dependency-check
diff --git a/‎core/src/main/java/org/owasp/dependencycheck/Engine.java‎
Lines changed: 0 additions & 15 deletions b/‎core/src/main/java/org/owasp/dependencycheck/Engine.java‎
Lines changed: 0 additions & 15 deletions
diff --git a/‎core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java‎
Lines changed: 1 addition & 1 deletion b/‎core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎core/src/main/java/org/owasp/dependencycheck/xml/assembly/GrokParser.java‎
Lines changed: 5 additions & 5 deletions b/‎core/src/main/java/org/owasp/dependencycheck/xml/assembly/GrokParser.java‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java‎
Lines changed: 9 additions & 24 deletions b/‎core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java‎
Lines changed: 9 additions & 24 deletions
diff --git a/‎core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java‎
Lines changed: 2 additions & 4 deletions b/‎core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java‎
Lines changed: 10 additions & 32 deletions b/‎core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java‎
Lines changed: 10 additions & 32 deletions
diff --git a/‎core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java‎
Lines changed: 9 additions & 2 deletions b/‎core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java‎
Lines changed: 10 additions & 10 deletions b/‎core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokHandlerTest.java‎
Lines changed: 17 additions & 17 deletions b/‎core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokHandlerTest.java‎
Lines changed: 17 additions & 17 deletions
@@ -140,14 +140,6 @@ public class Engine implements FileFilter, AutoCloseable {
      * A reference to the database.
      */
     private CveDB database = null;
-    /**
-     * Used to store the value of
-     * System.getProperty("javax.xml.accessExternalSchema") - ODC may change the
-     * value of this system property at runtime. We store the value to reset the
-     * property to its original value.
-     */
-    private final String accessExternalSchema;
-
     /**
      * Creates a new {@link Mode#STANDALONE} Engine.
      *
@@ -188,8 +180,6 @@ public Engine(@NotNull final ClassLoader serviceClassLoader, @NotNull final Mode
         this.settings = settings;
         this.serviceClassLoader = serviceClassLoader;
         this.mode = mode;
-        this.accessExternalSchema = System.getProperty("javax.xml.accessExternalSchema");
-
         initializeEngine();
     }
 
@@ -215,11 +205,6 @@ public void close() {
                 database = null;
             }
         }
-        if (accessExternalSchema != null) {
-            System.setProperty("javax.xml.accessExternalSchema", accessExternalSchema);
-        } else {
-            System.clearProperty("javax.xml.accessExternalSchema");
-        }
         JCS.shutdown();
     }
 
 
@@ -264,7 +264,7 @@ private void loadHostedSuppressionBaseData(final SuppressionParser parser, final
             final URL url = new URL(configuredUrl);
             final String fileName = new File(url.getPath()).getName();
             if (fileName.isBlank()) {
-                throw new IllegalArgumentException("Hosted Suppression URL must imply a filename");
+                throw new IOException("Hosted Suppression URL must imply a filename");
             }
             final File repoFile = new File(getSettings().getDataDirectory(), fileName);
             boolean repoEmpty = !repoFile.isFile() || repoFile.length() <= 1L;
 
@@ -27,9 +27,8 @@
 import java.nio.charset.StandardCharsets;
 import javax.annotation.concurrent.ThreadSafe;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
 
-import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.AutoCloseableInputSource;
 import org.owasp.dependencycheck.utils.XmlUtils;
 
 import org.slf4j.Logger;
@@ -38,6 +37,8 @@
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
 
+import static org.owasp.dependencycheck.utils.AutoCloseableInputSource.fromResource;
+
 /**
  * A simple validating parser for XML Grok Assembly XML files.
  *
@@ -80,10 +81,9 @@ public AssemblyData parse(File file) throws GrokParseException {
      * @throws GrokParseException thrown if the XML cannot be parsed
      */
     public AssemblyData parse(InputStream inputStream) throws GrokParseException {
-        try (InputStream schema = FileUtils.getResourceAsStream(GROK_SCHEMA)) {
+        try (AutoCloseableInputSource schema = fromResource(GROK_SCHEMA)) {
             final GrokHandler handler = new GrokHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schema);
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureValidatingXmlReader(schema);
             xmlReader.setErrorHandler(new GrokErrorHandler());
             xmlReader.setContentHandler(handler);
             try (Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
 
@@ -28,11 +28,11 @@
 import java.util.List;
 import javax.annotation.concurrent.NotThreadSafe;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
+
 import org.apache.commons.io.ByteOrderMark;
 import org.apache.commons.io.input.BOMInputStream;
 
-import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.AutoCloseableInputSource;
 import org.owasp.dependencycheck.utils.XmlUtils;
 
 import org.slf4j.Logger;
@@ -41,6 +41,8 @@
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
 
