Embedded Vulnerability Detector


About

Java build systems such as Maven make it easy to pull a complex tree of third-party components into an application, which in turn makes it easy to ship components with known vulnerabilities. To address this, the Java Embedded Vulnerability Detector, based on the victims project maintained by the Red Hat Security Team, provides a canonical database of known-vulnerable JAR files, along with tools to compare Java applications in development, release and production environments against that database.

The source code for this application, like the victims project code it is built upon, is distributed under the AGPL and can be found on GitHub.

Usage

On the form presented, select one or more files to be analyzed for vulnerabilities. Currently JAR and class files are supported. Any detected vulnerabilities are displayed in the Vulnerability Information panel with links to the relevant CVE information.

Alternatively, a standalone, executable Java JAR version of this application can be downloaded and run from the command line on your own machine. The downloadable JAR and instructions for its use are on the same page as the app.
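The comparison the About and Usage sections describe is a fingerprint match: hash the artifacts you ship and look the hashes up in a table of known-vulnerable fingerprints. The following is an added illustration written for this page, not the jevd or victims code. It assumes SHA-512 over the whole archive plus SHA-512 over every .class entry, a database that maps a hash to CVE identifiers (the entries and the CVE-EXAMPLE-0001 identifier are constructed placeholders, not real vulnerability data), and the access.redhat.com CVE URL pattern the page links to. It also descends into nested .jar/.war/.ear entries, which goes beyond the plain JAR and class inputs the page lists.

```python
"""Fingerprint-based scan of JAR and class files against a local table of
known-vulnerable hashes.  Added example for this page, not jevd/victims code;
the hash scheme and the sample database below are assumptions."""
import hashlib
import io
import sys
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 of a byte string; the fingerprint used throughout."""
    return hashlib.sha512(data).hexdigest()


def fingerprint_archive(blob: bytes, prefix: str = ""):
    """Yield (entry_name, fingerprint) for the archive itself, for every
    .class entry in it, and recursively for nested archives.  Per-class
    hashes survive a rebuilt or repackaged JAR; the whole-archive hash
    only matches a bit-identical file (timestamps and compression differ)."""
    yield (prefix or "<archive>"), sha512_hex(blob)
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return  # not a zip container: nothing more to fingerprint
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = f"{prefix}!{info.filename}" if prefix else info.filename
            if info.filename.endswith(".class"):
                yield name, sha512_hex(data)
            elif info.filename.endswith(ARCHIVE_SUFFIXES):
                yield from fingerprint_archive(data, name)


def scan(blob: bytes, db: dict) -> list:
    """Return [(entry_name, fingerprint, [cve, ...])] for every hit in db."""
    return [(name, h, db[h]) for name, h in fingerprint_archive(blob) if h in db]


def scan_file(path: str, db: dict) -> list:
    """Scan a single .class file or an archive on disk."""
    with open(path, "rb") as f:
        blob = f.read()
    if path.endswith(".class"):
        h = sha512_hex(blob)
        return [(path, h, db[h])] if h in db else []
    return scan(blob, db)


def cve_url(cve: str) -> str:
    """Link in the form the page uses for CVE information."""
    return f"https://access.redhat.com/security/cve/{cve.lower()}"


def build_sample_jar(entries: dict) -> bytes:
    """Constructed test input: an in-memory zip with the given name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample class bodies (real class files start with 0xCAFEBABE but
# these are not compiled code) and a constructed database keyed by their hash.
VULN_CLASS = b"\xca\xfe\xba\xbe" + b"example-widget-1.0"
SAFE_CLASS = b"\xca\xfe\xba\xbe" + b"example-widget-1.1-patched"
DB = {sha512_hex(VULN_CLASS): ["CVE-EXAMPLE-0001"]}  # placeholder id, not a real CVE


if __name__ == "__main__":
    # Usage: python scan.py app.ear lib.jar Foo.class ...; with no arguments,
    # scan a constructed EAR that nests a vulnerable JAR inside a WAR.
    if len(sys.argv) > 1:
        results = [(p, scan_file(p, DB)) for p in sys.argv[1:]]
    else:
        inner = build_sample_jar({"com/example/Widget.class": VULN_CLASS})
        ear = build_sample_jar({"app.war": build_sample_jar({"WEB-INF/lib/widget.jar": inner})})
        results = [("<constructed sample.ear>", scan(ear, DB))]
    for path, hits in results:
        for name, h, cves in hits:
            print(f"{path}: {name} sha512={h[:16]}... -> {', '.join(cve_url(c) for c in cves)}")
        if not hits:
            print(f"{path}: no known-vulnerable fingerprints")
```

Because the database is a plain hash table, the same code runs against a locally mirrored copy of the database on a machine with no network access; only the table contents need to move. Matching by per-class hash rather than by archive hash is what lets a shaded or rebuilt JAR still be recognised.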

Comments


Can you add support for WAR and EAR files? That would allow scanning entire apps in one go.

Thanks in advance.

Yes, it'll take a bit of hacking but it can be done. Thanks for the suggestion.

Hi,
As it could violate security policies to upload custom Java apps to remote servers, wouldn't it be a good idea to support local scanning of Java code against a remote vulnerability database? We would really appreciate this.

Thanks

Yes, this could be supported, assuming those same security policies don't forbid the downloading and running of code that scans your class/jar files against a remote vulnerability database.

I've updated the webapp to include a link to a downloadable version that can be run on your own machine, from the command line.

Hi,
I have a few wishes regarding the standalone version:
- an option to download the whole database at once via a browser or other HTTP clients, so that one could transfer this to a server that has no internet access or should not have one
- for security reasons: digital signing of updates?

Regards and thanks for your work
Tim

https://victi.ms/ appears to be down :-(

Hi all,

Is the database updated? It seems like both tools (online and jevd-client-0.9.jar) are reporting vulnerability [1] for EAP 5.2. However, this vulnerability should already have been fixed in this EAP version. Is it still being updated?

[1] https://access.redhat.com/security/cve/cve-2011-4605

Thanks in advance!

Is this project still active? The online app doesn't return anything and the downloadable client says the database is not initialized. Trying to determine if this is useful for customers.

Thanks, Glen