JFrog Security Research
OSS Security Scanning Tools resource page
Validate open source security in your software using OSS tools from JFrog Security When a new security threat – such as a zero-day vulnerability in a publicly available open-source package – arises, the time to respond is of the essence. We are happy to support the community with a range of OSS scan tools to identify such threats in your software quickly. These tools are continually developed by the JFrog Security Research team – the security experts behind JFrog Xray JFrog's OSS tools can be used for detecting exposure to known vulnerabilities (either dynamically or statically), for determining susceptibility to various supply-chain attacks and for evaluating software packages that may contain malicious code.
Scan with JFrog CLI >
- CVE-2024-3094-detectorChecks if the local machine is vulnerable to CVE-2024-3094 and currently affected by CVE-2024-3094Published on 31 Mar, 2024
CVE-2024-3094 (XZ Backdoor) tools
CVE-2024-3094 (XZ Backdoor) is a highly sophisticated backdoor that affected the "xz" and "xz-utils" packages (versions 5.6.0 and 5.6.1).
The backdoor allows specific attackers to run arbitrary shell commands on the victim machine via covert SSH communication.
- env_verifyVerifies whether the Java environment and command line options of your log4j-enabled Java application, allow for the exploitation of CVE-2021-44228Published on 14 Dec, 2021
- log4shell_xray_wrapperSearches for local Maven and Gradle projects and scans them using Xray, with the results filtered to show only the Log4Shell vulnerabilitiesPublished on 14 Dec, 2021
- patch_rt_container_registry_reposMitigates Log4Shell in container images managed by ArtifactoryPublished on 14 Dec, 2021
- scan-cve-2021-45046-configScans a root folder and all archive files in it, looking for probable log4j configuration files (
xml,yml,properties,json), in each looking for configuration options which may enable an attacker to exploit CVE-2021-45046Published on 14 Dec, 2021 - scan-log4j-calls-jarRecursively scans all
.jarfiles in a root folder, for each printing out locations (class name and method name) of calls toinfo/warn/error/log/debug/trace/fatalmethods oflog4j2.Logger.Published on 14 Dec, 2021 - scan-log4j-calls-srcRecursively scans all
.javafiles in a root folder, for each printing out locations (file name and corresponding code lines) of calls tolog4j2logging methods.Published on 14 Dec, 2021 - scan-log4j-versionsRecursively scans a root folder for
.jarand.warfiles; For every file that is detected, the plugin looks for the vulnerable Log4Shell classes and reports whether the binary is vulnerable.Published on 14 Dec, 2021
CVE-2021-44228 (Log4Shell) tools
CVE-2021-44228 (Log4Shell) poses a serious threat to a wide range of Java-based applications.
Our OSS tools help developers answer the following important questions:
1. Does my code include log4j2?
2. Where does my code use log4j2?
3. Am I configuring this correctly?
log4shell
Related Blogs
- scan_springScans a root folder recursively for
.jarand.warfiles which contain web endpoints that may be vulnerable to CVE-2022-22965Published on 31 Mar, 2022
CVE-2022-22965 (SpringShell) tools
The SpringShell (CVE-2022-22965) vulnerability may affect some web applications using Spring Framework, but requires a number of conditions to be exploitable. One specific condition which may be rather rare (and therefore render most applications non-exploitable in practice) is the existence of Spring endpoints which bind request parameters to a non-primitive (Java Bean) type.
springshell
Related Blogs
- nimbuspwn-detectorChecks if the current system is vulnerable to NimbuspwnPublished on 28 Apr, 2022
CVE-2022-29799 (Nimbuspwn) tools
Nimbuspwn (CVE-2022-29799 & CVE-2022-29800), a vulnerability in the networkd-dispatcher daemon discovered by the Microsoft 365 Defender Research Team.
- CVE-2018-25032-detectorScans a path recursively and prints binaries that use
deflateInit2()- which makes them potentially susceptible to CVE-2018-25032Published on 30 Mar, 2022
CVE-2018-25032 tools
CVE-2018-25032 is a vulnerability in the ubiquitous zlib compression library, which can be triggered when the deflateInit2 API is called using non-default arguments.
- pwnkit-detectorChecks if the current system is vulnerable to PwnKitPublished on 27 Jan, 2022
CVE-2021-4034 (PwnKit) tools
PwnKit is a trivial-to-exploit local privilege escalation vulnerability that affects every major Linux distribution.
- npm-secure-installValidates dependencies are locked down to the exact versions before installation of global toolsPublished on 20 Jan, 2022
- package-checkerChecks a dependency string for what will actually be installed and whether it is suspiciousPublished on 20 Jan, 2022
- npm-issues-statisticsAnalyzes GitHub comments to find unusual activity that might correlate to compromised dependencyPublished on 20 Jan, 2022
- npm-domain-checkChecks if a specific npm package may be susceptible to domain hijacking(directly or via dependencies)Published on 24 May, 2022
npm tools
A collection of tools to help audit your NPM dependencies for suspicious packages or continuously monitor dependencies for future security events.
npm-tools
Related Blogs
- scan_commons_text_versionsRecursively searches for the class code of StringLookupFactory (regardless of containing .jar file names and content of pom.xml files), and attempts to fingerprint the versions of the objects to report whether the included version of commons-text is vulnerable.Published on 18 Oct, 2022
- scan_commons_text_calls_jarLocates the calls to the vulnerable TextShell functions in compiled .jar files, and reports the findings as class name and method names in which each call appears.Published on 18 Oct, 2022
- text_4_shell_patchLooks for the vulnerable ScriptStringLookup class in the commons-text jar given and disables the lookup() function, effectively patching the vulnerability The tool can also patch (disable) the vulnerable DnsStringLookup and URLStringLookup funtionalitiesPublished on 24 Oct, 2022
CVE-2022-42889 (TextShell) tools
The TextShell vulnerability (CVE-2022-42889) affects users of the popular Apache Commons Text package, that use String Interpolation APIs.
Exploiting the vulnerability is trivial in relevant cases and leads to remote code execution.
- openssl_req_client_certDetermines whether client authentication is required by the SSL server, in which case servers based on OpenSSL 3.0.0..3.0.6 will be vulnerable to CVE-2022-3602 & CVE-2022-3786Published on 2 Nov, 2022
- scan_vulnerable_openssl_codeFinds binaries with a statically-linked version of OpenSSL. Specifically the tool diferentiates between OpenSSL 3.0.0-3.0.6 (vulnerable versions) and 3.0.7 (fixed version).Published on 2 Nov, 2022
CVE-2022-3602 & CVE-2022-3786 tools
CVE-2022-3602 & CVE-2022-3786 are a pair of vulnerabilities that affect users of OpenSSL 3.x, leading to denial of service and possibly other impact when verifying a crafted X.509 certificate.