Vulnerability scanning for Java apps
Published December 08, 2021
Better safe than sorry
“Safety first” is the motto engineers at BellSoft follow in delivering our products to customers. As a leading OpenJDK contributor and a member of the OpenJDK Vulnerability Group, we cooperate with the community in hunting down and fixing security issues, and we make sure that Liberica JDK releases ship the fixes for known vulnerabilities. Our support team is there for you 24x7x365 with response times as fast as one hour.
Your runtime is the environment your product runs in. But regardless of how secure the JDK distribution is, you should ensure the security of your product throughout the whole delivery chain and eliminate risks in a timely manner. This is where vulnerability assessment tools come into play.
In this article, we will find out why vulnerability scanning is an indispensable component of DevOps strategy and compare two popular scanners for Java projects. Finally, we will learn how to scan the application for security issues using a scanner and Liberica JDK as a runtime.
- Vulnerability scanning is a must
- Scanners, your loyal watch dogs
- How to choose a suitable scanner
- Fortify your project with Liberica JDK and a vulnerability scanner
Vulnerability scanning is a must
The beauty of the OpenJDK project is that you get a Java SE implementation together with the open source freedoms of its license (GPLv2 with Classpath Exception). Just remember how many dependencies you integrate into your project during development: dozens or even hundreds! Maven Central holds build artifacts and dependencies for every occasion. Whether you need to parse a file, connect to a database, or conveniently manipulate Java classes by means of additional utility methods, Maven offers it all and more. Importantly, the repository holds multiple versions of each dependency, so you can pick one that is compatible with the rest of your project. All in all, dependencies make development fast and convenient, and they are available for free thanks to their open source nature.
But there is a flip side to the open source coin. With so many dependencies, each of which has to be compatible with your JDK version and with one another, there is always a risk of pulling in an older version with known vulnerabilities, often transitively, through a library you chose for a different purpose. Those vulnerabilities do not cause errors in the operation of your application (the build passes, the tests stay green), so they sneak undetected into the next development stage. As a result, the customer receives a product with security gaps.
So continuous security monitoring must be an integral part of the DevOps processes at your company. The security of product components must be verified at every stage of the CI/CD pipeline. Ideally, developers should:
- Use artifacts only from reliable sources;
- Integrate only the latest dependency versions without known vulnerabilities;
- Watch for new releases that fix known vulnerabilities;
- Update the dependencies as soon as new versions become available.
Luckily, this process can and should be automated with vulnerability scanning. Scanners are automated vulnerability testing tools: they check every component of your project against a database of known issues, leaving no stone unturned.
Besides scanning your dependencies, you should also keep your runtime up to date, as newer versions contain fixes for known bugs and vulnerabilities. BellSoft provides quarterly CPUs (critical patch updates) in addition to feature releases, which come out twice a year. This way, you don’t have to worry about the stability and security of your runtime and can focus on fortifying your own code. Find out how below.
Scanners, your loyal watch dogs
The operational principle of vulnerability scanners is similar to that of signature-based antivirus systems. When a vulnerability is disclosed, it is fixed in newer versions of the component and, at the same time, recorded in a vulnerability database together with the affected version range. A scanner reads the list of components your project uses and their versions, and matches them against that database. At the end of the assessment, it generates a report listing the affected components with assigned severity ratings and possible remediations.
The job of the scanner doesn’t end there, though. Although it is integrated into the project as early as the build stage, it keeps checking components across the CI/CD pipeline, and some scanners also offer continuous monitoring after release, so a vulnerability disclosed tomorrow in a component you shipped today is still reported.
After the issues are identified, there are two possible solutions:
- Update the dependency version. This may require some code rewriting for compatibility’s sake.
- Remove the dependency and replace it with the closest equivalent component. This might require a great deal of code rewriting, depending on how deeply the dependency is integrated. In most cases, though, this extreme measure won’t be necessary, since identified vulnerabilities are usually fixed quickly in a newer package.
You don’t have to keep track of obsolete versions or compare version numbers yourself. The scanner does it for you.
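To make the mechanism described in this section concrete, here is a small Python model of what a dependency scanner does: it parses Maven coordinates (either `groupId:artifactId:version` or the `groupId:artifactId:type:version:scope` lines that `mvn dependency:list` prints), matches each version against an advisory database of affected version ranges, and reports findings ordered by severity together with the remediation choice just described: upgrade when a fixed release exists, replace the component when none does. This is an added illustration, not code from BellSoft, Snyk or JFrog; the advisory identifiers (ADV-000x), package names under `com.example` and version ranges are constructed, and the version ordering is a simplified form of Maven’s (pre-release qualifiers sort before the plain release).

```python
"""Toy model of a dependency vulnerability scanner for Maven coordinates.

Added illustration for this article, not code from BellSoft, Snyk or JFrog.
The advisory IDs (ADV-000x), package names and version ranges are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Simplified Maven ordering: pre-release qualifiers sort before the plain release.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "snapshot": 4, "": 5}


def version_key(version: str) -> tuple:
    """Turn '2.15.0-rc1' into a comparable key: (numeric parts, qualifier rank, qualifier number)."""
    main, _, qualifier = version.lower().partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    nums += (0,) * max(0, 4 - len(nums))  # so that 2.14 == 2.14.0
    match = re.fullmatch(r"([a-z]*)(\d*)", qualifier)
    name, number = match.groups() if match else (qualifier, "")
    return nums, QUALIFIER_RANK.get(name, 5), int(number or 0)


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str           # groupId:artifactId
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix published yet
    severity: str
    title: str


@dataclass(frozen=True)
class Finding:
    dependency: Dependency
    advisory: Advisory

    def remediation(self) -> str:
        # The two options from the article: upgrade if a fix exists, otherwise replace.
        if self.advisory.fixed is None:
            return f"no fixed release yet: replace {self.dependency.artifact} with another component"
        return f"upgrade {self.dependency.artifact} {self.dependency.version} -> {self.advisory.fixed}"


def parse_dependency(line: str) -> Optional[Dependency]:
    """Accept 'g:a:v' or the 'g:a:type[:classifier]:v:scope' lines printed by mvn dependency:list."""
    parts = line.replace("[INFO]", "").strip().split(":")
    if len(parts) == 3:
        return Dependency(parts[0], parts[1], parts[2])
    if len(parts) in (4, 5):
        return Dependency(parts[0], parts[1], parts[3])
    if len(parts) == 6:  # classifier present
        return Dependency(parts[0], parts[1], parts[4])
    return None


def is_affected(version: str, adv: Advisory) -> bool:
    key = version_key(version)
    if key < version_key(adv.introduced):
        return False
    return adv.fixed is None or key < version_key(adv.fixed)


def scan(dep_lines: Iterable[str], advisories: Iterable[Advisory]) -> list:
    """Match every parsed dependency against the advisory database; most severe first."""
    by_package: dict = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    findings = []
    for dep in filter(None, map(parse_dependency, dep_lines)):
        for adv in by_package.get(f"{dep.group}:{dep.artifact}", []):
            if is_affected(dep.version, adv):
                findings.append(Finding(dep, adv))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.advisory.severity], reverse=True)


def gate(findings: list, threshold: str = "high") -> int:
    """CI exit code: 1 (fail the build) if any finding is at or above the threshold."""
    limit = SEVERITY_RANK[threshold]
    return 1 if any(SEVERITY_RANK[f.advisory.severity] >= limit for f in findings) else 0


# Constructed advisory database and dependency list (not real CVEs or artifacts).
ADVISORIES = [
    Advisory("ADV-0001", "com.example:json-parser", "1.0.0", "1.4.2", "critical", "code execution via crafted input"),
    Advisory("ADV-0002", "com.example:legacy-codec", "0.1.0", None, "critical", "buffer over-read, no fix published"),
    Advisory("ADV-0003", "com.example:http-client", "3.0.0", "3.2.0", "medium", "improper certificate validation"),
]
DEPENDENCY_LIST = [
    "[INFO]    com.example:json-parser:jar:1.4.1:compile",
    "[INFO]    com.example:legacy-codec:jar:0.9.3:compile",
    "[INFO]    com.example:http-client:jar:3.1.9:compile",
    "[INFO]    com.example:util-lib:jar:2.0.0-rc1:test",  # no advisory on record
]

if __name__ == "__main__":
    results = scan(DEPENDENCY_LIST, ADVISORIES)
    for f in results:
        print(f"[{f.advisory.severity.upper():8}] {f.advisory.advisory_id} {f.advisory.package} "
              f"{f.dependency.version}: {f.advisory.title}; {f.remediation()}")
    raise SystemExit(gate(results))
```

Run as a script, it prints three findings (two critical, one medium) and exits with code 1, which is what a CI integration does with a real scanner: fail the build when a finding at or above the chosen severity is present. The `legacy-codec` finding shows the awkward case from the list above, a vulnerability with no fixed release, where the only remediation is to replace the component. Real scanners apply exactly this matching at scale, against a curated database that is updated continuously.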
How to choose a suitable scanner
There is a wide range of code security scanning tools available. The engineer responsible for product releases chooses a scanner based on the application type and programming language.
The most popular scanners for Java development are Snyk, JFrog Xray, and Black Duck. If you prefer open source tools, there are SonarQube and Trivy. All scanners differ in terms of functionality and pricing. Let us compare two of them: Snyk and JFrog Xray.
Snyk is a developer security platform that scans the code, dependencies, containers, and infrastructure as code for vulnerabilities. It functions on four levels:
- Finds issues in the code in your IDE, gives remediation advice, and verifies the corrections;
- Integrates with source code repositories to scan for issues and prioritize them automatically. You can generate a detailed report on the vulnerabilities found or fix multiple issues at once;
- Scans your containers for issues and continuously monitors container images throughout their lifecycle;
- Integrates with your CI/CD tool so that you can view the results of scanning and remediations without leaving the build tool.
Snyk maintains its own vulnerability database, combining public sources, proprietary research, community contributions, and machine learning for continuous updates. It offers subscription plans priced by the number of developers on the team, and a free plan for individual developers who want to secure their build processes.
JFrog Xray is a binary analysis platform that protects the app across the CI/CD pipeline, from the IDE to the finished product, and provides continuous monitoring after release.
What distinguishes Xray from similar tools is that it natively integrates with Artifactory and provides detailed information about security and compliance issues. Xray uses deep recursive scanning of binaries, which means it can scan all underlying layers and dependencies, including those packaged in Docker images or zip files. In addition, Xray builds a component graph of the application; based on this graph, the tool can trace which artifacts are affected by a vulnerable component and determine the severity of the impact.
Xray uses VulnDB as its source of vulnerability intelligence about known security issues, plus other metadata sources.
As far as subscription plan is concerned, there are two options:
- Cloud. JFrog manages the infrastructure with automatic updates and guaranteed uptime;
- Self-hosted. You can maintain the tool on your hardware or in the cloud yourself.
The tool offers support for on-premise, cloud, multi-cloud, or hybrid deployments.
Regardless of the scanner you choose, the benefits are clear:
- Automated monitoring of your app at all stages of production with severity scaling and possible solutions;
- Faster development, since nobody has to review dependency versions by hand;
- Constantly updated data about known vulnerabilities, so a known security gap in your product does not stay unnoticed for long (a scanner can only report what is already in its database, so it complements, rather than replaces, code review and testing).
Fortify your project with Liberica JDK and a vulnerability scanner
Let us now see a vulnerability scanner in action. For that purpose, we will analyze a simple application with several dependencies using Liberica JDK as the runtime environment and Snyk as a scanning tool.
Download and install Liberica JDK 17, the current LTS version. Liberica JDK is a modern TCK-verified Java runtime with the widest range of supported platforms and High-Powered support. You can choose any version you like (BellSoft provides support even for Java 6 and 7), but the latest versions have new features that may be helpful in your development process.
Now we need a simple application with several dependencies. Download the Spring Petclinic sample project. You don’t have to add anything manually because the Petclinic project already contains a set of necessary dependencies.
It’s time to set the scanner loose! You have several options of connecting Snyk to your applications:
- Source control (GitHub, Azure Repos, etc.);
- Container registries or Kubernetes;
- Continuous integration tools (CLI, Jenkins, etc.);
- IDE plugins (Eclipse, IntelliJ, Android Studio, etc.);
- Package repos or serverless (Artifactory plugin, AWS Lambda, etc.)
We have chosen a plugin for IntelliJ IDEA. You can install it directly in your IDE through Preferences -> Plugins.
After the installation, click the Snyk icon to scan your project.
As a result, Snyk discovered three vulnerabilities with different severity ratings: critical, high, and medium. You can click on a vulnerability to read detailed information with an overview and remediation advice.
Note that the critical vulnerability has not been fixed in a newer version yet. This is the case where you have to replace the dependency with another component to strengthen your code.
As you can see, integrating a vulnerability scanner into your project couldn’t be more straightforward. In return, you get all the benefits of modern protection and you meet the requirements of DevOps processes at your organization: continuous and automated monitoring of a product at all stages of production.
With Liberica JDK and vulnerability scanning, you can be confident that known vulnerabilities in your apps are caught and fixed promptly. And remember, there is no such thing as excess when it comes to security!