+import static org.owasp.dependencycheck.utils.AutoCloseableInputSource.fromResource;
+
 /**
  * A simple validating parser for XML Hint Rules.
  *
@@ -53,21 +55,6 @@ public class HintParser {
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(HintParser.class);
-    /**
-     * JAXP Schema Language. Source:
-     * http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
-     */
-    public static final String JAXP_SCHEMA_LANGUAGE = "http://java.sun.com/xml/jaxp/properties/schemaLanguage";
-    /**
-     * W3C XML Schema. Source:
-     * http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
-     */
-    public static final String W3C_XML_SCHEMA = "http://www.w3.org/2001/XMLSchema";
-    /**
-     * JAXP Schema Source. Source:
-     * http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
-     */
-    public static final String JAXP_SCHEMA_SOURCE = "http://java.sun.com/xml/jaxp/properties/schemaSource";
 
     /**
      * The schema for the hint XML files.
@@ -142,20 +129,18 @@ public void parseHints(File file) throws HintParseException {
      * @throws SAXException thrown if the XML cannot be parsed
      */
     public void parseHints(InputStream inputStream) throws HintParseException, SAXException {
-        try (
-                InputStream schemaStream14 = FileUtils.getResourceAsStream(HINT_SCHEMA_1_4);
-                InputStream schemaStream13 = FileUtils.getResourceAsStream(HINT_SCHEMA_1_3);
-                InputStream schemaStream12 = FileUtils.getResourceAsStream(HINT_SCHEMA_1_2);
-                InputStream schemaStream11 = FileUtils.getResourceAsStream(HINT_SCHEMA_1_1)) {
+        try (AutoCloseableInputSource schemaStream14 = fromResource(HINT_SCHEMA_1_4);
+             AutoCloseableInputSource schemaStream13 = fromResource(HINT_SCHEMA_1_3);
+             AutoCloseableInputSource schemaStream12 = fromResource(HINT_SCHEMA_1_2);
+             AutoCloseableInputSource schemaStream11 = fromResource(HINT_SCHEMA_1_1)) {
 
             final BOMInputStream bomStream = BOMInputStream.builder().setInputStream(inputStream).get();
             final ByteOrderMark bom = bomStream.getBOM();
             final String defaultEncoding = StandardCharsets.UTF_8.name();
             final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
 
             final HintHandler handler = new HintHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream14, schemaStream13, schemaStream12, schemaStream11);
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureValidatingXmlReader(schemaStream14, schemaStream13, schemaStream12, schemaStream11);
             xmlReader.setErrorHandler(new HintErrorHandler());
             xmlReader.setContentHandler(handler);
             try (Reader reader = new InputStreamReader(bomStream, charsetName)) {
 
@@ -107,8 +107,7 @@ public Model parseWithoutDocTypeCleanup(File file) throws PomParseException {
     public Model parse(InputStream inputStream) throws PomParseException {
         try {
             final PomHandler handler = new PomHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureXmlReader();
             xmlReader.setContentHandler(handler);
 
             final BOMInputStream bomStream = BOMInputStream.builder()
@@ -138,8 +137,7 @@ public Model parse(InputStream inputStream) throws PomParseException {
     public Model parseWithoutDocTypeCleanup(InputStream inputStream) throws PomParseException {
         try {
             final PomHandler handler = new PomHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureXmlReader();
             xmlReader.setContentHandler(handler);
 
             final BOMInputStream bomStream = BOMInputStream.builder().setInputStream(new XmlInputStream(inputStream)).get();
 
@@ -28,20 +28,21 @@
 import java.util.List;
 import javax.annotation.concurrent.ThreadSafe;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
+
 import org.apache.commons.io.ByteOrderMark;
 import org.apache.commons.io.input.BOMInputStream;
 
-import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.AutoCloseableInputSource;
 import org.owasp.dependencycheck.utils.XmlUtils;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
 
+import static org.owasp.dependencycheck.utils.AutoCloseableInputSource.fromResource;
+
 /**
  * A simple validating parser for XML Suppression Rules.
  *
@@ -105,24 +106,21 @@ public List<SuppressionRule> parseSuppressionRules(File file) throws Suppression
      */
     public List<SuppressionRule> parseSuppressionRules(InputStream inputStream)
             throws SuppressionParseException, SAXException {
-        try (
-                InputStream schemaStream14 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_4);
-                InputStream schemaStream13 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_3);
-                InputStream schemaStream12 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_2);
-                InputStream schemaStream11 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_1);
-                InputStream schemaStream10 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_0)) {
+        try (AutoCloseableInputSource schemaStream14 = fromResource(SUPPRESSION_SCHEMA_1_4);
+             AutoCloseableInputSource schemaStream13 = fromResource(SUPPRESSION_SCHEMA_1_3);
+             AutoCloseableInputSource schemaStream12 = fromResource(SUPPRESSION_SCHEMA_1_2);
+             AutoCloseableInputSource schemaStream11 = fromResource(SUPPRESSION_SCHEMA_1_1);
+             AutoCloseableInputSource schemaStream10 = fromResource(SUPPRESSION_SCHEMA_1_0)) {
 
