String path : paths) {
             final File file = new File(path);
@@ -129,19 +129,7 @@ public final class DriverLoader {
             //using the DriverShim to get around the fact that the DriverManager won't register a driver not in the base class path
             DriverManager.registerDriver(shim);
             return shim;
-        } catch (ClassNotFoundException ex) {
-            final String msg = String.format("Unable to load database driver '%s'", className);
-            LOGGER.debug(msg, ex);
-            throw new DriverLoadException(msg, ex);
-        } catch (InstantiationException ex) {
-            final String msg = String.format("Unable to load database driver '%s'", className);
-            LOGGER.debug(msg, ex);
-            throw new DriverLoadException(msg, ex);
-        } catch (IllegalAccessException ex) {
-            final String msg = String.format("Unable to load database driver '%s'", className);
-            LOGGER.debug(msg, ex);
-            throw new DriverLoadException(msg, ex);
-        } catch (SQLException ex) {
+        } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | SQLException ex) {
             final String msg = String.format("Unable to load database driver '%s'", className);
             LOGGER.debug(msg, ex);
             throw new DriverLoadException(msg, ex);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverShim.java

@@ -115,7 +115,6 @@ class DriverShim implements Driver {
      * @throws SQLFeatureNotSupportedException thrown if the feature is not supported
      * @see java.sql.Driver#getParentLogger()
      */
-    @Override
     public java.util.logging.Logger getParentLogger() throws SQLFeatureNotSupportedException {
         //return driver.getParentLogger();
         Method m = null;
@@ -127,11 +126,7 @@ class DriverShim implements Driver {
         if (m != null) {
             try {
                 return (java.util.logging.Logger) m.invoke(m);
-            } catch (IllegalAccessException ex) {
-                LOGGER.trace("", ex);
-            } catch (IllegalArgumentException ex) {
-                LOGGER.trace("", ex);
-            } catch (InvocationTargetException ex) {
+            } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
                 LOGGER.trace("", ex);
             }
         }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/BaseUpdater.java

@@ -1,88 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.data.update;
-
-import org.owasp.dependencycheck.data.nvdcve.CveDB;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- *
- * @author Jeremy Long
- */
-public abstract class BaseUpdater {
-
-    /**
-     * Static logger.
-     */
-    private static final Logger LOGGER = LoggerFactory.getLogger(BaseUpdater.class);
-    /**
-     * Information about the timestamps and URLs for data that needs to be updated.
-     */
-    private DatabaseProperties properties;
-    /**
-     * Reference to the Cve Database.
-     */
-    private CveDB cveDB = null;
-
-    protected CveDB getCveDB() {
-        return cveDB;
-    }
-
-    protected DatabaseProperties getProperties() {
-        return properties;
-    }
-
-    /**
-     * Closes the CVE and CPE data stores.
-     */
-    protected void closeDataStores() {
-        if (cveDB != null) {
-            try {
-                cveDB.close();
-                cveDB = null;
-                properties = null;
-            } catch (Throwable ignore) {
-                LOGGER.trace("Error closing the database", ignore);
-            }
-        }
-    }
-
-    /**
-     * Opens the data store.
-     *
-     * @throws UpdateException thrown if a data store cannot be opened
-     */
-    protected final void openDataStores() throws UpdateException {
-        if (cveDB != null) {
-            return;
-        }
-        try {
-            cveDB = new CveDB();
-            cveDB.open();
-            properties = cveDB.getDatabaseProperties();
-        } catch (DatabaseException ex) {
-            closeDataStores();
-            LOGGER.debug("Database Exception opening databases", ex);
-            throw new UpdateException("Error updating the database, please see the log file for more details.");
-        }
-    }
-}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java

@@ -16,20 +16,14 @@
  * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.update;
-
+/*
 import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.List;
-import java.util.zip.GZIPInputStream;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
-import org.apache.commons.io.FileUtils;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.LAST_CPE_UPDATE;
 import org.owasp.dependencycheck.data.update.cpe.CPEHandler;
 import org.owasp.dependencycheck.data.update.cpe.Cpe;
@@ -37,164 +31,132 @@ import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ExtractionUtil;
 import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.XmlUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.SAXException;
-
+*/
 /**
  *
- * This class is currently unused and if enabled will likely not work on MySQL as the MERGE statement is used.
+ * This class is currently unused and if enabled will likely not work on MySQL
+ * as the MERGE statement is used.
  *
- * The CpeUpdater is designed to download the CPE data file from NIST and import the data into the database. However, as this
- * currently adds no beneficial data, compared to what is in the CPE data contained in the CVE data files, this class is not
- * currently used. The code is being kept as a future update may utilize more data from the CPE xml files.
+ * The CpeUpdater is designed to download the CPE data file from NIST and import
+ * the data into the database. However, as this currently adds no beneficial
+ * data, compared to what is in the CPE data contained in the CVE data files,
+ * this class is not currently used. The code is being kept as a future update
+ * may utilize more data from the CPE XML files.
  *
+ * @deprecated the CPE updater is not currently used.
  * @author Jeremy Long
  */
-public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
-
-    /**
-     * Static logger.
-     */
-    private static final Logger LOGGER = LoggerFactory.getLogger(CpeUpdater.class);
-
-    @Override
-    public void update() throws UpdateException {
-        try {
-            openDataStores();
-            if (updateNeeded()) {
-                LOGGER.info("Updating the Common Platform Enumeration (CPE)");
-                final File xml = downloadCpe();
-                final List<Cpe> cpes = processXML(xml);
-                getCveDB().deleteUnusedCpe();
-                for (Cpe cpe : cpes) {
-                    getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct());
-                }
-                final long now = System.currentTimeMillis();
-                getProperties().save(LAST_CPE_UPDATE, Long.toString(now));
-                LOGGER.info("CPE update complete");
-            }
-        } finally {
-            closeDataStores();
-        }
-    }
-
-    /**
-     * Downloads the CPE XML file.
-     *
-     * @return the file reference to the CPE.xml file
-     * @throws UpdateException thrown if there is an issue downloading the XML file
-     */
-    private File downloadCpe() throws UpdateException {
-        File xml;
-        final URL url;
-        try {
-            url = new URL(Settings.getString(Settings.KEYS.CPE_URL));
-            xml = File.createTempFile("cpe", ".xml", Settings.getTempDirectory());
-            Downloader.fetchFile(url, xml);
-            if (url.toExternalForm().endsWith(".xml.gz")) {
-                extractGzip(xml);
-            }
-
-        } catch (MalformedURLException ex) {
-            throw new UpdateException("Invalid CPE URL", ex);
-        } catch (DownloadFailedException ex) {
-            throw new UpdateException("Unable to download CPE XML file", ex);
-        } catch (IOException ex) {
-            throw new UpdateException("Unable to create temporary file to download CPE", ex);
-        }
-        return xml;
-    }
-
-    /**
-     * Parses the CPE XML file to return a list of CPE entries.
-     *
-     * @param xml the CPE data file
-     * @return the list of CPE entries
-     * @throws UpdateException thrown if there is an issue with parsing the XML file
-     */
-    private List<Cpe> processXML(final File xml) throws UpdateException {
-        try {
-            final SAXParserFactory factory = SAXParserFactory.newInstance();
-            final SAXParser saxParser = factory.newSAXParser();
-            final CPEHandler handler = new CPEHandler();
-            saxParser.parse(xml, handler);
-            return handler.getData();
-        } catch (ParserConfigurationException ex) {
-            throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Issue", ex);
-        } catch (SAXException ex) {
-            throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Exception", ex);
-        } catch (IOException ex) {
-            throw new UpdateException("Unable to parse CPE XML file due to IO Failure", ex);
-        }
-    }
-
-    /**
-     * Checks to find the last time the CPE data was refreshed and if it needs to be updated.
-     *
-     * @return true if the CPE data should be refreshed
-     */
-    private boolean updateNeeded() {
-        final long now = System.currentTimeMillis();
-        final int days = Settings.getInt(Settings.KEYS.CPE_MODIFIED_VALID_FOR_DAYS, 30);
-        long timestamp = 0;
-        final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
-        if (ts != null && ts.matches("^[0-9]+$")) {
-            timestamp = Long.parseLong(ts);
-        }
-        return !DateUtil.withinDateRange(timestamp, now, days);
-    }
-
-    /**
-     * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
-     *
-     * @param file the archive file
-     * @throws FileNotFoundException thrown if the file does not exist
-     * @throws IOException thrown if there is an error extracting the file.
-     */
-    private void extractGzip(File file) throws FileNotFoundException, IOException {
-        //TODO - move this to a util class as it is duplicative of (copy of) code in the DownloadTask
-        final String originalPath = file.getPath();
-        final File gzip = new File(originalPath + ".gz");
-        if (gzip.isFile() && !gzip.delete()) {
-            gzip.deleteOnExit();
-        }
-        if (!file.renameTo(gzip)) {
-            throw new IOException("Unable to rename '" + file.getPath() + "'");
-        }
-        final File newfile = new File(originalPath);
-
-        final byte[] buffer = new byte[4096];
-
-        GZIPInputStream cin = null;
-        FileOutputStream out = null;
-        try {
-            cin = new GZIPInputStream(new FileInputStream(gzip));
-            out = new FileOutputStream(newfile);
-
-            int len;
-            while ((len = cin.read(buffer)) > 0) {
-                out.write(buffer, 0, len);
-            }
-        } finally {
-            if (cin != null) {
-                try {
-                    cin.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("ignore", ex);
-                }
-            }
-            if (out != null) {
-                try {
-                    out.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("ignore", ex);
-                }
-            }
-            if (gzip.isFile()) {
-                FileUtils.deleteQuietly(gzip);
-            }
-        }
-    }
+@Deprecated
+public class CpeUpdater { //extends BaseUpdater implements CachedWebDataSource {
+//
+//    /**
+//     * Static logger.
+//     */
+//    private static final Logger LOGGER = LoggerFactory.getLogger(CpeUpdater.class);
+//
+//    @Override
+//    public void update() throws UpdateException {
+//        /*
+//        //the following could be used if this were ever used.
+//        try {
+//            if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
+//                return;
+//            }
+//        } catch (InvalidSettingException ex) {
+//            LOGGER.trace("invalid setting UPDATE_NVDCVE_ENABLED", ex);
+//        }
+//         */
+//
+//        try {
+//            openDataStores();
+//            if (updateNeeded()) {
+//                LOGGER.info("Updating the Common Platform Enumeration (CPE)");
+//                final File xml = downloadCpe();
+//                final List<Cpe> cpes = processXML(xml);
+//                getCveDB().deleteUnusedCpe();
+//                for (Cpe cpe : cpes) {
+//                    getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct());
+//                }
+//                final long now = System.currentTimeMillis();
+//                getProperties().save(LAST_CPE_UPDATE, Long.toString(now));
+//                LOGGER.info("CPE update complete");
+//            }
+//        } finally {
+//            closeDataStores();
+//        }
+//    }
+//
+//    /**
+//     * Downloads the CPE XML file.
+//     *
+//     * @return the file reference to the CPE.xml file
+//     * @throws UpdateException thrown if there is an issue downloading the XML
+//     * file
+//     */
+//    private File downloadCpe() throws UpdateException {
+//        File xml;
+//        final URL url;
+//        try {
+//            url = new URL(Settings.getString(Settings.KEYS.CPE_URL));
+//            xml = File.createTempFile("cpe", ".xml", Settings.getTempDirectory());
+//            Downloader.fetchFile(url, xml);
+//            if (url.toExternalForm().endsWith(".xml.gz")) {
+//                ExtractionUtil.extractGzip(xml);
+//            }
+//
+//        } catch (MalformedURLException ex) {
+//            throw new UpdateException("Invalid CPE URL", ex);
+//        } catch (DownloadFailedException ex) {
+//            throw new UpdateException("Unable to download CPE XML file", ex);
+//        } catch (IOException ex) {
+//            throw new UpdateException("Unable to create temporary file to download CPE", ex);
+//        }
+//        return xml;
+//    }
+//
+//    /**
+//     * Parses the CPE XML file to return a list of CPE entries.
+//     *
+//     * @param xml the CPE data file
+//     * @return the list of CPE entries
+//     * @throws UpdateException thrown if there is an issue with parsing the XML
+//     * file
+//     */
+//    private List<Cpe> processXML(final File xml) throws UpdateException {
+//        try {
+//            final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
+//            final CPEHandler handler = new CPEHandler();
+//            saxParser.parse(xml, handler);
+//            return handler.getData();
+//        } catch (ParserConfigurationException ex) {
+//            throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Issue", ex);
+//        } catch (SAXException ex) {
+//            throw new UpdateException("Unable to parse CPE XML file due to SAX Parser Exception", ex);
+//        } catch (IOException ex) {
+//            throw new UpdateException("Unable to parse CPE XML file due to IO Failure", ex);
+//        }
+//    }
+//
+//    /**
+//     * Checks to find the last time the CPE data was refreshed and if it needs
+//     * to be updated.
+//     *
+//     * @return true if the CPE data should be refreshed
+//     */
+//    private boolean updateNeeded() {
+//        final long now = System.currentTimeMillis();
+//        final int days = Settings.getInt(Settings.KEYS.CPE_MODIFIED_VALID_FOR_DAYS, 30);
+//        long timestamp = 0;
+//        final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
+//        if (ts != null && ts.matches("^[0-9]+$")) {
+//            timestamp = Long.parseLong(ts);
+//        }
+//        return !DateUtil.withinDateRange(timestamp, now, days);
+//    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java

