chore: maintenance

core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java

@@ -28,7 +28,6 @@
 import org.owasp.dependencycheck.data.nodeaudit.NodeAuditSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Reference;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.dependency.VulnerableSoftwareBuilder;
@@ -505,13 +504,13 @@ protected void processResults(final List<Advisory> advisories, Engine engine,
      * @param vuln the vulnerability to add
      */
     protected void replaceOrAddVulnerability(Dependency dependency, Vulnerability vuln) {
-        boolean found = vuln.getSource() == Vulnerability.Source.NPM && 
-                dependency.getVulnerabilities().stream().anyMatch(existing -> {
-            return existing.getReferences().stream().anyMatch(ref ->{
-                    return ref.getName() != null
-                            && ref.getName().equals("https://nodesecurity.io/advisories/" + vuln.getName());
-            });
-        });
+        final boolean found = vuln.getSource() == Vulnerability.Source.NPM
+                && dependency.getVulnerabilities().stream().anyMatch(existing -> {
+                    return existing.getReferences().stream().anyMatch(ref -> {
+                        return ref.getName() != null
+                                && ref.getName().equals("https://nodesecurity.io/advisories/" + vuln.getName());
+                    });
+                });
         if (!found) {
             dependency.addVulnerability(vuln);
         }

core/src/main/java/org/owasp/dependencycheck/analyzer/LibmanAnalyzer.java

@@ -148,7 +148,7 @@ protected FileFilter getFileFilter() {
      * Performs the analysis.
      *
      * @param dependency the dependency to analyze
-     * @param engine     the engine
+     * @param engine the engine
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
@@ -209,7 +209,7 @@ public void analyzeDependency(Dependency dependency, Engine engine) throws Analy
                 child.setVersion(version);
 
                 if (vendor != null) {
-                    child.addEvidence(EvidenceType.VENDOR, FILE_NAME, "vendor", vendor, Confidence.HIGHEST);    
+                    child.addEvidence(EvidenceType.VENDOR, FILE_NAME, "vendor", vendor, Confidence.HIGHEST);
                 }
                 child.addEvidence(EvidenceType.VENDOR, FILE_NAME, "name", name, Confidence.HIGH);
                 child.addEvidence(EvidenceType.PRODUCT, FILE_NAME, "name", name, Confidence.HIGHEST);

core/src/main/java/org/owasp/dependencycheck/analyzer/UnusedSuppressionRuleAnalyzer.java

@@ -33,8 +33,12 @@
  * @author Jeremy Long
  */
 public class UnusedSuppressionRuleAnalyzer extends AbstractAnalyzer {
-	protected static final String EXCEPTION_MSG = "There are %d unused suppression rule(s): check logs.";
-
+
+    /**
+     * Exception message.
+     */
+    protected static final String EXCEPTION_MSG = "There are %d unused suppression rule(s): check logs.";
+
     /**
      * The Logger for use throughout the class.
      */
@@ -56,21 +60,21 @@ public class UnusedSuppressionRuleAnalyzer extends AbstractAnalyzer {
     @Override
     public synchronized void initialize(Settings settings) {
         super.initialize(settings);
-		if (settings.getBoolean(Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE, false)) {
-			this.shouldFailForUnusedSuppressionRule = true;
-		}
-	}
+        if (settings.getBoolean(Settings.KEYS.FAIL_ON_UNUSED_SUPPRESSION_RULE, false)) {
+            this.shouldFailForUnusedSuppressionRule = true;
+        }
+    }
 
     @Override
     protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         if (!reported) {
-			checkUnusedRules(engine);
-			reported = true;
-			if(unusedSuppressionRuleCount > 0 && failsForUnusedSuppressionRule()) {
-				final String message = String.format(EXCEPTION_MSG, unusedSuppressionRuleCount);
-				LOGGER.error(message);
-				throw new AnalysisException(message);
-			}
+            checkUnusedRules(engine);
+            reported = true;
+            if (unusedSuppressionRuleCount > 0 && failsForUnusedSuppressionRule()) {
+                final String message = String.format(EXCEPTION_MSG, unusedSuppressionRuleCount);
+                LOGGER.error(message);
+                throw new AnalysisException(message);
+            }
         }
     }
 
@@ -85,13 +89,13 @@ protected void checkUnusedRules(Engine engine) {
             final List<SuppressionRule> rules = (List<SuppressionRule>) engine.getObject(SUPPRESSION_OBJECT_KEY);
             rules.forEach((rule) -> {
                 if (!rule.isMatched() && !rule.isBase()) {
-					final String message = String.format("Suppression Rule had zero matches: %s", rule);
-                    if(failsForUnusedSuppressionRule()) {
-						LOGGER.error(message);
-					} else {
-						LOGGER.info(message);
-					}
-					increaseUnusedSuppressionRuleCount();
+                    final String message = String.format("Suppression Rule had zero matches: %s", rule);
+                    if (failsForUnusedSuppressionRule()) {
+                        LOGGER.error(message);
+                    } else {
+                        LOGGER.info(message);
+                    }
+                    increaseUnusedSuppressionRuleCount();
                 }
             });
         }
@@ -117,25 +121,25 @@ public AnalysisPhase getAnalysisPhase() {
     public boolean supportsParallelProcessing() {
         return false;
     }
-	
-	/**
-	* increases the count of unused suppression rules
-	*/
-	public void increaseUnusedSuppressionRuleCount() {
-		unusedSuppressionRuleCount++;
-	}
-	
-	/**
-	* @return the count of unused suppression rules
-	*/
-	public int getUnusedSuppressionRuleCount() {
-		return unusedSuppressionRuleCount;
-	}
-	
-	/**
-	* @return whether the analyzer will fail for a unused suppression rule
-	*/
-	public boolean failsForUnusedSuppressionRule() {
-		return shouldFailForUnusedSuppressionRule;
-	}
+
+    /**
+     * increases the count of unused suppression rules.
+     */
+    public void increaseUnusedSuppressionRuleCount() {
+        unusedSuppressionRuleCount++;
+    }
+
+    /**
+     * @return the count of unused suppression rules.
+     */
+    public int getUnusedSuppressionRuleCount() {
+        return unusedSuppressionRuleCount;
+    }
+
+    /**
+     * @return whether the analyzer will fail for a unused suppression rule.
+     */
+    public boolean failsForUnusedSuppressionRule() {
+        return shouldFailForUnusedSuppressionRule;
+    }
 }

