JFrog Security Research

OSS Security Scanning Tools resource page

Validate open source security in your software using OSS tools from JFrog Security

When a new security threat, such as a zero-day vulnerability in a publicly available open-source package, arises, the time to respond is of the essence. We are happy to support the community with a range of OSS scan tools to identify such threats in your software quickly. These tools are continually developed by the JFrog Security Research team, the security experts behind JFrog Xray.

JFrog's OSS tools can be used for detecting exposure to known vulnerabilities (either dynamically or statically), for determining susceptibility to various supply-chain attacks, and for evaluating software packages that may contain malicious code.

OSS Packages
    CVE-2021-44228 (Log4Shell) tools
    CVE-2021-44228 (Log4Shell) poses a serious threat to a wide range of Java-based applications. Our OSS tools help developers answer the following important questions:
    1. Does my code include log4j2?
    2. Where does my code use log4j2?
    3. Am I configuring it correctly?
  • env_verify
    Verifies whether the Java environment and command line options of your log4j-enabled Java application allow for the exploitation of CVE-2021-44228
    Published on 14 Dec. 2021
  • log4shell_xray_wrapper
    Searches for local Maven and Gradle projects and scans them using Xray, with the results filtered to show only the Log4Shell vulnerabilities
    Published on 14 Dec. 2021
  • patch_rt_container_registry_repos
    Mitigates Log4Shell in container images managed by Artifactory
    Published on 14 Dec. 2021
  • scan-cve-2021-45046-config
    Scans a root folder and all archive files in it, looking for probable log4j configuration files (xml, yml, properties, json), and in each looking for configuration options which may enable an attacker to exploit CVE-2021-45046
    Published on 14 Dec. 2021
  • scan-log4j-calls-jar
    Recursively scans all .jar files in a root folder, for each printing out locations (class name and method name) of calls to info/warn/error/log/debug/trace/fatal methods of log4j2.Logger.
    Published on 14 Dec. 2021
  • scan-log4j-calls-src
    Recursively scans all .java files in a root folder, for each printing out locations (file name and corresponding code lines) of calls to log4j2 logging methods.
    Published on 14 Dec. 2021
  • scan-log4j-versions
    Recursively scans a root folder for .jar and .war files; for every file that is detected, the tool looks for the vulnerable Log4Shell classes and reports whether the binary is vulnerable.
    Published on 14 Dec. 2021
    CVE-2022-29799 (Nimbuspwn) tools
    Nimbuspwn (CVE-2022-29799 & CVE-2022-29800) is a vulnerability in the networkd-dispatcher daemon, discovered by the Microsoft 365 Defender Research Team.
  • nimbuspwn-detector
    Checks if the current system is vulnerable to Nimbuspwn
    Published on 28 Apr. 2022
    CVE-2018-25032 tools
    CVE-2018-25032 is a vulnerability in the ubiquitous zlib compression library, which can be triggered when the deflateInit2 API is called using non-default arguments.
  • CVE-2018-25032-detector
    Scans a path recursively and prints binaries that use deflateInit2() - which makes them potentially susceptible to CVE-2018-25032
    Published on 30 Mar. 2022
    CVE-2021-4034 (PwnKit) tools
    PwnKit is a trivial-to-exploit local privilege escalation vulnerability that affects every major Linux distribution.
  • pwnkit-detector
    Checks if the current system is vulnerable to PwnKit
    Published on 27 Jan. 2022