Merge branch 'main' into scratch/paths

Author: jeremylong

.github/workflows/false-positive-approvals.yml

@@ -151,7 +151,7 @@ jobs:
             } 
       - name: Publish Updated Suppressions
         if: ${{ steps.fp-ops-commit.outputs.publish == 'true' }}
-        uses: JamesIves/[email protected].2
+        uses: JamesIves/[email protected].3
         with:
           branch: gh-pages
           folder: suppressions

.github/workflows/release.yml

@@ -255,7 +255,7 @@ jobs:
         run: ls -R
         working-directory: target
       - name: Deploy gh-pages
-        uses: JamesIves/[email protected].2
+        uses: JamesIves/[email protected].3
         with:
           branch: gh-pages
           folder: target/staging

core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java

@@ -87,7 +87,7 @@ public Void call() {
             try {
                 analyzer.analyze(dependency, engine);
             } catch (AnalysisException ex) {
-                LOGGER.warn("An error occurred while analyzing '{}' ({}).", dependency.getActualFilePath(), analyzer.getName());
+                LOGGER.warn("An error occurred while analyzing '{}' ({}): {}", dependency.getActualFilePath(), analyzer.getName(), ex.getMessage());
                 LOGGER.debug("", ex);
                 exceptions.add(ex);
             } catch (Throwable ex) {

maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -2703,7 +2703,7 @@ private String[] determineSuppressions() {
     /**
      * Hacky method of muting the noisy logging from JCS
      */
-    private void muteNoisyLoggers() {
+    protected void muteNoisyLoggers() {
         System.setProperty("jcs.logSystem", "slf4j");
         if (!getLog().isDebugEnabled()) {
             Slf4jAdapter.muteLogging(true);

maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java

@@ -67,6 +67,7 @@ public boolean canGenerateReport() {
      */
     @Override
     protected void runCheck() throws MojoExecutionException, MojoFailureException {
+        muteNoisyLoggers();
         try (Engine engine = initializeEngine()) {
             try {
                 if (!engine.getSettings().getBoolean(Settings.KEYS.AUTO_UPDATE)) {

pom.xml

@@ -138,7 +138,7 @@ Copyright (c) 2012 - Jeremy Long
         <maven-surefire-report-plugin.version>3.5.2</maven-surefire-report-plugin.version>
         <jacoco-maven-plugin.version>0.8.12</jacoco-maven-plugin.version>
         <spotbugs.version>4.9.1</spotbugs.version>
-        <spotbugs.maven.plugin.version>4.8.6.6</spotbugs.maven.plugin.version>
+        <spotbugs.maven.plugin.version>4.9.1.0</spotbugs.maven.plugin.version>
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>
         <versions-maven-plugin.version>2.18.0</versions-maven-plugin.version>
         <jetbrains.annotations.version>26.0.2</jetbrains.annotations.version>
@@ -219,12 +219,12 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-clean-plugin</artifactId>
-                    <version>3.4.0</version>
+                    <version>3.4.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-compiler-plugin</artifactId>
-                    <version>3.13.0</version>
+                    <version>3.14.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>

utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -23,6 +23,7 @@
 import org.apache.hc.client5.http.auth.Credentials;
 import org.apache.hc.client5.http.auth.CredentialsStore;
 import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
+import org.apache.hc.client5.http.config.ConnectionConfig;
 import org.apache.hc.client5.http.impl.auth.BasicAuthCache;
 import org.apache.hc.client5.http.impl.auth.BasicScheme;
 import org.apache.hc.client5.http.impl.auth.SystemDefaultCredentialsProvider;
@@ -69,6 +70,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
+import java.util.concurrent.TimeUnit;
 
 import static java.lang.String.format;
 
@@ -88,6 +90,11 @@ public final class Downloader {
      */
     private final HttpClientBuilder httpClientBuilderExplicitNoproxy;
 
+    /**
+     * The connectionmanager for HTTP connection pooling shared by the client builders.
+     */
+    private final PoolingHttpClientConnectionManager connectionManager;
+
     /**
      * The Authentication cache for pre-emptive authentication.
      * This gets filled with credentials from the settings in {@link #configure(Settings)}.
@@ -133,7 +140,7 @@ public final class Downloader {
 
     private Downloader() {
         // Singleton class
-        final PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager();
+        connectionManager = new PoolingHttpClientConnectionManager();
         //TODO: ensure proper closure and eviction policy
         httpClientBuilder = HttpClientBuilder.create()
                 .useSystemProperties()
@@ -175,7 +182,17 @@ public static Downloader getInstance() {
      */
     public void configure(Settings settings) throws InvalidSettingException {
         this.settings = settings;
-
+        final long connectionTimeout = settings.getLong(Settings.KEYS.CONNECTION_TIMEOUT, 10_000);
+        // set a conservatively long default timeout to compensate for MITM-proxies that return the (final) bytes only
+        // after all security checks passed
+        final int readTimeout = settings.getInt(Settings.KEYS.CONNECTION_READ_TIMEOUT, 60_000);
+
+        connectionManager.setDefaultConnectionConfig(
+                ConnectionConfig.custom()
+                        .setConnectTimeout(connectionTimeout, TimeUnit.MILLISECONDS)
+                        .setSocketTimeout(readTimeout, TimeUnit.MILLISECONDS)
+                        .build()
+        );
         if (settings.getString(Settings.KEYS.PROXY_SERVER) != null) {
             // Legacy proxy configuration present
             // So don't rely on the system properties for proxy; use the legacy settings configuration

utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -1454,6 +1454,31 @@ public long getLong(@NotNull final String key) throws InvalidSettingException {
         }
     }
 
+    /**
+     * Returns a long value from the properties file. If the value was specified
+     * as a system property or passed in via the -Dprop=value argument - this
+     * method will return the value from the system properties before the values
+     * in the contained configuration file.
+     *
+     * @param key the key to lookup within the properties file
+     * @param defaultValue the default value to return
+     * @return the property from the properties file or the defaultValue if the
+     * property does not exist or cannot be converted to an integer
+     */
+    public long getLong(@NotNull final String key, long defaultValue) {
+        long value;
+        try {
+            value = Long.parseLong(getString(key));
+        } catch (NumberFormatException ex) {
+            if (!getString(key, "").isEmpty()) {
+                LOGGER.debug("Could not convert property '{}={}' to a long; using {} instead.",
+                        key, getPrintableValue(key, getString(key)), defaultValue);
+            }
+            value = defaultValue;
+        }
+        return value;
+    }
+
     /**
      * Returns a boolean value from the properties file. If the value was
      * specified as a system property or passed in via the