core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java

@@ -61,6 +61,7 @@ public class ComposerLockParser {
      * Creates a ComposerLockParser from a JsonReader and an InputStream.
      *
      * @param inputStream the InputStream to parse
+     * @param skipDev whether to skip dev dependencies
      */
     public ComposerLockParser(InputStream inputStream, boolean skipDev) {
         LOGGER.debug("Creating a ComposerLockParser");

core/src/main/java/org/owasp/dependencycheck/data/update/KnownExploitedDataSource.java

@@ -80,8 +80,8 @@ public boolean update(Engine engine) throws UpdateException {
                 final URL url = new URL(settings.getString(Settings.KEYS.KEV_URL, DEFAULT_URL));
                 LOGGER.info("Updating CISA Known Exploited Vulnerability list: " + url.toString());
 
-                final HttpClientResponseHandler<KnownExploitedVulnerabilitiesSchema> kevParsingResponseHandler
-                        = new AbstractHttpClientResponseHandler<>() {
+                final HttpClientResponseHandler<KnownExploitedVulnerabilitiesSchema> kevParsingResponseHandler = 
+                        new AbstractHttpClientResponseHandler<>() {
                     @Override
                     public KnownExploitedVulnerabilitiesSchema handleEntity(HttpEntity entity) throws IOException {
                         try (InputStream in = entity.getContent()) {

core/src/main/java/org/owasp/dependencycheck/data/update/nvd/api/CveItemSource.java

@@ -26,7 +26,7 @@ public interface CveItemSource<T extends DefCveItem> extends AutoCloseable {
     /**
      * Returns whether there is another item.
      *
-     * @return <code>true</code if there is another item; otherwise
+     * @return <code>true</code> if there is another item; otherwise
      * <code>false</code>.
      */
     boolean hasNext();

core/src/main/java/org/owasp/dependencycheck/reporting/SarifRule.java

@@ -161,6 +161,7 @@ public class SarifRule {
      * @param source the source
      * @param cvssV2 the CVSS v2 score
      * @param cvssV3 the CVSS v3 score
+     * @param cvssV4 the CVSS v4 score
      */
     public SarifRule(String name, String shortDescription, String fullDescription,
                      String source, CvssV2 cvssV2, CvssV3 cvssV3, CvssV4 cvssV4) {

pom.xml

@@ -142,7 +142,7 @@ Copyright (c) 2012 - Jeremy Long
         <taglist-maven-plugin.version>3.2.1</taglist-maven-plugin.version>
         <versions-maven-plugin.version>2.18.0</versions-maven-plugin.version>
         <jetbrains.annotations.version>26.0.1</jetbrains.annotations.version>
-        <findbugs-jsr305.version>3.0.2</findbugs-jsr305.version>
+        <findbugs.spotbugs.version>4.9.0</findbugs.spotbugs.version>
         <com.h2database.version>2.3.232</com.h2database.version>
         <commons-cli.version>1.9.0</commons-cli.version>
         <commons-io.version>2.18.0</commons-io.version>
@@ -1273,9 +1273,9 @@ Copyright (c) 2012 - Jeremy Long
                 <version>${doxia-base.version}</version>
             </dependency>
             <dependency>
-                <groupId>com.google.code.findbugs</groupId>
-                <artifactId>jsr305</artifactId>
-                <version>${findbugs-jsr305.version}</version>
+                <groupId>com.github.spotbugs</groupId>
+                <artifactId>spotbugs-annotations</artifactId>
+                <version>${findbugs.spotbugs.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.sonatype.ossindex</groupId>
@@ -1348,8 +1348,8 @@ Copyright (c) 2012 - Jeremy Long
             <optional>true</optional>
         </dependency>
         <dependency>
-            <groupId>com.google.code.findbugs</groupId>
-            <artifactId>jsr305</artifactId>
+            <groupId>com.github.spotbugs</groupId>
+            <artifactId>spotbugs-annotations</artifactId>
             <scope>compile</scope>
             <optional>true</optional>
         </dependency>

utils/pom.xml

@@ -33,7 +33,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
         <tag>v6.4.1</tag>
     </scm>
     <properties>
-        <findbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</findbugs.onlyAnalyze>
+        <spotbugs.onlyAnalyze>org.owasp.dependencycheck.utils.*</spotbugs.onlyAnalyze>
     </properties>
     <dependencies>
         <dependency>