@@ -36,6 +36,10 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
+ * Checks the gh-pages dependency-check site to determine the current released
+ * version number. If the released version number is greater than the running
+ * version number a warning is printed recommending that an upgrade be
+ * performed.
  *
  * @author Jeremy Long
  */
@@ -54,17 +58,14 @@ public class EngineVersionCheck implements CachedWebDataSource {
      */
     public static final String CURRENT_ENGINE_RELEASE = "CurrentEngineRelease";
     /**
-     * Reference to the Cve Database.
-     */
-    private CveDB cveDB = null;
-
-    /**
-     * The version retrieved from the database properties or web to check against.
+     * The version retrieved from the database properties or web to check
+     * against.
      */
     private String updateToVersion;
 
     /**
-     * Getter for updateToVersion - only used for testing. Represents the version retrieved from the database.
+     * Getter for updateToVersion - only used for testing. Represents the
+     * version retrieved from the database.
      *
      * @return the version to test
      */
@@ -73,7 +74,8 @@ public class EngineVersionCheck implements CachedWebDataSource {
     }
 
     /**
-     * Setter for updateToVersion - only used for testing. Represents the version retrieved from the database.
+     * Setter for updateToVersion - only used for testing. Represents the
+     * version retrieved from the database.
      *
      * @param version the version to test
      */
@@ -81,14 +83,31 @@ public class EngineVersionCheck implements CachedWebDataSource {
         updateToVersion = version;
     }
 
+    /**
+     * Downloads the current released version number and compares it to the
+     * running engine's version number. If the released version number is newer
+     * a warning is printed recommending an upgrade.
+     *
+     * @throws UpdateException thrown if the local database properties could not
+     * be updated
+     */
     @Override
     public void update() throws UpdateException {
-
-        try {
-            if (Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)) {
-                openDatabase();
+        try (CveDB db = CveDB.getInstance()) {
+            final boolean autoupdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE, true);
+            final boolean enabled = Settings.getBoolean(Settings.KEYS.UPDATE_VERSION_CHECK_ENABLED, true);
+            final String original = Settings.getString(Settings.KEYS.CVE_ORIGINAL_MODIFIED_20_URL);
+            final String current = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
+            /*
+             * Only update if auto-update is enabled, the engine check is
+             * enabled, and the NVD CVE URLs have not been modified (i.e. the
+             * user has not configured them to point to an internal source).
+             */
+            if (enabled && autoupdate && original != null && original.equals(current)) {
                 LOGGER.debug("Begin Engine Version Check");
-                final DatabaseProperties properties = cveDB.getDatabaseProperties();
+
+                final DatabaseProperties properties = db.getDatabaseProperties();
+
                 final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
                 final long now = System.currentTimeMillis();
                 updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
@@ -104,25 +123,24 @@ public class EngineVersionCheck implements CachedWebDataSource {
             }
         } catch (DatabaseException ex) {
             LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
-            throw new UpdateException("Error occured updating database properties.");
+            throw new UpdateException("Error occurred updating database properties.");
         } catch (InvalidSettingException ex) {
             LOGGER.debug("Unable to determine if autoupdate is enabled", ex);
-        } finally {
-            closeDatabase();
-
         }
     }
 
     /**
-     * Determines if a new version of the dependency-check engine has been released.
+     * Determines if a new version of the dependency-check engine has been
+     * released.
      *
      * @param lastChecked the epoch time of the last version check
      * @param now the current epoch time
      * @param properties the database properties object
      * @param currentVersion the current version of dependency-check
-     * @return <code>true</code> if a newer version of the database has been released; otherwise <code>false</code>
-     * @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the local
-     * database.
+     * @return <code>true</code> if a newer version of the database has been
+     * released; otherwise <code>false</code>
+     * @throws UpdateException thrown if there is an error connecting to the
+     * github documentation site or accessing the local database.
      */
     protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
             String currentVersion) throws UpdateException {
@@ -158,34 +176,8 @@ public class EngineVersionCheck implements CachedWebDataSource {
     }
 
     /**
-     * Opens the CVE and CPE data stores.
-     *
-     * @throws DatabaseException thrown if a data store cannot be opened
-     */
-    protected final void openDatabase() throws DatabaseException {
-        if (cveDB != null) {
-            return;
-        }
-        cveDB = new CveDB();
-        cveDB.open();
-    }
-
-    /**
-     * Closes the CVE and CPE data stores.
-     */
-    protected void closeDatabase() {
-        if (cveDB != null) {
-            try {
-                cveDB.close();
-                cveDB = null;
-            } catch (Throwable ignore) {
-                LOGGER.trace("Error closing the cveDB", ignore);
-            }
-        }
-    }
-
-    /**
-     * Retrieves the current released version number from the github documentation site.
+     * Retrieves the current released version number from the github
+     * documentation site.
      *
      * @return the current released version number
      */
@@ -204,11 +196,11 @@ public class EngineVersionCheck implements CachedWebDataSource {
                 return releaseVersion.trim();
             }
         } catch (MalformedURLException ex) {
-            LOGGER.debug("unable to retrieve current release version of dependency-check", ex);
+            LOGGER.debug("Unable to retrieve current release version of dependency-check - malformed url?");
         } catch (URLConnectionFailureException ex) {
-            LOGGER.debug("unable to retrieve current release version of dependency-check", ex);
+            LOGGER.debug("Unable to retrieve current release version of dependency-check - connection failed");
         } catch (IOException ex) {
-            LOGGER.debug("unable to retrieve current release version of dependency-check", ex);
+            LOGGER.debug("Unable to retrieve current release version of dependency-check - i/o exception");
         } finally {
             if (conn != null) {
                 conn.disconnect();

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -17,14 +17,26 @@
  */
 package org.owasp.dependencycheck.data.update;
 
+import java.io.File;
+import java.io.IOException;
+import java.io.RandomAccessFile;
 import java.net.MalformedURLException;
 import java.util.Calendar;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
+import java.net.URL;
+import java.nio.channels.FileLock;
+import java.util.Date;
+import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -36,6 +48,7 @@ import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
 import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
 import org.owasp.dependencycheck.utils.DateUtil;
+import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
@@ -47,46 +60,99 @@ import org.slf4j.LoggerFactory;
  *
  * @author Jeremy Long
  */
-public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
+public class NvdCveUpdater implements CachedWebDataSource {
 
     /**
-     * The logger
+     * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(NvdCveUpdater.class);
     /**
-     * The max thread pool size to use when downloading files.
+     * The thread pool size to use for CPU-intense tasks.
      */
-    public static final int MAX_THREAD_POOL_SIZE = Settings.getInt(Settings.KEYS.MAX_DOWNLOAD_THREAD_POOL_SIZE, 3);
+    private static final int PROCESSING_THREAD_POOL_SIZE = Runtime.getRuntime().availableProcessors();
+    /**
+     * The thread pool size to use when downloading files.
+     */
+    private static final int DOWNLOAD_THREAD_POOL_SIZE = Math.round(1.5f * Runtime.getRuntime().availableProcessors());
+    /**
+     * ExecutorService for CPU-intense processing tasks.
+     */
+    private ExecutorService processingExecutorService = null;
+    /**
+     * ExecutorService for tasks that involve blocking activities and are not
+     * very CPU-intense, e.g. downloading files.
+     */
+    private ExecutorService downloadExecutorService = null;
+
+    /**
+     * Reference to the DAO.
+     */
+    private CveDB cveDb = null;
+    /**
+     * The properties obtained from the database.
+     */
+    private DatabaseProperties dbProperties = null;
 
