Source record: ecosyste.ms entry for https://github.com/fathzer/cve-reporter-core (GitHub repository fathzer/cve-reporter-core, owner fathzer, language Java, license apache-2.0, default branch main, created 2021-12-18, last pushed 2022-03-03, 3 tags, purl pkg:github/fathzer/cve-reporter-core; README file README.md and LICENSE present, no SECURITY, CONTRIBUTING, CHANGELOG or threat-model file; record last synced 2026-01-12). The README follows.

![Maven Central](https://img.shields.io/maven-central/v/com.fathzer/cve-reporter-core)
![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=fathzer_cve-reporter-core&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=fathzer_cve-reporter-core)

# cve-reporter-core
Building blocks to report vulnerabilities found in the projects contained in a repository.

It currently supports only GitLab and local repositories, Maven projects and the [GitLab advisories database](https://gitlab.com/gitlab-org/advisories-community).  
The architecture of the project allows adding more repository kinds (GitHub, SVN, etc.), build engines (Gradle) and vulnerability databases.

## Why this project?
When the Log4Shell vulnerability was discovered, I was responsible for more than a hundred projects in a company that uses a private GitLab instance.  
I wondered how to list all my impacted projects.  
Of course, if I had followed best practices, I would have had a pipeline on all my projects running Dependabot. But nobody's perfect ;-)

So, I could have created a GitLab CI script in all of my projects to run Dependabot. And maybe missed some projects ... and for sure left the vulnerability exposed for a while (until I had created all my scripts).  
I also wondered how I could help my colleagues ... without touching their projects?

Finally, I found that the fastest way was to have an application that lists all the vulnerability occurrences found in one's projects. Everyone is then free to fix them ... or not.  
As I did not find such an application, I decided to create one in my free time.


## How to use it

**Prerequisites:**

- This library requires Java 8+.
- For Maven support: Maven has to be installed on the machine that runs this library. The user's settings.xml should be configured to access the artifact repository (Maven Central or your company's private repository). You can check that Maven is installed with the *mvn -version* command.
- Note that resolving a project's dependencies runs Maven on that project's pom, which loads the plugins, build extensions and remote repositories that pom declares: only scan repositories whose projects you trust, or run the scan in an isolated environment.

Create and run a Java program using this library.

If you use Maven as build engine, add this dependency to your pom:
```xml
<dependency>
	<groupId>com.fathzer</groupId>
	<artifactId>cve-reporter-core</artifactId>
	<version>2.0.2</version>
</dependency>
```

Here is an example that lists all Maven projects of your GitLab repository that are affected by a vulnerability referenced in the [GitLab advisories database](https://gitlab.com/gitlab-org/advisories-community).

```java
import java.io.IOException;
import java.net.Proxy;
import java.util.List;

import com.fathzer.cvereporter.CVEReporter;
import com.fathzer.cvereporter.builder.MavenEngine;
import com.fathzer.cvereporter.cve.DataBase;
import com.fathzer.cvereporter.cve.GitLabAdvisoryDatabase;
import com.fathzer.cvereporter.repository.GitLabRepository;
import com.fathzer.cvereporter.ProjectCVEReport;

public class Reporter {
	public static void main(String[] args) throws IOException {
		// Obtain the GitLab instance's URI and the user's token the way you want (environment variable, argument ...).
		// The token gives read access to every project it can see: keep it out of source control and logs.
		final String gitlabUri = ""; //TODO
		final String token = ""; //TODO
		final GitLabRepository codeRepo = new GitLabRepository(gitlabUri, token);
		// The advisory database is downloaded from GitLabAdvisoryDatabase.SOURCE; pass a Proxy if your network requires one.
		try (DataBase db = GitLabAdvisoryDatabase.fromURI(Proxy.NO_PROXY, GitLabAdvisoryDatabase.SOURCE)) {
			final List<ProjectCVEReport> reports = new CVEReporter(codeRepo, new MavenEngine(codeRepo), db).getReports();
			// Do what you want with the reports (example: list the projects affected by vulnerabilities)
			reports.stream().filter(r -> r.getAlerts()!=null && !r.getAlerts().isEmpty()).forEach(r -> System.out.println(r.getProject().getPath()));
		}
	}
}
```

But you may also want to test your local projects against a small set of CVEs.  
Here is an example that lists all Maven projects of your local repository that are affected by the Log4Shell vulnerability, excluding test-scoped dependencies.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

import com.fathzer.cvereporter.CVEReporter;
import com.fathzer.cvereporter.builder.MavenEngine;
import com.fathzer.cvereporter.common.Artifact;
import com.fathzer.cvereporter.common.VersionRange;
import com.fathzer.cvereporter.cve.CVE;
import com.fathzer.cvereporter.cve.DataBase;
import com.fathzer.cvereporter.repository.CodeRepository;
import com.fathzer.cvereporter.repository.LocalRepository;
import com.fathzer.cvereporter.ProjectCVEReport;

public class Log4JShellReporter {
	// CVE id, affected artifact, affected version ranges (Maven range syntax) and a label
	private static final CVE LOG4J_SHELL = new CVE("CVE-2021-44228", new Artifact("org.apache.logging.log4j", "log4j-core"), new VersionRange("[2.0,2.12.2),[2.13.0,2.16.0)"), "Log4JShell");

	public static void main(String[] args) throws IOException {
		// Obtain the local repository root path the way you want (environment variable, argument ...)
		final Path root = Paths.get("..."); //TODO
		final CodeRepository codeRepo = new LocalRepository(root);
		try (DataBase db = new DataBase()) {
			db.add(LOG4J_SHELL);
			final CVEReporter reporter = new CVEReporter(codeRepo, new MavenEngine(codeRepo), db);
			reporter.setIgnoreTestDependencies(true);
			final List<ProjectCVEReport> reports = reporter.getReports();
			// Do what you want with the reports
			// For instance, you can serialize the reports as JSON using jackson-databind.
		}
	}
}
```

There's also a SingleProjectRepository if you want to test only a single project, for instance in a JUnit test.

## TODO
- Switch to a more modern HTTP client in order to manage proxy authentication safely?
- Add Gradle support ... pull requests are welcome
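The `VersionRange` in the local-repository example above uses Maven's range syntax (`[` and `]` inclusive, `(` and `)` exclusive, several ranges separated by commas), and the result of a scan depends entirely on how a dependency's version is compared against those bounds. The following Python script is an added example, not code from cve-reporter-core: it reimplements the subset of Maven range parsing and version ordering needed to evaluate a spec such as `[2.0,2.12.2),[2.13.0,2.16.0)` against the dependencies of a set of projects, and mirrors `setIgnoreTestDependencies(true)` by skipping test-scoped dependencies. The project list, coordinates and scopes are constructed sample data, and the version ordering is a stated simplification (dotted numerics plus an optional qualifier, a qualified version sorting before its unqualified form), not Maven's full `ComparableVersion`.

```python
"""Maven version-range matching for hand-written CVE definitions (added example, not
cve-reporter-core code). Supports bracketed ranges separated by commas, "[1.0]" for an
exact version and empty bounds for "unbounded". Version ordering is simplified
(assumption): dotted numerics plus optional "-qualifier", trailing ".0" ignored,
a qualified version (2.0-beta9) sorting before its unqualified form (2.0)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOG4J_SHELL_RANGE = "[2.0,2.12.2),[2.13.0,2.16.0)"  # copied from the README example
LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(.+))?")
_RANGE_RE = re.compile(r"([\[(])([^\[\]()\s,]*)(?:,([^\[\]()\s,]*))?([\])])")

def parse_version(v: str):
    """'2.12.2' / '2.0-beta9' -> a sortable key (numeric tuple, qualifier key)."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unsupported version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    while len(nums) > 1 and nums[-1] == 0:  # 2.13.0 == 2.13
        nums = nums[:-1]
    qual = m.group(2)
    return nums, ((0, qual.lower()) if qual else (1, ""))  # beta9 < release < next patch

@dataclass(frozen=True)
class Bound:
    version: Optional[str]  # None means unbounded
    inclusive: bool

@dataclass(frozen=True)
class Range:
    low: Bound
    high: Bound

    def contains(self, version: str) -> bool:
        key = parse_version(version)
        if self.low.version is not None:
            lo = parse_version(self.low.version)
            if key < lo or (key == lo and not self.low.inclusive):
                return False
        if self.high.version is not None:
            hi = parse_version(self.high.version)
            if key > hi or (key == hi and not self.high.inclusive):
                return False
        return True

def parse_range_spec(spec: str) -> List[Range]:
    """Parse 'range,range,...'; anything not understood (e.g. a bare '1.0') is rejected."""
    compact = spec.replace(" ", "")
    matches = list(_RANGE_RE.finditer(compact))
    if not matches or ",".join(m.group(0) for m in matches) != compact:
        raise ValueError(f"unsupported range spec: {spec!r}")
    ranges = []
    for m in matches:
        lo_br, lo_v, hi_v, hi_br = m.groups()
        if hi_v is None:  # "[1.0]" means exactly 1.0
            if lo_br != "[" or hi_br != "]" or not lo_v:
                raise ValueError(f"malformed exact range: {m.group(0)!r}")
            hi_v = lo_v
        ranges.append(Range(Bound(lo_v or None, lo_br == "["), Bound(hi_v or None, hi_br == "]")))
    return ranges

def is_affected(version: str, spec: str) -> bool:
    return any(r.contains(version) for r in parse_range_spec(spec))

# Constructed sample data: project path -> [(groupId, artifactId, version, scope)].
SAMPLE_PROJECTS: Dict[str, List[Tuple[str, str, str, str]]] = {
    "team-a/billing": [("org.apache.logging.log4j", "log4j-core", "2.14.1", "compile")],
    "team-a/reports": [("org.apache.logging.log4j", "log4j-core", "2.16.0", "compile")],
    "team-b/legacy": [("org.apache.logging.log4j", "log4j-core", "2.12.2", "compile")],
    "team-b/tools": [("org.apache.logging.log4j", "log4j-core", "2.0-beta9", "compile")],
    "team-c/tests": [("org.apache.logging.log4j", "log4j-core", "2.13.3", "test")],
    "team-c/clean": [("org.apache.logging.log4j", "log4j-api", "2.14.1", "compile")],
}

def scan(projects, spec: str, artifact: Tuple[str, str], ignore_test: bool = True) -> List[str]:
    """Sorted paths of projects with an affected dependency on artifact.
    ignore_test=True mirrors CVEReporter.setIgnoreTestDependencies(true)."""
    ranges = parse_range_spec(spec)
    hits = []
    for path, deps in projects.items():
        for group, name, version, scope in deps:
            if (group, name) != artifact or (ignore_test and scope == "test"):
                continue
            if any(r.contains(version) for r in ranges):
                hits.append(path)
                break
    return sorted(hits)

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_PROJECTS, LOG4J_SHELL_RANGE, LOG4J_CORE)))
```

Two things the sample makes visible. The exclusive upper bounds mean 2.12.2 and 2.16.0 are reported as clean while 2.14.1 is reported, which is what the README's range intends. The lower bound `[2.0` is inclusive of 2.0 but not of pre-releases, so a project still on `2.0-beta9` is not reported, although the Apache advisory for CVE-2021-44228 lists 2.0-beta9 as the first affected release; when you hand-write a CVE for a local scan, copy the bounds from the advisory rather than from memory, and remember that ignoring test-scoped dependencies also hides the `team-c/tests` hit.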