Retired: This application is now retired.

Embedded Vulnerability Detector


About

Java build systems such as Maven let developers easily incorporate a complex tree of third-party components into their applications, which risks pulling in components with known vulnerabilities. To address this, the Java Embedded Vulnerability Detector, based on the victims project maintained by the Red Hat Security Team, provides a canonical database of known-vulnerable JAR files, along with tools to compare this database against Java applications in development, release and production environments.

The source code for this application, like the victims project code it is built upon, is distributed under the AGPL and can be found on GitHub.

Usage

On the presented form, select one or more files to be analyzed for vulnerabilities. Currently, JAR and Class files are supported. Any detected vulnerabilities are displayed in the Vulnerability Information panel, with links to the relevant CVE information.

Alternatively, there is a downloadable standalone, executable Java JAR version of this application that can be run on your own machine at the command line. The downloadable JAR and instructions for its use are on the same page as the app.
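The comparison described under About can be sketched as fingerprint matching at both the JAR and the class level, which is what lets a vulnerable component be found when it is embedded in another archive. This is an added example, not code from this application or the victims project; the use of SHA-512, the record layout, the function names and the placeholder advisory id are all assumptions made for illustration.

```python
import hashlib
import io
import zipfile

def sha512(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()

def fingerprint_jar(jar_bytes: bytes) -> dict:
    """Return the whole-archive hash plus one hash per .class entry."""
    classes = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.filename.endswith(".class"):
                classes[info.filename] = sha512(jar.read(info))
    return {"jar": sha512(jar_bytes), "classes": classes}

def scan(jar_bytes: bytes, db: list) -> list:
    """Return sorted advisory ids whose record matches the archive or a class in it."""
    fp = fingerprint_jar(jar_bytes)
    seen = set(fp["classes"].values()) | {fp["jar"]}
    return sorted({rec["advisory"] for rec in db if seen & set(rec["hashes"])})

def build_jar(entries: dict) -> bytes:
    """Build an in-memory JAR (a ZIP archive) from {name: bytes}; sample input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: the class bytes are placeholders, not real bytecode.
VULN_CLASS = b"\xca\xfe\xba\xbe constructed vulnerable class"
SAFE_CLASS = b"\xca\xfe\xba\xbe constructed unrelated class"
original = build_jar({"org/example/Parser.class": VULN_CLASS})
# The same class repackaged inside an application JAR: the archive hash
# changes, but the class-level hash still matches the database record.
shaded = build_jar({"com/app/Main.class": SAFE_CLASS,
                    "org/example/Parser.class": VULN_CLASS})
clean = build_jar({"com/app/Main.class": SAFE_CLASS})
# Hypothetical database record; the advisory id is a placeholder.
DB = [{"advisory": "CVE-PLACEHOLDER-0001",
       "hashes": [sha512(original), sha512(VULN_CLASS)]}]

if __name__ == "__main__":
    for name, jar in [("original", original), ("shaded", shaded), ("clean", clean)]:
        print(name, scan(jar, DB) or "no known-vulnerable components")
```

This sketch only inspects classes stored directly in the archive; archives nested inside other archives would need to be opened recursively.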