     /**
-     * <p>
      * Downloads the latest NVD CVE XML file from the web and imports it into
-     * the current CVE Database.</p>
+     * the current CVE Database. A lock on a file is obtained in an attempt to
+     * prevent more then one thread/JVM from updating the database at the same
+     * time. This method may sleep upto 5 minutes.
      *
      * @throws UpdateException is thrown if there is an error updating the
      * database
      */
     @Override
-    public void update() throws UpdateException {
-        try {
-            openDataStores();
-            boolean autoUpdate = true;
-            try {
-                autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
-            } catch (InvalidSettingException ex) {
-                LOGGER.debug("Invalid setting for auto-update; using true.");
+    public synchronized void update() throws UpdateException {
+        if (isUpdateConfiguredFalse()) {
+            return;
         }
-            if (autoUpdate && checkUpdate()) {
+        FileLock lock = null;
+        RandomAccessFile ulFile = null;
+        File lockFile = null;
+        try {
+            if (ConnectionFactory.isH2Connection()) {
+                final File dir = Settings.getDataDirectory();
+                lockFile = new File(dir, "odc.update.lock");
+                if (lockFile.isFile() && getFileAge(lockFile) > 5 && !lockFile.delete()) {
+                    LOGGER.warn("An old db update lock file was found but the system was unable to delete the file. Consider manually deleting " + lockFile.getAbsolutePath());
+                }
+                int ctr = 0;
+                do {
+                    try {
+                        if (!lockFile.exists() && lockFile.createNewFile()) {
+                            ulFile = new RandomAccessFile(lockFile, "rw");
+                            lock = ulFile.getChannel().lock();
+                        }
+                    } catch (IOException ex) {
+                        LOGGER.trace("Expected error as another thread has likely locked the file", ex);
+                    }
+                    if (lock == null || !lock.isValid()) {
+                        try {
+                            LOGGER.debug(String.format("Sleeping thread %s for 5 seconds because we could not obtain the update lock.", Thread.currentThread().getName()));
+                            Thread.sleep(5000);
+                        } catch (InterruptedException ex) {
+                            LOGGER.trace("ignorable error, sleep was interrupted.", ex);
+                        }
+                    }
+                } while (++ctr < 60 && (lock == null || !lock.isValid()));
+                if (lock == null || !lock.isValid()) {
+                    throw new UpdateException("Unable to obtain the update lock, skipping the database update. Skippinig the database update.");
+                }
+            }
+            initializeExecutorServices();
+            cveDb = CveDB.getInstance();
+            dbProperties = cveDb.getDatabaseProperties();
+
+            if (checkUpdate()) {
                 final UpdateableNvdCve updateable = getUpdatesNeeded();
-                getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis()));
                 if (updateable.isUpdateNeeded()) {
                     performUpdate(updateable);
                 }
+                dbProperties.save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis()));
             }
         } catch (MalformedURLException ex) {
-            LOGGER.warn(
-                    "NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.");
-            LOGGER.debug("", ex);
+            throw new UpdateException("NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.", ex);
         } catch (DownloadFailedException ex) {
             LOGGER.warn(
                     "Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.");
@@ -94,9 +160,89 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
                 LOGGER.info(
                         "If you are behind a proxy you may need to configure dependency-check to use the proxy.");
             }
-            LOGGER.debug("", ex);
+            throw new UpdateException("Unable to download the NVD CVE data.", ex);
+        } catch (DatabaseException ex) {
+            throw new UpdateException("Database Exception, unable to update the data to use the most current data.", ex);
+        } catch (IOException ex) {
+            throw new UpdateException("Database Exception", ex);
         } finally {
-            closeDataStores();
+            shutdownExecutorServices();
+            cveDb.close();
+            if (lock != null) {
+                try {
+                    lock.release();
+                } catch (IOException ex) {
+                    LOGGER.trace("Ignorable exception", ex);
+                }
+            }
+            if (ulFile != null) {
+                try {
+                    ulFile.close();
+                } catch (IOException ex) {
+                    LOGGER.trace("Ignorable exception", ex);
+                }
+            }
+            if (lockFile != null) {
+                lockFile.delete();
+            }
+        }
+    }
+
+    /**
+     * Checks if the system is configured NOT to update.
+     *
+     * @return false if the system is configured to perform an update; otherwise
+     * true
+     */
+    private boolean isUpdateConfiguredFalse() {
+        try {
+            if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
+                return true;
+            }
+        } catch (InvalidSettingException ex) {
+            LOGGER.trace("invalid setting UPDATE_NVDCVE_ENABLED", ex);
+        }
+        boolean autoUpdate = true;
+        try {
+            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+        } catch (InvalidSettingException ex) {
+            LOGGER.debug("Invalid setting for auto-update; using true.");
+        }
+        return !autoUpdate;
+    }
+
+    /**
+     * Returns the age of the file in minutes.
+     *
+     * @param file the file to calculate the age
+     * @return the age of the file
+     */
+    private long getFileAge(File file) {
+        final Date d = new Date();
+        final long modified = file.lastModified();
+        return (d.getTime() - modified) / 1000 / 60;
+    }
+
+    /**
+     * Initialize the executor services for download and processing of the NVD
+     * CVE XML data.
+     */
+    protected void initializeExecutorServices() {
+        processingExecutorService = Executors.newFixedThreadPool(PROCESSING_THREAD_POOL_SIZE);
+        downloadExecutorService = Executors.newFixedThreadPool(DOWNLOAD_THREAD_POOL_SIZE);
+        LOGGER.debug("#download   threads: {}", DOWNLOAD_THREAD_POOL_SIZE);
+        LOGGER.debug("#processing threads: {}", PROCESSING_THREAD_POOL_SIZE);
+    }
+
+    /**
+     * Shutdown and cleanup of resources used by the executor services.
+     */
+    private void shutdownExecutorServices() {
+        if (processingExecutorService != null) {
+            processingExecutorService.shutdownNow();
+        }
+        if (downloadExecutorService != null) {
+            downloadExecutorService.shutdownNow();
         }
     }
 
@@ -107,9 +253,9 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
      * checking again. A database property stores the timestamp of the last
      * check.
      *
-     * @return true to proceed with the check, or false to skip.
+     * @return true to proceed with the check, or false to skip
      * @throws UpdateException thrown when there is an issue checking for
-     * updates.
+     * updates
      */
     private boolean checkUpdate() throws UpdateException {
         boolean proceed = true;
@@ -118,7 +264,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         if (dataExists() && 0 < validForHours) {
             // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
             final long msValid = validForHours * 60L * 60L * 1000L;
-            final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
+            final long lastChecked = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_CHECKED, "0"));
             final long now = System.currentTimeMillis();
             proceed = (now - lastChecked) > msValid;
             if (!proceed) {
@@ -136,17 +282,10 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
      * @return true if the database contains data
      */
     private boolean dataExists() {
-        CveDB cve = null;
-        try {
-            cve = new CveDB();
-            cve.open();
+        try (CveDB cve = CveDB.getInstance()) {
             return cve.dataExists();
         } catch (DatabaseException ex) {
             return false;
-        } finally {
-            if (cve != null) {
-                cve.close();
-            }
         }
     }
 
@@ -159,9 +298,8 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
      * @throws UpdateException is thrown if there is an error updating the
      * database
      */
-    public void performUpdate(UpdateableNvdCve updateable) throws UpdateException {
+    private void performUpdate(UpdateableNvdCve updateable) throws UpdateException {
         int maxUpdates = 0;
-        try {
         for (NvdCveInfo cve : updateable) {
             if (cve.getNeedsUpdate()) {
                 maxUpdates += 1;
@@ -171,48 +309,31 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
             return;
         }
         if (maxUpdates > 3) {
-                LOGGER.info(
-                        "NVD CVE requires several updates; this could take a couple of minutes.");
-            }
-            if (maxUpdates > 0) {
-                openDataStores();
+            LOGGER.info("NVD CVE requires several updates; this could take a couple of minutes.");
         }
 
-            final int poolSize = (MAX_THREAD_POOL_SIZE < maxUpdates) ? MAX_THREAD_POOL_SIZE : maxUpdates;
-
-            final ExecutorService downloadExecutors = Executors.newFixedThreadPool(poolSize);
-            final ExecutorService processExecutor = Executors.newSingleThreadExecutor();
-            final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<Future<Future<ProcessTask>>>(maxUpdates);
+        final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<>(maxUpdates);
         for (NvdCveInfo cve : updateable) {
             if (cve.getNeedsUpdate()) {
-                    final DownloadTask call = new DownloadTask(cve, processExecutor, getCveDB(), Settings.getInstance());
-                    downloadFutures.add(downloadExecutors.submit(call));
+                final DownloadTask call = new DownloadTask(cve, processingExecutorService, cveDb, Settings.getInstance());
+                downloadFutures.add(downloadExecutorService.submit(call));
             }
         }
-            downloadExecutors.shutdown();
 
         //next, move the future future processTasks to just future processTasks
-            final Set<Future<ProcessTask>> processFutures = new HashSet<Future<ProcessTask>>(maxUpdates);
+        final Set<Future<ProcessTask>> processFutures = new HashSet<>(maxUpdates);
         for (Future<Future<ProcessTask>> future : downloadFutures) {
-                Future<ProcessTask> task = null;
+            Future<ProcessTask> task;
             try {
                 task = future.get();
             } catch (InterruptedException ex) {
-                    downloadExecutors.shutdownNow();
-                    processExecutor.shutdownNow();
-
                 LOGGER.debug("Thread was interrupted during download", ex);
                 throw new UpdateException("The download was interrupted", ex);
             } catch (ExecutionException ex) {
-                    downloadExecutors.shutdownNow();
-                    processExecutor.shutdownNow();
-
                 LOGGER.debug("Thread was interrupted during download execution", ex);
                 throw new UpdateException("The execution of the download was interrupted", ex);
             }
             if (task == null) {
-                    downloadExecutors.shutdownNow();
-                    processExecutor.shutdownNow();
                 LOGGER.debug("Thread was interrupted during download");
                 throw new UpdateException("The download was interrupted; unable to complete the update");
             } else {
@@ -227,27 +348,20 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
                     throw task.getException();
                 }
             } catch (InterruptedException ex) {
-                    processExecutor.shutdownNow();
                 LOGGER.debug("Thread was interrupted during processing", ex);
                 throw new UpdateException(ex);
             } catch (ExecutionException ex) {
-                    processExecutor.shutdownNow();
                 LOGGER.debug("Execution Exception during process", ex);
                 throw new UpdateException(ex);
-                } finally {
-                    processExecutor.shutdown();
             }
         }
 
         if (maxUpdates >= 1) { //ensure the modified file date gets written (we may not have actually updated it)
-                getProperties().save(updateable.get(MODIFIED));
+            dbProperties.save(updateable.get(MODIFIED));
             LOGGER.info("Begin database maintenance.");
-                getCveDB().cleanupDatabase();
+            cveDb.cleanupDatabase();
             LOGGER.info("End database maintenance.");
         }
-        } finally {
-            closeDataStores();
-        }
     }
 