             final BOMInputStream bomStream = BOMInputStream.builder().setInputStream(inputStream).get();
             final ByteOrderMark bom = bomStream.getBOM();
             final String defaultEncoding = StandardCharsets.UTF_8.name();
             final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
 
             final SuppressionHandler handler = new SuppressionHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream14, schemaStream13, schemaStream12, schemaStream11, schemaStream10);
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureValidatingXmlReader(schemaStream14, schemaStream13, schemaStream12, schemaStream11, schemaStream10);
             xmlReader.setErrorHandler(new SuppressionErrorHandler());
             xmlReader.setContentHandler(handler);
-            xmlReader.setEntityResolver(new ClassloaderResolver());
             try (Reader reader = new InputStreamReader(bomStream, charsetName)) {
                 final InputSource in = new InputSource(reader);
                 xmlReader.parse(in);
@@ -141,24 +139,4 @@ public List<SuppressionRule> parseSuppressionRules(InputStream inputStream)
         }
     }
 
-    /**
-     * Load HTTPS schema resources locally from the JAR files resources.
-     */
-    private static class ClassloaderResolver implements EntityResolver {
-
-        @Override
-        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
-
-            if (systemId != null && systemId.startsWith("https://jeremylong.github.io/DependencyCheck/")) {
-                final String resource = "schema/" + systemId.substring(45);
-                final InputStream in = SuppressionParser.class.getClassLoader().getResourceAsStream(resource);
-                if (in != null) {
-                    final InputSource source = new InputSource(in);
-                    source.setSystemId(systemId);
-                    return source;
-                }
-            }
-            return null;
-        }
-    }
 }
@@ -858,9 +858,17 @@ public String toString() {
         return sb.toString();
     }
 
+    /**
+     * Suppression rules are considered equal if all properties except the "notes" and mutual "matched"
+     * status are equal.
+     *
+     * @param o   the reference object with which to compare.
+     * @return whether the object is equals to this one
+     */
     @Override
     public boolean equals(Object o) {
         if (o == null || getClass() != o.getClass()) return false;
+        if (this == o) return true;
         SuppressionRule that = (SuppressionRule) o;
         return base == that.base
                 && Objects.equals(filePath, that.filePath)
@@ -875,12 +883,11 @@ public boolean equals(Object o) {
                 && Objects.equals(vulnerabilityNames, that.vulnerabilityNames)
                 && Objects.equals(gav, that.gav)
                 && Objects.equals(packageUrl, that.packageUrl)
-                && Objects.equals(notes, that.notes)
                 && Objects.equals(until, that.until);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(filePath, sha1, cpe, cvssBelow, cvssV2Below, cvssV3Below, cvssV4Below, cwe, cve, vulnerabilityNames, gav, packageUrl, notes, base, until);
+        return Objects.hash(base, filePath, sha1, cpe, cvssBelow, cvssV2Below, cvssV3Below, cvssV4Below, cwe, cve, vulnerabilityNames, gav, packageUrl, until);
     }
 }
@@ -178,6 +178,16 @@ void testLoadCorePackagedSuppressions() throws Exception {
             assertAllHostedSnapshotSuppressionsAreMarkedAsBase(baseRules);
         }
 
+        private @NonNull List<SuppressionRule> assertAllBaseSuppressionRulesAreMarkedCorrectly() throws InvalidSettingException, InitializationException {
+            getSettings().setBoolean(KEYS.HOSTED_SUPPRESSIONS_ENABLED, false);
+            Engine engine = prepareSuppressions();
+
+            @SuppressWarnings("unchecked") List<SuppressionRule> baseRules = (List<SuppressionRule>) engine.getObject(SUPPRESSION_OBJECT_KEY);
+            assertThat(baseRules, not(empty()));
+            assertThat("Expected all suppressions in base file to be marked as base", allRulesNotMarkedAsBase(baseRules), empty());
+            return baseRules;
+        }
+
         private void assertAllHostedSnapshotSuppressionsAreMarkedAsBase(List<SuppressionRule> baseRules) throws InvalidSettingException, InitializationException {
             getSettings().setBoolean(KEYS.HOSTED_SUPPRESSIONS_ENABLED, true);
             getSettings().setString(KEYS.HOSTED_SUPPRESSIONS_URL, "https://intentionally-bad-url/hosted-suppressions.xml");
@@ -190,16 +200,6 @@ private void assertAllHostedSnapshotSuppressionsAreMarkedAsBase(List<Suppression
             assertThat("Expected all suppressions in hosted suppressions snapshot file to be marked as base", allRulesNotMarkedAsBase(hostedSnapshotRules), empty());
         }
 
