https://github.com/afrouper/mavendependencycve-scanner
A simple and fast Maven dependency vulnerability scanner. Check existence of vuln JARs (transitive)
- Host: GitHub
- URL: https://github.com/afrouper/mavendependencycve-scanner
- Owner: Afrouper
- License: apache-2.0
- Created: 2021-12-23T13:17:04.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-02-24T06:51:45.000Z (3 months ago)
- Last Synced: 2025-02-24T07:37:34.088Z (3 months ago)
- Topics: binaries, commons-text, cve-2021-44228, cve-2021-45046, cve-2021-45105, cve-2022-42889, java, log4j2, native-image
- Language: Java
- Homepage:
- Size: 561 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.MD
- License: LICENSE
- Security: SECURITY.md
README
# Simple Maven Dependency vulnerability scanner
- [Latest release](https://github.com/Afrouper/MavenDependencyCVE-Scanner/releases/latest)
- [Maven build workflow](https://github.com/Afrouper/MavenDependencyCVE-Scanner/actions/workflows/maven.yml)
- [Build and release workflow](https://github.com/Afrouper/MavenDependencyCVE-Scanner/actions/workflows/buildAndRelease.yml)
- [Releases](https://github.com/Afrouper/MavenDependencyCVE-Scanner/releases)
- [CodeQL analysis workflow](https://github.com/Afrouper/MavenDependencyCVE-Scanner/actions/workflows/codeql-analysis.yml)
Inspired by [logpresso Scanner](https://github.com/logpresso/CVE-2021-44228-Scanner), where I was able to contribute some parts :-) And I have to do some automatic builds and releases with GitHub Actions...
## Build
Simply check out and build via `mvn package`. GraalVM native images can be created with `mvn package -Pnative`; this requires an installed [GraalVM](https://www.graalvm.org) with the native-image component.

### Autoversioning
This project uses the [Maven Git Versioning Extension](https://github.com/qoomon/maven-git-versioning-extension) to set the version numbers automatically. For a flawless experience you need to disable this extension during project import in IntelliJ: add `-Dversioning.disable=true` to the Maven Importer VM options.

## Execute
In the release section you can find the JAR for all JRE 8+ environments. You can also download a native binary for Linux, macOS or Windows.

To execute the scanner, simply call `java -jar CVE_MavenScanner-.jar -cve scanPath`, where 'scanPath' is the directory you want to scan. All ZIPs, JARs, WARs and EARs in the directory are scanned (fat JARs are supported as well), and all subdirectories are scanned recursively. Native binaries can be executed without an installed Java; please pick the correct one for your system.

All available CVEs are listed when the scanner is called without parameters.

**Attention:** After downloading the macOS binary you may need to remove the quarantine attribute. Do this via `xattr -d com.apple.quarantine CVE_MavenScanner-mac-amd64`.

You get a return code `0` when everything is fine and `> 1` if there are findings.
### Sample Output
```
Scan for CVE-2022-42889
Findings: 4
[-] ✅ org.apache.commons:commons-text:1.10.0 in Log4j-Scanner/src/test/resources/commons-text/commons-text-1.10.0.jar
[*] 🔥 org.apache.commons:commons-text:1.9 in Log4j-Scanner/src/test/resources/commons-text/commons-text-1.9.jar
[*] 🔥 org.apache.commons:commons-text:1.8 in Log4j-Scanner/src/test/resources/commons-text/commons-text-1.8.jar
[?] ❓ null in Log4j-Scanner/src/test/resources/commons-text/commons-text_potentially.jar
Process finished with exit code 3
```
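To make the scanning behaviour described in the Execute section and the layout of the sample output concrete, here is an added example; it is not the project's code and does not claim to show how the scanner is implemented internally. It is a toy Python scanner that walks a directory, opens every ZIP/JAR/WAR/EAR, recurses into JARs nested inside fat JARs and WARs, reads the Maven coordinates from `META-INF/maven/<groupId>/<artifactId>/pom.properties`, and compares the version against a vulnerable-version table. The table (only CVE-2022-42889, fixed in commons-text 1.10.0, as in the sample output), the constructed fixture names, the `!/` notation for nested entries and the exit-code mapping (0 when clean, 2 when something vulnerable is found, chosen to satisfy the README's "`> 1`" contract) are all assumptions made for this example.

```python
"""Toy Maven-CVE scanner in the spirit of the README above (added example, not the project's code)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".zip", ".jar", ".war", ".ear")
# Constructed table "group:artifact" -> (CVE, first fixed version); only the commons-text entry is modelled.
FIXED_IN = {"org.apache.commons:commons-text": ("CVE-2022-42889", "1.10.0")}
MARKS = {"safe": "[-] ✅", "vulnerable": "[*] 🔥", "unknown": "[?] ❓"}

def version_key(version):
    """'1.9' -> (1, 9, 0); non-numeric suffixes such as '-rc1' are ignored."""
    nums = [int(re.match(r"\d*", part).group() or 0) for part in version.split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def read_coordinates(zf):
    """Return 'group:artifact:version' from META-INF/maven/**/pom.properties, else None."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props = dict(re.findall(r"^\s*(\w+)\s*=\s*(.*?)\s*$", zf.read(name).decode("utf-8", "replace"), re.M))
            if {"groupId", "artifactId", "version"} <= set(props):
                return f"{props['groupId']}:{props['artifactId']}:{props['version']}"
    return None

def scan_archive(zf, display_path, findings):
    """Classify one open archive, then recurse into archives nested inside it."""
    coords = read_coordinates(zf)
    if coords is not None:
        group_artifact, _, version = coords.rpartition(":")
        if group_artifact in FIXED_IN:  # only artifacts we have a CVE entry for
            fixed = FIXED_IN[group_artifact][1]
            status = "vulnerable" if version_key(version) < version_key(fixed) else "safe"
            findings.append((status, coords, display_path))
    elif any(ga.split(":")[1] in Path(display_path).name for ga in FIXED_IN):
        findings.append(("unknown", None, display_path))  # name hints, no coordinates: '[?]'
    for name in zf.namelist():  # nested archives: fat JARs, WEB-INF/lib, EAR modules
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                scan_archive(inner, f"{display_path}!/{name}", findings)

def scan_directory(root):
    """Recursively scan a directory; returns [(status, coords, path), ...]."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, str(path), findings)
            except zipfile.BadZipFile:
                pass  # mis-named non-archive: skip it
    return findings

def exit_code(findings):
    """Assumed mapping for the README's contract: 0 when clean, 2 with vulnerable findings."""
    return 2 if any(status == "vulnerable" for status, _, _ in findings) else 0

def render(findings):
    """Report in the layout of the README's sample output."""
    lines = [f"Findings: {len(findings)}"]
    lines += [f"{MARKS[s]} {coords or 'null'} in {path}" for s, coords, path in findings]
    return "\n".join(lines)

def jar_bytes(coords=None, nested=None):
    """Constructed JAR in memory: coords -> pom.properties, nested -> {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if coords:
            g, a, v = coords.split(":")
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties", f"#constructed\ngroupId={g}\nartifactId={a}\nversion={v}\n")
        for entry, data in (nested or {}).items():
            zf.writestr(entry, data)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed fixtures (names made up) mirroring the README's sample output."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    for name, coords in [("commons-text-1.10.0.jar", "org.apache.commons:commons-text:1.10.0"),
                         ("commons-text-1.9.jar", "org.apache.commons:commons-text:1.9"),
                         ("commons-text_potentially.jar", None),  # no pom.properties at all
                         ("unrelated-2.0.jar", "com.example:unrelated:2.0")]:  # not in the table
        (lib / name).write_bytes(jar_bytes(coords))
    (Path(root) / "app.jar").write_bytes(jar_bytes("com.example:app:1.0", {  # fat JAR
        "BOOT-INF/lib/commons-text-1.8.jar": jar_bytes("org.apache.commons:commons-text:1.8")}))

def demo():
    """Build the fixtures in a temp dir, scan them, return (findings, exit code)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_directory(tmp)
    return findings, exit_code(findings)

if __name__ == "__main__":
    found, rc = demo()
    print(render(found))
    raise SystemExit(rc)
```

Running the file prints a report in the sample-output layout: two `🔥` lines (the 1.9 copy in `lib/` and the 1.8 copy found one level down inside `app.jar`), one `✅` line for 1.10.0, and a `[?] ❓ null` line for the archive that carries no `pom.properties`. That last category is the one worth treating as a finding rather than as clean: an archive whose contents cannot be attributed to Maven coordinates needs a manual look (or a content-based fingerprint) before it is signed off.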