     /**
@@ -265,7 +379,8 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
      * updated properties file
      */
     protected final UpdateableNvdCve getUpdatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException {
-        UpdateableNvdCve updates = null;
+        LOGGER.info("starting getUpdatesNeeded() ...");
+        UpdateableNvdCve updates;
         try {
             updates = retrieveCurrentTimestampsFromWeb();
         } catch (InvalidDataException ex) {
@@ -280,14 +395,24 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         if (updates == null) {
             throw new DownloadFailedException("Unable to retrieve the timestamps of the currently published NVD CVE data");
         }
-        if (!getProperties().isEmpty()) {
+        if (dbProperties != null && !dbProperties.isEmpty()) {
             try {
-                final long lastUpdated = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED, "0"));
+                final int startYear = Settings.getInt(Settings.KEYS.CVE_START_YEAR, 2002);
+                final int endYear = Calendar.getInstance().get(Calendar.YEAR);
+                boolean needsFullUpdate = false;
+                for (int y = startYear; y <= endYear; y++) {
+                    final long val = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_UPDATED_BASE + y, "0"));
+                    if (val == 0) {
+                        needsFullUpdate = true;
+                    }
+                }
+
+                final long lastUpdated = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_UPDATED, "0"));
                 final long now = System.currentTimeMillis();
                 final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
-                if (lastUpdated == updates.getTimeStamp(MODIFIED)) {
+                if (!needsFullUpdate && lastUpdated == updates.getTimeStamp(MODIFIED)) {
                     updates.clear(); //we don't need to update anything.
-                } else if (DateUtil.withinDateRange(lastUpdated, now, days)) {
+                } else if (!needsFullUpdate && DateUtil.withinDateRange(lastUpdated, now, days)) {
                     for (NvdCveInfo entry : updates) {
                         if (MODIFIED.equals(entry.getId())) {
                             entry.setNeedsUpdate(true);
@@ -302,7 +427,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
                         } else {
                             long currentTimestamp = 0;
                             try {
-                                currentTimestamp = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE
+                                currentTimestamp = Long.parseLong(dbProperties.getProperty(DatabaseProperties.LAST_UPDATED_BASE
                                         + entry.getId(), "0"));
                             } catch (NumberFormatException ex) {
                                 LOGGER.debug("Error parsing '{}' '{}' from nvdcve.lastupdated",
@@ -337,20 +462,101 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
     private UpdateableNvdCve retrieveCurrentTimestampsFromWeb()
             throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException {
 
-        final UpdateableNvdCve updates = new UpdateableNvdCve();
-        updates.add(MODIFIED, Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL),
-                Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL),
-                false);
-
         final int start = Settings.getInt(Settings.KEYS.CVE_START_YEAR);
         final int end = Calendar.getInstance().get(Calendar.YEAR);
+
+        final Map<String, Long> lastModifiedDates = retrieveLastModifiedDates(start, end);
+
+        final UpdateableNvdCve updates = new UpdateableNvdCve();
+
         final String baseUrl20 = Settings.getString(Settings.KEYS.CVE_SCHEMA_2_0);
         final String baseUrl12 = Settings.getString(Settings.KEYS.CVE_SCHEMA_1_2);
         for (int i = start; i <= end; i++) {
-            updates.add(Integer.toString(i), String.format(baseUrl20, i),
-                    String.format(baseUrl12, i),
-                    true);
+            final String url = String.format(baseUrl20, i);
+            updates.add(Integer.toString(i), url, String.format(baseUrl12, i),
+                    lastModifiedDates.get(url), true);
         }
+
+        final String url = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
+        updates.add(MODIFIED, url, Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL),
+                lastModifiedDates.get(url), false);
+
         return updates;
     }
+
+    /**
+     * Retrieves the timestamps from the NVD CVE meta data file.
+     *
+     * @param startYear the first year whose item to check for the timestamp
+     * @param endYear the last year whose item to check for the timestamp
+     * @return the timestamps from the currently published NVD CVE downloads
+     * page
+     * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data
+     * is incorrect.
+     * @throws DownloadFailedException thrown if there is an error downloading
+     * the NVD CVE meta data file
+     */
+    private Map<String, Long> retrieveLastModifiedDates(int startYear, int endYear)
+            throws MalformedURLException, DownloadFailedException {
+
+        final Set<String> urls = new HashSet<>();
+        final String baseUrl20 = Settings.getString(Settings.KEYS.CVE_SCHEMA_2_0);
+        for (int i = startYear; i <= endYear; i++) {
+            final String url = String.format(baseUrl20, i);
+            urls.add(url);
+        }
+        urls.add(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
+
+        final Map<String, Future<Long>> timestampFutures = new HashMap<>();
+        for (String url : urls) {
+            final TimestampRetriever timestampRetriever = new TimestampRetriever(url);
+            final Future<Long> future = downloadExecutorService.submit(timestampRetriever);
+            timestampFutures.put(url, future);
+        }
+
+        final Map<String, Long> lastModifiedDates = new HashMap<>();
+        for (String url : urls) {
+            final Future<Long> timestampFuture = timestampFutures.get(url);
+            final long timestamp;
+            try {
+                timestamp = timestampFuture.get(60, TimeUnit.SECONDS);
+            } catch (InterruptedException | ExecutionException | TimeoutException e) {
+                throw new DownloadFailedException(e);
+            }
+            lastModifiedDates.put(url, timestamp);
+        }
+
+        return lastModifiedDates;
+    }
+
+    /**
+     * Retrieves the last modified timestamp from a NVD CVE meta data file.
+     */
+    private static class TimestampRetriever implements Callable<Long> {
+
+        /**
+         * The URL to obtain the timestamp from.
+         */
+        private final String url;
+
+        /**
+         * Instantiates a new timestamp retriever object.
+         *
+         * @param url the URL to hit
+         */
+        TimestampRetriever(String url) {
+            this.url = url;
+        }
+
+        @Override
+        public Long call() throws Exception {
+            LOGGER.debug("Checking for updates from: {}", url);
+            try {
+                Settings.initialize();
+                return Downloader.getLastModified(new URL(url));
+            } finally {
+                Settings.cleanup(false);
+            }
+        }
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java

@@ -22,6 +22,7 @@ import java.util.ArrayList;
 import java.util.List;
 import org.owasp.dependencycheck.data.update.NvdCveUpdater;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.Attributes;
@@ -29,7 +30,7 @@ import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
 
 /**
- * A SAX Handler that will parse the CPE XML and load it into the databse.
+ * A SAX Handler that will parse the CPE XML and load it into the database.
  *
  * @author Jeremy Long
  */
@@ -40,7 +41,12 @@ public class CPEHandler extends DefaultHandler {
      */
     private static final String CURRENT_SCHEMA_VERSION = "2.3";
     /**
-     * The text content of the node being processed. This can be used during the end element event.
+     * The Starts with expression to filter CVE entries by CPE.
+     */
+    private static final String CPE_STARTS_WITH = Settings.getString(Settings.KEYS.CVE_CPE_STARTS_WITH_FILTER, "cpe:/a:");
+    /**
+     * The text content of the node being processed. This can be used during the
+     * end element event.
      */
     private StringBuilder nodeText = null;
     /**
@@ -54,7 +60,7 @@ public class CPEHandler extends DefaultHandler {
     /**
      * The list of CPE values.
      */
-    private final List<Cpe> data = new ArrayList<Cpe>();
+    private final List<Cpe> data = new ArrayList<>();
 
     /**
      * Returns the list of CPE values.
@@ -72,7 +78,8 @@ public class CPEHandler extends DefaultHandler {
      * @param localName the local name
      * @param qName the qualified name
      * @param attributes the attributes
-     * @throws SAXException thrown if there is an exception processing the element
+     * @throws SAXException thrown if there is an exception processing the
+     * element
      */
     @Override
     public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
@@ -82,7 +89,7 @@ public class CPEHandler extends DefaultHandler {
             final String temp = attributes.getValue("deprecated");
             final String value = attributes.getValue("name");
             final boolean delete = "true".equalsIgnoreCase(temp);
-            if (!delete && value.startsWith("cpe:/a:") && value.length() > 7) {
+            if (!delete && value.startsWith(CPE_STARTS_WITH) && value.length() > 7) {
                 try {
                     final Cpe cpe = new Cpe(value);
                     data.add(cpe);
@@ -123,7 +130,8 @@ public class CPEHandler extends DefaultHandler {
      * @param ch the char array
      * @param start the start position of the data read
      * @param length the length of the data read
-     * @throws SAXException thrown if there is an exception processing the characters
+     * @throws SAXException thrown if there is an exception processing the
+     * characters
      */
     @Override
     public void characters(char[] ch, int start, int length) throws SAXException {
@@ -133,51 +141,29 @@ public class CPEHandler extends DefaultHandler {
     }
 
     /**
-     * Handles the end element event. Stores the CPE data in the Cve Database if the cpe item node is ending.
+     * Handles the end element event. Stores the CPE data in the Cve Database if
+     * the cpe item node is ending.
      *
      * @param uri the element's uri
      * @param localName the local name
      * @param qName the qualified name
-     * @throws SAXException thrown if there is an exception processing the element
+     * @throws SAXException thrown if there is an exception processing the
+     * element
      */
     @Override
     public void endElement(String uri, String localName, String qName) throws SAXException {
         current.setNode(qName);
         if (current.isSchemaVersionNode() && !CURRENT_SCHEMA_VERSION.equals(nodeText.toString())) {
-            throw new SAXException("ERROR: Unexpecgted CPE Schema Version, expected: "
+            throw new SAXException("ERROR: Unexpected CPE Schema Version, expected: "
                     + CURRENT_SCHEMA_VERSION + ", file is: " + nodeText);
 
         }
-//        } else if (current.isCpeItemNode()) {
-//            //do nothing
-//        } else if (current.isTitleNode()) {
-//            //do nothing
-//        } else if (current.isCpeListNode()) {
-//            //do nothing
-//        } else if (current.isMetaNode()) {
-//            //do nothing
-//        } else if (current.isNotesNode()) {
-//            //do nothing
-//        } else if (current.isNoteNode()) {
-//            //do nothing
-//        } else if (current.isCheckNode()) {
-//            //do nothing
-//        } else if (current.isGeneratorNode()) {
-//            //do nothing
-//        } else if (current.isProductNameNode()) {
-//            //do nothing
-//        } else if (current.isProductVersionNode()) {
-//            //do nothing
-//        else if (current.isTimestampNode()) {
-//            //do nothing
-//        } else {
-//            throw new SAXException("ERROR STATE: Unexpected qName '" + qName + "'");
-//        }
     }
 
     // <editor-fold defaultstate="collapsed" desc="The Element Class that maintains state information about the current node">
     /**
-     * A simple class to maintain information about the current element while parsing the CPE XML.
+     * A simple class to maintain information about the current element while
+     * parsing the CPE XML.
      */
     protected static final class Element {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/Cpe.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.data.update.cpe;
 
+import org.apache.commons.lang3.StringUtils;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
@@ -36,7 +37,8 @@ public class Cpe {
      */
     public Cpe(String value) throws UnsupportedEncodingException, InvalidDataException {
         this.value = value;
-        final String[] data = value.substring(7).split(":");
+        final String valueWithoutPrefix = value.substring(7);
+        final String[] data = StringUtils.split(valueWithoutPrefix, ':');
         if (data.length >= 2) {
             vendor = URLDecoder.decode(data[0].replace("+", "%2B"), "UTF-8");
             product = URLDecoder.decode(data[1].replace("+", "%2B"), "UTF-8");

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/exception/UpdateException.java

@@ -17,14 +17,12 @@
  */
 package org.owasp.dependencycheck.data.update.exception;
 