-        private @NonNull List<SuppressionRule> assertAllBaseSuppressionRulesAreMarkedCorrectly() throws InvalidSettingException, InitializationException {
-            getSettings().setBoolean(KEYS.HOSTED_SUPPRESSIONS_ENABLED, false);
-            Engine engine = prepareSuppressions();
-
-            @SuppressWarnings("unchecked") List<SuppressionRule> baseRules = (List<SuppressionRule>) engine.getObject(SUPPRESSION_OBJECT_KEY);
-            assertThat(baseRules, not(empty()));
-            assertThat("Expected all suppressions in base file to be marked as base", allRulesNotMarkedAsBase(baseRules), empty());
-            return baseRules;
-        }
-
         private @NonNull List<SuppressionRule> allRulesNotMarkedAsBase(List<SuppressionRule> baseRules) {
             return baseRules.stream().filter(r -> !r.isBase()).collect(Collectors.toList());
         }
 
@@ -19,11 +19,11 @@
 
 import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.utils.AutoCloseableInputSource;
 import org.owasp.dependencycheck.utils.XmlUtils;
 import org.xml.sax.InputSource;
 import org.xml.sax.XMLReader;
 
-import javax.xml.parsers.SAXParser;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.InputStream;
@@ -32,6 +32,7 @@
 import java.nio.charset.StandardCharsets;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.owasp.dependencycheck.utils.AutoCloseableInputSource.fromResource;
 
 /**
  *
@@ -47,24 +48,23 @@ class GrokHandlerTest extends BaseTest {
     @Test
     void testHandler() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "assembly/sample-grok.xml");
-        InputStream schemaStream = BaseTest.getResourceAsStream(this, "schema/grok-assembly.1.0.xsd");
 
-        GrokHandler handler = new GrokHandler();
-        SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream);
-        XMLReader xmlReader = saxParser.getXMLReader();
-        xmlReader.setErrorHandler(new GrokErrorHandler());
-        xmlReader.setContentHandler(handler);
+        try (AutoCloseableInputSource schema = fromResource("schema/grok-assembly.1.0.xsd")) {
+            GrokHandler handler = new GrokHandler();
+            XMLReader xmlReader = XmlUtils.buildSecureValidatingXmlReader(schema);
+            xmlReader.setErrorHandler(new GrokErrorHandler());
+            xmlReader.setContentHandler(handler);
 
-        InputStream inputStream = new FileInputStream(file);
-        Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8);
-        InputSource in = new InputSource(reader);
+            try (Reader reader = new InputStreamReader(new FileInputStream(file), StandardCharsets.UTF_8)) {
+                InputSource in = new InputSource(reader);
+                xmlReader.parse(in);
+            }
 
-        xmlReader.parse(in);
-
-        AssemblyData result = handler.getAssemblyData();
-        assertEquals("OWASP Contributors", result.getCompanyName());
-        assertEquals("GrokAssembly", result.getProductName());
-        assertEquals("Inspects a .NET Assembly to determine Company, Product, and Version information", result.getComments());
-        assertEquals(1, result.getNamespaces().size());
+            AssemblyData result = handler.getAssemblyData();
+            assertEquals("OWASP Contributors", result.getCompanyName());
+            assertEquals("GrokAssembly", result.getProductName());
+            assertEquals("Inspects a .NET Assembly to determine Company, Product, and Version information", result.getComments());
+            assertEquals(1, result.getNamespaces().size());
+        }
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -264,7 +264,7 @@ private void loadHostedSuppressionBaseData(final SuppressionParser parser, final`
`264`	`264`	`final URL url = new URL(configuredUrl);`
`265`	`265`	`final String fileName = new File(url.getPath()).getName();`
`266`	`266`	`if (fileName.isBlank()) {`
`267`		`- throw new IllegalArgumentException("Hosted Suppression URL must imply a filename");`
	`267`	`+ throw new IOException("Hosted Suppression URL must imply a filename");`
`268`	`268`	`}`
`269`	`269`	`final File repoFile = new File(getSettings().getDataDirectory(), fileName);`
`270`	`270`	`boolean repoEmpty = !repoFile.isFile() \|\| repoFile.length() <= 1L;`