-import java.io.IOException;
-
 /**
  * An exception used when an error occurs reading a setting.
  *
  * @author Jeremy Long
  */
-public class UpdateException extends IOException {
+public class UpdateException extends Exception {
 
     /**
      * The serial version uid.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java

@@ -19,20 +19,17 @@ package org.owasp.dependencycheck.data.update.nvd;
 
 import java.io.File;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
-import java.util.zip.GZIPInputStream;
-import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.ExtractionUtil;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -48,6 +45,30 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
      * The Logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(DownloadTask.class);
+    /**
+     * The CVE DB to use when processing the files.
+     */
+    private final CveDB cveDB;
+    /**
+     * The processor service to pass the results of the download to.
+     */
+    private final ExecutorService processorService;
+    /**
+     * The NVD CVE Meta Data.
+     */
+    private NvdCveInfo nvdCveInfo;
+    /**
+     * A reference to the global settings object.
+     */
+    private final Settings settings;
+    /**
+     * a file.
+     */
+    private File first;
+    /**
+     * a file.
+     */
+    private File second;
 
     /**
      * Simple constructor for the callable download task.
@@ -55,8 +76,9 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
      * @param nvdCveInfo the NVD CVE info
      * @param processor the processor service to submit the downloaded files to
      * @param cveDB the CVE DB to use to store the vulnerability data
-     * @param settings a reference to the global settings object; this is necessary so that when the thread is started the
-     * dependencies have a correct reference to the global settings.
+     * @param settings a reference to the global settings object; this is
+     * necessary so that when the thread is started the dependencies have a
+     * correct reference to the global settings.
      * @throws UpdateException thrown if temporary files could not be created
      */
     public DownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
@@ -78,22 +100,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
         this.second = file2;
 
     }
-    /**
-     * The CVE DB to use when processing the files.
-     */
-    private final CveDB cveDB;
-    /**
-     * The processor service to pass the results of the download to.
-     */
-    private final ExecutorService processorService;
-    /**
-     * The NVD CVE Meta Data.
-     */
-    private NvdCveInfo nvdCveInfo;
-    /**
-     * A reference to the global settings object.
-     */
-    private final Settings settings;
 
     /**
      * Get the value of nvdCveInfo.
@@ -112,10 +118,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     public void setNvdCveInfo(NvdCveInfo nvdCveInfo) {
         this.nvdCveInfo = nvdCveInfo;
     }
-    /**
-     * a file.
-     */
-    private File first;
 
     /**
      * Get the value of first.
@@ -134,10 +136,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     public void setFirst(File first) {
         this.first = first;
     }
-    /**
-     * a file.
-     */
-    private File second;
 
     /**
      * Get the value of second.
@@ -178,10 +176,10 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
                 return null;
             }
             if (url1.toExternalForm().endsWith(".xml.gz") && !isXml(first)) {
-                extractGzip(first);
+                ExtractionUtil.extractGzip(first);
             }
             if (url2.toExternalForm().endsWith(".xml.gz") && !isXml(second)) {
-                extractGzip(second);
+                ExtractionUtil.extractGzip(second);
             }
 
             LOGGER.info("Download Complete for NVD CVE - {}  ({} ms)", nvdCveInfo.getId(),
@@ -205,27 +203,15 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
      * Attempts to delete the files that were downloaded.
      */
     public void cleanup() {
-        boolean deleted = false;
-        try {
-            if (first != null && first.exists()) {
-                deleted = first.delete();
-            }
-        } finally {
-            if (first != null && (first.exists() || !deleted)) {
+        if (first != null && first.exists() && first.delete()) {
+            LOGGER.debug("Failed to delete first temporary file {}", second.toString());
             first.deleteOnExit();
         }
-        }
-        try {
-            deleted = false;
-            if (second != null && second.exists()) {
-                deleted = second.delete();
-            }
-        } finally {
-            if (second != null && (second.exists() || !deleted)) {
+        if (second != null && second.exists() && !second.delete()) {
+            LOGGER.debug("Failed to delete second temporary file {}", second.toString());
             second.deleteOnExit();
         }
     }
-    }
 
     /**
      * Checks the file header to see if it is an XML file.
@@ -237,84 +223,19 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
         if (file == null || !file.isFile()) {
             return false;
         }
-        InputStream is = null;
-        try {
-            is = new FileInputStream(file);
-
+        try (InputStream is = new FileInputStream(file)) {
             final byte[] buf = new byte[5];
-            int read = 0;
-            try {
+            int read;
             read = is.read(buf);
-            } catch (IOException ex) {
-                return false;
-            }
             return read == 5
                     && buf[0] == '<'
                     && (buf[1] == '?')
                     && (buf[2] == 'x' || buf[2] == 'X')
                     && (buf[3] == 'm' || buf[3] == 'M')
                     && (buf[4] == 'l' || buf[4] == 'L');
-        } catch (FileNotFoundException ex) {
+        } catch (IOException ex) {
+            LOGGER.debug("Error checking if file is xml", ex);
             return false;
-        } finally {
-            if (is != null) {
-                try {
-                    is.close();
-                } catch (IOException ex) {
-                    LOGGER.debug("Error closing stream", ex);
-                }
-            }
-        }
-    }
-
-    /**
-     * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
-     *
-     * @param file the archive file
-     * @throws FileNotFoundException thrown if the file does not exist
-     * @throws IOException thrown if there is an error extracting the file.
-     */
-    private void extractGzip(File file) throws FileNotFoundException, IOException {
-        final String originalPath = file.getPath();
-        final File gzip = new File(originalPath + ".gz");
-        if (gzip.isFile() && !gzip.delete()) {
-            gzip.deleteOnExit();
-        }
-        if (!file.renameTo(gzip)) {
-            throw new IOException("Unable to rename '" + file.getPath() + "'");
-        }
-        final File newfile = new File(originalPath);
-
-        final byte[] buffer = new byte[4096];
-
-        GZIPInputStream cin = null;
-        FileOutputStream out = null;
-        try {
-            cin = new GZIPInputStream(new FileInputStream(gzip));
-            out = new FileOutputStream(newfile);
-
-            int len;
-            while ((len = cin.read(buffer)) > 0) {
-                out.write(buffer, 0, len);
-            }
-        } finally {
-            if (cin != null) {
-                try {
-                    cin.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("ignore", ex);
-                }
-            }
-            if (out != null) {
-                try {
-                    out.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("ignore", ex);
-                }
-            }
-            if (gzip.isFile()) {
-                FileUtils.deleteQuietly(gzip);
-            }
         }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve12Handler.java

@@ -93,7 +93,7 @@ public class NvdCve12Handler extends DefaultHandler {
             skip = "1".equals(reject);
             if (!skip) {
                 vulnerability = attributes.getValue("name");
-                software = new ArrayList<VulnerableSoftware>();
+                software = new ArrayList<>();
             } else {
                 vulnerability = null;
                 software = null;
@@ -132,7 +132,7 @@ public class NvdCve12Handler extends DefaultHandler {
             if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
                 throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
             }
-            vulnerabilities = new HashMap<String, List<VulnerableSoftware>>();
+            vulnerabilities = new HashMap<>();
         }
     }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java

@@ -33,6 +33,8 @@ import org.xml.sax.SAXException;
 import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.helpers.DefaultHandler;
 
+import static org.owasp.dependencycheck.data.update.nvd.NvdCve20Handler.AttributeValues.*;
+
 /**
  * A SAX Handler that will parse the NVD CVE XML (schema version 2.0).
  *
@@ -48,6 +50,19 @@ public class NvdCve20Handler extends DefaultHandler {
      * the current supported schema version.
      */
     private static final String CURRENT_SCHEMA_VERSION = "2.0";
+    /**
+     * a possible attribute value of the {@link AttributeValues#XML_LANG}
+     * attribute
+     */
+    private static final String EN = "en";
+    /**
+     * the prefix of the node text of a CPE
+     */
+    private static final String CPE_NODE_TEXT_PREFIX = "cpe:/a:";
+    /**
+     * the node text of an entry marked for deletion
+     */
+    private static final String REJECT_NODE_TEXT = "** REJECT **";
     /**
      * the current element.
      */
@@ -73,6 +88,21 @@ public class NvdCve20Handler extends DefaultHandler {
      */
     private int totalNumberOfEntries;
 
+    /**
+     * The total number of application entries parsed.
+     */
+    private int totalNumberOfApplicationEntries;
+    /**
+     * the cve database.
+     */
+    private CveDB cveDB;
+
+    /**
+     * A list of CVE entries and associated VulnerableSoftware entries that
+     * contain previous entries.
+     */
+    private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
+
     /**
      * Get the value of totalNumberOfEntries.
      *
@@ -81,10 +111,6 @@ public class NvdCve20Handler extends DefaultHandler {
     public int getTotalNumberOfEntries() {
         return totalNumberOfEntries;
     }
-    /**
-     * The total number of application entries parsed.
-     */
-    private int totalNumberOfApplicationEntries;
 
     /**
      * Get the value of totalNumberOfApplicationEntries.
@@ -101,30 +127,30 @@ public class NvdCve20Handler extends DefaultHandler {
         if (current.isEntryNode()) {
             hasApplicationCpe = false;
             vulnerability = new Vulnerability();
-            vulnerability.setName(attributes.getValue("id"));
+            vulnerability.setName(attributes.getValue(ID));
         } else if (current.isVulnProductNode()) {
             nodeText = new StringBuilder(100);
         } else if (current.isVulnReferencesNode()) {
-            final String lang = attributes.getValue("xml:lang");
-            if ("en".equals(lang)) {
+            final String lang = attributes.getValue(XML_LANG);
+            if (EN.equals(lang)) {
                 reference = new Reference();
             } else {
                 reference = null;
             }
         } else if (reference != null && current.isVulnReferenceNode()) {
-            reference.setUrl(attributes.getValue("href"));
+            reference.setUrl(attributes.getValue(HREF));
             nodeText = new StringBuilder(130);
         } else if (reference != null && current.isVulnSourceNode()) {
             nodeText = new StringBuilder(30);
         } else if (current.isVulnSummaryNode()) {
             nodeText = new StringBuilder(500);
         } else if (current.isNVDNode()) {
-            final String nvdVer = attributes.getValue("nvd_xml_version");
+            final String nvdVer = attributes.getValue(NVD_XML_VERSION);
             if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
                 throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
             }
         } else if (current.isVulnCWENode()) {
-            vulnerability.setCwe(attributes.getValue("id"));
+            vulnerability.setCwe(attributes.getValue(ID));
         } else if (current.isCVSSScoreNode()) {
             nodeText = new StringBuilder(5);
         } else if (current.isCVSSAccessVectorNode()) {
@@ -158,9 +184,7 @@ public class NvdCve20Handler extends DefaultHandler {
                 totalNumberOfApplicationEntries += 1;
                 try {
                     saveEntry(vulnerability);
-                } catch (DatabaseException ex) {
-                    throw new SAXException(ex);
-                } catch (CorruptIndexException ex) {
+                } catch (DatabaseException | CorruptIndexException ex) {
                     throw new SAXException(ex);
                 } catch (IOException ex) {
                     throw new SAXException(ex);
@@ -196,7 +220,7 @@ public class NvdCve20Handler extends DefaultHandler {
             nodeText = null;
         } else if (current.isVulnProductNode()) {
             final String cpe = nodeText.toString();
-            if (cpe.startsWith("cpe:/a:")) {
+            if (cpe.startsWith(CPE_NODE_TEXT_PREFIX)) {
                 hasApplicationCpe = true;
                 vulnerability.addVulnerableSoftware(cpe);
             }
@@ -212,16 +236,12 @@ public class NvdCve20Handler extends DefaultHandler {
             nodeText = null;
         } else if (current.isVulnSummaryNode()) {
             vulnerability.setDescription(nodeText.toString());
-            if (nodeText.indexOf("** REJECT **") >= 0) {
+            if (nodeText.indexOf(REJECT_NODE_TEXT) >= 0) {
                 hasApplicationCpe = true; //ensure we process this to delete the vuln
             }
             nodeText = null;
         }
     }
-    /**
-     * the cve database.
-     */
-    private CveDB cveDB;
 
     /**
      * Sets the cveDB.
@@ -231,15 +251,12 @@ public class NvdCve20Handler extends DefaultHandler {
     public void setCveDB(CveDB db) {
         cveDB = db;
     }
-    /**
-     * A list of CVE entries and associated VulnerableSoftware entries that contain previous entries.
-     */
-    private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
 
     /**
      * Sets the prevVersionVulnMap.
      *
-     * @param map the map of vulnerable software with previous versions being vulnerable
+     * @param map the map of vulnerable software with previous versions being
+     * vulnerable
      */
     public void setPrevVersionVulnMap(Map<String, List<VulnerableSoftware>> map) {
         prevVersionVulnMap = map;
@@ -249,7 +266,8 @@ public class NvdCve20Handler extends DefaultHandler {
      * Saves a vulnerability to the CVE Database.
      *
      * @param vuln the vulnerability to store in the database
-     * @throws DatabaseException thrown if there is an error writing to the database
+     * @throws DatabaseException thrown if there is an error writing to the
+     * database
      * @throws CorruptIndexException is thrown if the CPE Index is corrupt
      * @throws IOException thrown if there is an IOException with the CPE Index
      */
@@ -268,7 +286,8 @@ public class NvdCve20Handler extends DefaultHandler {
 
     // <editor-fold defaultstate="collapsed" desc="The Element Class that maintains state information about the current node">
     /**
-     * A simple class to maintain information about the current element while parsing the NVD CVE XML.
+     * A simple class to maintain information about the current element while
+     * parsing the NVD CVE XML.
      */
     protected static class Element {
 
@@ -491,4 +510,28 @@ public class NvdCve20Handler extends DefaultHandler {
         }
     }
     // </editor-fold>
+
+    /**
+     * A simple class to maintain information about the attribute values
+     * encountered while parsing the NVD CVE XML.
+     */
+    protected static class AttributeValues {
+
+        /**
+         * An attribute in the NVD CVE Schema 2.0
+         */
+        protected static final String ID = "id";
+        /**
+         * An attribute in the NVD CVE Schema 2.0
+         */
+        protected static final String XML_LANG = "xml:lang";
+        /**
+         * An attribute in the NVD CVE Schema 2.0
+         */
+        protected static final String HREF = "href";
+        /**
+         * An attribute in the NVD CVE Schema 2.0
+         */
+        protected static final String NVD_XML_VERSION = "nvd_xml_version";
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java

@@ -18,7 +18,6 @@
 package org.owasp.dependencycheck.data.update.nvd;
 
 import java.io.File;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
@@ -26,19 +25,20 @@ import java.util.Map;
 import java.util.concurrent.Callable;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.XmlUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.SAXException;
 
 /**
- * A callable task that will process a given set of NVD CVE xml files and update the Cve Database accordingly.
+ * A callable task that will process a given set of NVD CVE xml files and update
+ * the Cve Database accordingly.
  *
  * @author Jeremy Long
  */
@@ -91,9 +91,11 @@ public class ProcessTask implements Callable<ProcessTask> {
      * Constructs a new ProcessTask used to process an NVD CVE update.
      *
      * @param cveDB the data store object
-     * @param filePair the download task that contains the URL references to download
-     * @param settings a reference to the global settings object; this is necessary so that when the thread is started the
-     * dependencies have a correct reference to the global settings.
+     * @param filePair the download task that contains the URL references to
+     * download
+     * @param settings a reference to the global settings object; this is
+     * necessary so that when the thread is started the dependencies have a
+     * correct reference to the global settings.
      */
     public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings) {
         this.cveDB = cveDB;
@@ -106,8 +108,8 @@ public class ProcessTask implements Callable<ProcessTask> {
      * Implements the callable interface.
      *
      * @return this object
-     * @throws Exception thrown if there is an exception; note that any UpdateExceptions are simply added to the tasks exception
-     * collection
+     * @throws Exception thrown if there is an exception; note that any
+     * UpdateExceptions are simply added to the tasks exception collection
      */
     @Override
     public ProcessTask call() throws Exception {
@@ -127,18 +129,19 @@ public class ProcessTask implements Callable<ProcessTask> {
      *
      * @param file the file containing the NVD CVE XML
      * @param oldVersion contains the file containing the NVD CVE XML 1.2
-     * @throws ParserConfigurationException is thrown if there is a parser configuration exception
+     * @throws ParserConfigurationException is thrown if there is a parser
+     * configuration exception
      * @throws SAXException is thrown if there is a SAXException
      * @throws IOException is thrown if there is a IO Exception
      * @throws SQLException is thrown if there is a SQL exception
      * @throws DatabaseException is thrown if there is a database exception
-     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be
+     * loaded
      */
     protected void importXML(File file, File oldVersion) throws ParserConfigurationException,
             SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
 
-        final SAXParserFactory factory = SAXParserFactory.newInstance();
-        final SAXParser saxParser = factory.newSAXParser();
+        final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
 
         final NvdCve12Handler cve12Handler = new NvdCve12Handler();
         saxParser.parse(oldVersion, cve12Handler);
@@ -153,7 +156,8 @@ public class ProcessTask implements Callable<ProcessTask> {
     /**
      * Processes the NVD CVE XML file and imports the data into the DB.
      *
-     * @throws UpdateException thrown if there is an error loading the data into the database
+     * @throws UpdateException thrown if there is an error loading the data into
+     * the database
      */
     private void processFiles() throws UpdateException {
         LOGGER.info("Processing Started for NVD CVE - {}", filePair.getNvdCveInfo().getId());
@@ -162,19 +166,7 @@ public class ProcessTask implements Callable<ProcessTask> {
             importXML(filePair.getFirst(), filePair.getSecond());
             cveDB.commit();
             properties.save(filePair.getNvdCveInfo());
-        } catch (FileNotFoundException ex) {
-            throw new UpdateException(ex);
-        } catch (ParserConfigurationException ex) {
-            throw new UpdateException(ex);
-        } catch (SAXException ex) {
-            throw new UpdateException(ex);
-        } catch (IOException ex) {
-            throw new UpdateException(ex);
-        } catch (SQLException ex) {
-            throw new UpdateException(ex);
-        } catch (DatabaseException ex) {
-            throw new UpdateException(ex);
-        } catch (ClassNotFoundException ex) {
+        } catch (ParserConfigurationException | SAXException | SQLException | DatabaseException | ClassNotFoundException | IOException ex) {
             throw new UpdateException(ex);
         } finally {
             filePair.cleanup();

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCve.java

@@ -17,14 +17,10 @@
  */
 package org.owasp.dependencycheck.data.update.nvd;
 
-import java.net.MalformedURLException;
-import java.net.URL;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.TreeMap;
-import org.owasp.dependencycheck.utils.DownloadFailedException;
-import org.owasp.dependencycheck.utils.Downloader;
 
 /**
  * Contains a collection of updateable NvdCveInfo objects. This is used to determine which files need to be downloaded and
@@ -37,7 +33,7 @@ public class UpdateableNvdCve implements Iterable<NvdCveInfo>, Iterator<NvdCveIn
     /**
      * A collection of sources of data.
      */
-    private final Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
+    private final Map<String, NvdCveInfo> collection = new TreeMap<>();
 
     /**
      * Returns the collection of NvdCveInfo objects. This method is mainly used for testing.
@@ -68,30 +64,16 @@ public class UpdateableNvdCve implements Iterable<NvdCveInfo>, Iterator<NvdCveIn
      * @param id the key for the item to be added
      * @param url the URL to download the item
      * @param oldUrl the URL for the old version of the item (the NVD CVE old schema still contains useful data we need).
-     * @throws MalformedURLException thrown if the URL provided is invalid
-     * @throws DownloadFailedException thrown if the download fails.
-     */
-    public void add(String id, String url, String oldUrl) throws MalformedURLException, DownloadFailedException {
-        add(id, url, oldUrl, false);
-    }
-
-    /**
-     * Adds a new entry of updateable information to the contained collection.
-     *
-     * @param id the key for the item to be added
-     * @param url the URL to download the item
-     * @param oldUrl the URL for the old version of the item (the NVD CVE old schema still contains useful data we need).
+     * @param timestamp the last modified date of the downloaded item
      * @param needsUpdate whether or not the data needs to be updated
-     * @throws MalformedURLException thrown if the URL provided is invalid
-     * @throws DownloadFailedException thrown if the download fails.
      */
-    public void add(String id, String url, String oldUrl, boolean needsUpdate) throws MalformedURLException, DownloadFailedException {
+    public void add(String id, String url, String oldUrl, long timestamp, boolean needsUpdate) {
         final NvdCveInfo item = new NvdCveInfo();
         item.setNeedsUpdate(needsUpdate); //the others default to true, to make life easier later this should default to false.
         item.setId(id);
         item.setUrl(url);
         item.setOldSchemaVersionUrl(oldUrl);
-        item.setTimestamp(Downloader.getLastModified(new URL(url)));
+        item.setTimestamp(timestamp);
         collection.put(id, item);
     }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -73,30 +73,10 @@ public class Dependency implements Serializable, Comparable<Dependency> {
      * The file name of the dependency.
      */
     private String fileName;
-
     /**
      * The package path.
      */
     private String packagePath;
-
-    /**
-     * Returns the package path.
-     *
-     * @return the package path
-     */
-    public String getPackagePath() {
-        return packagePath;
-    }
-
-    /**
-     * Sets the package path.
-     *
-     * @param packagePath the package path
-     */
-    public void setPackagePath(String packagePath) {
-        this.packagePath = packagePath;
-    }
-
     /**
      * The md5 hash of the dependency.
      */
@@ -121,6 +101,60 @@ public class Dependency implements Serializable, Comparable<Dependency> {
      * A collection of version evidence.
      */
     private final EvidenceCollection versionEvidence;
+    /**
+     * The file name to display in reports.
+     */
+    private String displayName = null;
+    /**
+     * A set of identifiers that have been suppressed.
+     */
+    private Set<Identifier> suppressedIdentifiers;
+    /**
+     * A set of vulnerabilities that have been suppressed.
+     */
+    private SortedSet<Vulnerability> suppressedVulnerabilities;
+    /**
+     * The description of the JAR file.
+     */
+    private String description;
+    /**
+     * The license that this dependency uses.
+     */
+    private String license;
+    /**
+     * A list of vulnerabilities for this dependency.
+     */
+    private SortedSet<Vulnerability> vulnerabilities;
+    /**
+     * A collection of related dependencies.
+     */
+    private Set<Dependency> relatedDependencies = new TreeSet<>();
+    /**
+     * A list of projects that reference this dependency.
+     */
+    private Set<String> projectReferences = new HashSet<>();
+    /**
+     * A list of available versions.
+     */
+    private List<String> availableVersions = new ArrayList<>();
+
+    /**
+     * Returns the package path.
+     *
+     * @return the package path
+     */
+    public String getPackagePath() {
+        return packagePath;
+    }
+
+    /**
+     * Sets the package path.
+     *
+     * @param packagePath the package path
+     */
+    public void setPackagePath(String packagePath) {
+        this.packagePath = packagePath;
+    }
 
     /**
      * Constructs a new Dependency object.
@@ -129,10 +163,10 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         vendorEvidence = new EvidenceCollection();
         productEvidence = new EvidenceCollection();
         versionEvidence = new EvidenceCollection();
-        identifiers = new TreeSet<Identifier>();
-        vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
-        suppressedIdentifiers = new TreeSet<Identifier>();
-        suppressedVulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
+        identifiers = new TreeSet<>();
+        vulnerabilities = new TreeSet<>(new VulnerabilityComparator());
+        suppressedIdentifiers = new TreeSet<>();
+        suppressedVulnerabilities = new TreeSet<>(new VulnerabilityComparator());
     }
 
     /**
@@ -222,11 +256,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.filePath = filePath;
     }
 
-    /**
-     * The file name to display in reports.
-     */
-    private String displayName = null;
-
     /**
      * Sets the file name to display in reports.
      *
@@ -392,11 +421,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.identifiers.add(identifier);
     }
 
-    /**
-     * A set of identifiers that have been suppressed.
-     */
-    private Set<Identifier> suppressedIdentifiers;
-
     /**
      * Get the value of suppressedIdentifiers.
      *
@@ -424,11 +448,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.suppressedIdentifiers.add(identifier);
     }
 
-    /**
-     * A set of vulnerabilities that have been suppressed.
-     */
-    private SortedSet<Vulnerability> suppressedVulnerabilities;
-
     /**
      * Get the value of suppressedVulnerabilities.
      *
@@ -510,11 +529,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         return this.versionEvidence;
     }
 
-    /**
-     * The description of the JAR file.
-     */
-    private String description;
-
     /**
      * Get the value of description.
      *
@@ -533,11 +547,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.description = description;
     }
 
-    /**
-     * The license that this dependency uses.
-     */
-    private String license;
-
     /**
      * Get the value of license.
      *
@@ -556,11 +565,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.license = license;
     }
 
-    /**
-     * A list of vulnerabilities for this dependency.
-     */
-    private SortedSet<Vulnerability> vulnerabilities;
-
     /**
      * Get the list of vulnerabilities.
      *
@@ -594,7 +598,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
             LOGGER.warn("Unable to read '{}' to determine hashes.", file.getName());
             LOGGER.debug("", ex);
         } catch (NoSuchAlgorithmException ex) {
-            LOGGER.warn("Unable to use MD5 of SHA1 checksums.");
+            LOGGER.warn("Unable to use MD5 or SHA1 checksums.");
             LOGGER.debug("", ex);
         }
         this.setMd5sum(md5);
@@ -610,11 +614,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.vulnerabilities.add(vulnerability);
     }
 
-    /**
-     * A collection of related dependencies.
-     */
-    private Set<Dependency> relatedDependencies = new TreeSet<Dependency>();
-
     /**
      * Get the value of {@link #relatedDependencies}. This field is used to
      * collect other dependencies which really represent the same dependency,
@@ -626,11 +625,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         return relatedDependencies;
     }
 
-    /**
-     * A list of projects that reference this dependency.
-     */
-    private Set<String> projectReferences = new HashSet<String>();
-
     /**
      * Get the value of projectReferences.
      *
@@ -698,11 +692,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         }
     }
 
-    /**
-     * A list of available versions.
-     */
-    private List<String> availableVersions = new ArrayList<String>();
-
     /**
      * Get the value of availableVersions.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java

@@ -127,9 +127,11 @@ public class Evidence implements Serializable, Comparable<Evidence> {
     }
 
     /**
-     * Get the value of value. If setUsed is set to false this call to get will not mark the evidence as used.
+     * Get the value of value. If setUsed is set to false this call to get will
+     * not mark the evidence as used.
      *
-     * @param setUsed whether or not this call to getValue should cause the used flag to be updated
+     * @param setUsed whether or not this call to getValue should cause the used
+     * flag to be updated
      * @return the value of value
      */
     public String getValue(Boolean setUsed) {
@@ -213,6 +215,7 @@ public class Evidence implements Serializable, Comparable<Evidence> {
      * @param that an object to check the equality of.
      * @return whether the two objects are equal.
      */
+    @SuppressWarnings("deprecation")
     @Override
     public boolean equals(Object that) {
         if (this == that) {
@@ -223,6 +226,8 @@ public class Evidence implements Serializable, Comparable<Evidence> {
         }
         final Evidence e = (Evidence) that;
 
+        //TODO the call to ObjectUtils.equals needs to be replaced when we
+        //stop supporting Jenkins 1.6 requirement.
         return StringUtils.equalsIgnoreCase(name, e.name)
                 && StringUtils.equalsIgnoreCase(source, e.source)
                 && StringUtils.equalsIgnoreCase(value, e.value)
@@ -235,6 +240,7 @@ public class Evidence implements Serializable, Comparable<Evidence> {
      * @param o the evidence being compared
      * @return an integer indicating the ordering of the two objects
      */
+    @SuppressWarnings("deprecation")
     @Override
     public int compareTo(Evidence o) {
         if (o == null) {
@@ -243,6 +249,8 @@ public class Evidence implements Serializable, Comparable<Evidence> {
         if (StringUtils.equalsIgnoreCase(source, o.source)) {
             if (StringUtils.equalsIgnoreCase(name, o.name)) {
                 if (StringUtils.equalsIgnoreCase(value, o.value)) {
+                    //TODO the call to ObjectUtils.equals needs to be replaced when we
+                    //stop supporting Jenkins 1.6 requirement.
                     if (ObjectUtils.equals(confidence, o.confidence)) {
                         return 0; //they are equal
                     } else {
@@ -260,8 +268,9 @@ public class Evidence implements Serializable, Comparable<Evidence> {
     }
 
     /**
-     * Wrapper around {@link java.lang.String#compareToIgnoreCase(java.lang.String) String.compareToIgnoreCase} with an
-     * exhaustive, possibly duplicative, check against nulls.
+     * Wrapper around
+     * {@link java.lang.String#compareToIgnoreCase(java.lang.String) String.compareToIgnoreCase}
+     * with an exhaustive, possibly duplicative, check against nulls.
      *
      * @param me the value to be compared
      * @param other the other value to be compared
@@ -271,9 +280,9 @@ public class Evidence implements Serializable, Comparable<Evidence> {
         if (me == null && other == null) {
             return 0;
         } else if (me == null) {
-            return -1; //the other string is greater then me
+            return -1; //the other string is greater than me
         } else if (other == null) {
-            return 1; //me is greater then the other string
+            return 1; //me is greater than the other string
         }
         return me.compareToIgnoreCase(other);
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java

@@ -48,7 +48,17 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(EvidenceCollection.class);
     /**
-     * Used to iterate over highest confidence evidence contained in the collection.
+     * A collection of evidence.
+     */
+    private final Set<Evidence> list;
+    /**
+     * A collection of strings used to adjust Lucene's term weighting.
+     */
+    private final Set<String> weightedStrings;
+
+    /**
+     * Used to iterate over highest confidence evidence contained in the
+     * collection.
      */
     private static final Filter<Evidence> HIGHEST_CONFIDENCE = new Filter<Evidence>() {
         @Override
@@ -57,7 +67,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
         }
     };
     /**
-     * Used to iterate over high confidence evidence contained in the collection.
+     * Used to iterate over high confidence evidence contained in the
+     * collection.
      */
     private static final Filter<Evidence> HIGH_CONFIDENCE = new Filter<Evidence>() {
         @Override
@@ -66,7 +77,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
         }
     };
     /**
-     * Used to iterate over medium confidence evidence contained in the collection.
+     * Used to iterate over medium confidence evidence contained in the
+     * collection.
      */
     private static final Filter<Evidence> MEDIUM_CONFIDENCE = new Filter<Evidence>() {
         @Override
@@ -84,7 +96,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
         }
     };
     /**
-     * Used to iterate over evidence that has was used (aka read) from the collection.
+     * Used to iterate over evidence that has was used (aka read) from the
+     * collection.
      */
     private static final Filter<Evidence> EVIDENCE_USED = new Filter<Evidence>() {
         @Override
@@ -96,35 +109,32 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     /**
      * Used to iterate over evidence of the specified confidence.
      *
-     * @param confidence the confidence level for the evidence to be iterated over.
+     * @param confidence the confidence level for the evidence to be iterated
+     * over.
      * @return Iterable&lt;Evidence&gt; an iterable collection of evidence
      */
     public final Iterable<Evidence> iterator(Confidence confidence) {
-        if (confidence == Confidence.HIGHEST) {
+        if (null != confidence) {
+            switch (confidence) {
+                case HIGHEST:
                     return EvidenceCollection.HIGHEST_CONFIDENCE.filter(this.list);
-        } else if (confidence == Confidence.HIGH) {
+                case HIGH:
                     return EvidenceCollection.HIGH_CONFIDENCE.filter(this.list);
-        } else if (confidence == Confidence.MEDIUM) {
+                case MEDIUM:
                     return EvidenceCollection.MEDIUM_CONFIDENCE.filter(this.list);
-        } else {
+                default:
                     return EvidenceCollection.LOW_CONFIDENCE.filter(this.list);
             }
         }
-    /**
-     * A collection of evidence.
-     */
-    private final Set<Evidence> list;
-    /**
-     * A collection of strings used to adjust Lucene's term weighting.
-     */
-    private final Set<String> weightedStrings;
+        return null;
+    }
 
     /**
      * Creates a new EvidenceCollection.
      */
     public EvidenceCollection() {
-        list = new TreeSet<Evidence>();
-        weightedStrings = new HashSet<String>();
+        list = new TreeSet<>();
+        weightedStrings = new HashSet<>();
     }
 
     /**
@@ -137,7 +147,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Creates an Evidence object from the parameters and adds the resulting object to the collection.
+     * Creates an Evidence object from the parameters and adds the resulting
+     * object to the collection.
      *
      * @param source the source of the Evidence.
      * @param name the name of the Evidence.
@@ -150,12 +161,16 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. This is a way
-     * of combining evidence from multiple sources to boost the confidence of the given evidence.
+     * Adds term to the weighting collection. The terms added here are used
+     * later to boost the score of other terms. This is a way of combining
+     * evidence from multiple sources to boost the confidence of the given
+     * evidence.
      *
-     * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package
-     * names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the
-     * Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted
+     * Example: The term 'Apache' is found in the manifest of a JAR and is added
+     * to the Collection. When we parse the package names within the JAR file we
+     * may add these package names to the "weighted" strings collection to boost
+     * the score in the Lucene query. That way when we construct the Lucene
+     * query we find the term Apache in the collection AND in the weighted
      * strings; as such, we will boost the confidence of the term Apache.
      *
      * @param str to add to the weighting collection.
@@ -165,8 +180,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
-     * location.
+     * Returns a set of Weightings - a list of terms that are believed to be of
+     * higher confidence when also found in another location.
      *
      * @return Set&lt;String&gt;
      */
@@ -193,7 +208,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
         if (source == null) {
             return null;
         }
-        final Set<Evidence> ret = new HashSet<Evidence>();
+        final Set<Evidence> ret = new HashSet<>();
         for (Evidence e : list) {
             if (source.equals(e.getSource())) {
                 ret.add(e);
@@ -213,7 +228,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
         if (source == null || name == null) {
             return null;
         }
-        final Set<Evidence> ret = new HashSet<Evidence>();
+        final Set<Evidence> ret = new HashSet<>();
         for (Evidence e : list) {
             if (source.equals(e.getSource()) && name.equals(e.getName())) {
                 ret.add(e);
@@ -255,7 +270,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Used to determine if a given version was used (aka read) from the EvidenceCollection.
+     * Used to determine if a given version was used (aka read) from the
+     * EvidenceCollection.
      *
      * @param version the version to search for within the collected evidence.
      * @return whether or not the string was used.
@@ -275,7 +291,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Returns whether or not the collection contains evidence of a specified Confidence.
+     * Returns whether or not the collection contains evidence of a specified
+     * Confidence.
      *
      * @param confidence A Confidence value.
      * @return boolean.
@@ -290,7 +307,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Merges multiple EvidenceCollections together, only merging evidence that was used, into a new EvidenceCollection.
+     * Merges multiple EvidenceCollections together, only merging evidence that
+     * was used, into a new EvidenceCollection.
      *
      * @param ec One or more EvidenceCollections.
      * @return a new EvidenceCollection containing the used evidence.
@@ -323,13 +341,15 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Merges multiple EvidenceCollections together; flattening all of the evidence items by removing the confidence.
+     * Merges multiple EvidenceCollections together; flattening all of the
+     * evidence items by removing the confidence.
      *
      * @param ec One or more EvidenceCollections
-     * @return new set of evidence resulting from merging the evidence in the collections
+     * @return new set of evidence resulting from merging the evidence in the
+     * collections
      */
     public static Set<Evidence> mergeForDisplay(EvidenceCollection... ec) {
-        final Set<Evidence> ret = new TreeSet<Evidence>();
+        final Set<Evidence> ret = new TreeSet<>();
         for (EvidenceCollection col : ec) {
             for (Evidence e : col) {
                 //if (e.isUsed()) {
@@ -367,18 +387,20 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
 
     /**
      * <p>
-     * Takes a string that may contain a fully qualified domain and it will return the string having removed the query string, the
-     * protocol, the sub-domain of 'www', and the file extension of the path.</p>
+     * Takes a string that may contain a fully qualified domain and it will
+     * return the string having removed the query string, the protocol, the
+     * sub-domain of 'www', and the file extension of the path.</p>
      * <p>
-     * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file extension, etc.
-     * may produce false positives.
+     * This is useful for checking if the evidence contains a specific string.
+     * The presence of the protocol, file extension, etc. may produce false
+     * positives.
      *
      * <p>
      * Example, given the following input:</p>
-     * <code>'Please visit https://www.somedomain.com/path1/path2/file.php?id=439'</code>
+     * <code>'Please visit https://www.owasp.com/path1/path2/file.php?id=439'</code>
      * <p>
      * The function would return:</p>
-     * <code>'Please visit somedomain path1 path2 file'</code>
+     * <code>'Please visit owasp path1 path2 file'</code>
      *
      * @param value the value that may contain a url
      * @return the modified string

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java

@@ -20,21 +20,161 @@ package org.owasp.dependencycheck.dependency;
 import java.io.Serializable;
 
 /**
+ * In identifier such as a CPE or dependency coordinates (i.e. GAV).
  *
  * @author Jeremy Long
  */
 public class Identifier implements Serializable, Comparable<Identifier> {
 
+    //<editor-fold defaultstate="collapsed" desc="fields">
     /**
      * The serial version UID for serialization.
      */
     private static final long serialVersionUID = 1L;
+    /**
+     * The confidence that this is the correct identifier.
+     */
+    private Confidence confidence;
+    /**
+     * The value of the identifier
+     */
+    private String value;
+    /**
+     * The url for the identifier.
+     */
+    private String url;
+    /**
+     * The type of the identifier.
+     */
+    private String type;
+    /**
+     * A description of the identifier.
+     */
+    private String description;
+    /**
+     * Notes about the vulnerability. Generally used for suppression
+     * information.
+     */
+    private String notes;
+    //</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="getters/setters">
+    /**
+     * Get the value of confidence.
+     *
+     * @return the value of confidence
+     */
+    public Confidence getConfidence() {
+        return confidence;
+    }
 
     /**
-     * Default constructor. Should only be used for automatic class
-     * creation as is the case with many XML parsers (for the parsing
-     * of the Dependency-Check XML report). For all other use-cases,
-     * please use the non-default constructors.
+     * Set the value of confidence.
+     *
+     * @param confidence new value of confidence
+     */
+    public void setConfidence(Confidence confidence) {
+        this.confidence = confidence;
+    }
+
+    /**
+     * Get the value of value.
+     *
+     * @return the value of value
+     */
+    public String getValue() {
+        return value;
+    }
+
+    /**
+     * Set the value of value.
+     *
+     * @param value new value of value
+     */
+    public void setValue(String value) {
+        this.value = value;
+    }
+
+    /**
+     * Get the value of url.
+     *
+     * @return the value of url
+     */
+    public String getUrl() {
+        return url;
+    }
+
+    /**
+     * Set the value of url.
+     *
+     * @param url new value of url
+     */
+    public void setUrl(String url) {
+        this.url = url;
+    }
+
+    /**
+     * Get the value of type.
+     *
+     * @return the value of type
+     */
+    public String getType() {
+        return type;
+    }
+
+    /**
+     * <p>
+     * Set the value of type.</p><p>
+     * Example would be "CPE".</p>
+     *
+     * @param type new value of type
+     */
+    public void setType(String type) {
+        this.type = type;
+    }
+
+    /**
+     * Get the value of description.
+     *
+     * @return the value of description
+     */
+    public String getDescription() {
+        return description;
+    }
+
+    /**
+     * Set the value of description.
+     *
+     * @param description new value of description
+     */
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    /**
+     * Get the value of notes from suppression notes.
+     *
+     * @return the value of notes
+     */
+    public String getNotes() {
+        return notes;
+    }
+
+    /**
+     * Set the value of notes.
+     *
+     * @param notes new value of notes
+     */
+    public void setNotes(String notes) {
+        this.notes = notes;
+    }
+    //</editor-fold>
+
+    /**
+     * Default constructor. Should only be used for automatic class creation as
+     * is the case with many XML parsers (for the parsing of the
+     * Dependency-Check XML report). For all other use-cases, please use the
+     * non-default constructors.
      */
     public Identifier() {
     }
@@ -65,120 +205,6 @@ public class Identifier implements Serializable, Comparable<Identifier> {
         this.description = description;
     }
 
-    /**
-     * The confidence that this is the correct identifier.
-     */
-    private Confidence confidence;
-
-    /**
-     * Get the value of confidence.
-     *
-     * @return the value of confidence
-     */
-    public Confidence getConfidence() {
-        return confidence;
-    }
-
-    /**
-     * Set the value of confidence.
-     *
-     * @param confidence new value of confidence
-     */
-    public void setConfidence(Confidence confidence) {
-        this.confidence = confidence;
-    }
-
-    /**
-     * The value of the identifier
-     */
-    private String value;
-
-    /**
-     * Get the value of value.
-     *
-     * @return the value of value
-     */
-    public String getValue() {
-        return value;
-    }
-
-    /**
-     * Set the value of value.
-     *
-     * @param value new value of value
-     */
-    public void setValue(String value) {
-        this.value = value;
-    }
-    /**
-     * The url for the identifier.
-     */
-    private String url;
-
-    /**
-     * Get the value of url.
-     *
-     * @return the value of url
-     */
-    public String getUrl() {
-        return url;
-    }
-
-    /**
-     * Set the value of url.
-     *
-     * @param url new value of url
-     */
-    public void setUrl(String url) {
-        this.url = url;
-    }
-    /**
-     * The type of the identifier.
-     */
-    private String type;
-
-    /**
-     * Get the value of type.
-     *
-     * @return the value of type
-     */
-    public String getType() {
-        return type;
-    }
-
-    /**
-     * <p>
-     * Set the value of type.</p><p>
-     * Example would be "CPE".</p>
-     *
-     * @param type new value of type
-     */
-    public void setType(String type) {
-        this.type = type;
-    }
-    /**
-     * A description of the identifier.
-     */
-    private String description;
-
-    /**
-     * Get the value of description.
-     *
-     * @return the value of description
-     */
-    public String getDescription() {
-        return description;
-    }
-
-    /**
-     * Set the value of description.
-     *
-     * @param description new value of description
-     */
-    public void setDescription(String description) {
-        this.description = description;
-    }
-
     @Override
     public boolean equals(Object obj) {
         if (obj == null) {
@@ -191,10 +217,7 @@ public class Identifier implements Serializable, Comparable<Identifier> {
         if ((this.value == null) ? (other.value != null) : !this.value.equals(other.value)) {
             return false;
         }
-        if ((this.type == null) ? (other.type != null) : !this.type.equals(other.type)) {
-            return false;
-        }
-        return true;
+        return !((this.type == null) ? (other.type != null) : !this.type.equals(other.type));
     }
 
     @Override
@@ -216,7 +239,8 @@ public class Identifier implements Serializable, Comparable<Identifier> {
     }
 
     /**
-     * Implementation of the comparator interface. This compares the value of the identifier only.
+     * Implementation of the comparator interface. This compares the value of
+     * the identifier only.
      *
      * @param o the object being compared
      * @return an integer indicating the ordering