JFrog Security Research

OSS Security Scanning Tools resource page

Validate open source security in your software using OSS tools from JFrog Security. When a new security threat – such as a zero-day vulnerability in a publicly available open-source package – arises, the time to respond is of the essence. We are happy to support the community with a range of OSS scan tools to identify such threats in your software quickly. These tools are continually developed by the JFrog Security Research team – the security experts behind JFrog Xray. JFrog's OSS tools can be used for detecting exposure to known vulnerabilities (either dynamically or statically), for determining susceptibility to various supply-chain attacks, and for evaluating software packages that may contain malicious code.

    CVE-2024-3094 (XZ Backdoor) tools
    CVE-2024-3094 (XZ Backdoor) is a highly sophisticated backdoor that affected the "xz" and "xz-utils" packages (versions 5.6.0 and 5.6.1). The backdoor allows specific attackers to run arbitrary shell commands on the victim machine via covert SSH communication.
  • CVE-2024-3094-detector
    Checks whether the local machine is vulnerable to CVE-2024-3094 and whether it is currently affected by it
    Published on 31 Mar, 2024
    CVE-2021-44228 (Log4Shell) tools
    CVE-2021-44228 (Log4Shell) poses a serious threat to a wide range of Java-based applications. Our OSS tools help developers answer the following important questions:
    1. Does my code include log4j2?
    2. Where does my code use log4j2?
    3. Am I configuring this correctly?
  • env_verify
    Verifies whether the Java environment and command-line options of your log4j-enabled Java application allow for the exploitation of CVE-2021-44228
    Published on 14 Dec, 2021
  • log4shell_xray_wrapper
    Searches for local Maven and Gradle projects and scans them using Xray, with the results filtered to show only the Log4Shell vulnerabilities
    Published on 14 Dec, 2021
  • patch_rt_container_registry_repos
    Mitigates Log4Shell in container images managed by Artifactory
    Published on 14 Dec, 2021
  • scan-cve-2021-45046-config
    Scans a root folder and all archive files in it, looking for probable log4j configuration files (xml, yml, properties, json) and, in each of them, for configuration options which may enable an attacker to exploit CVE-2021-45046
    Published on 14 Dec, 2021
  • scan-log4j-calls-jar
    Recursively scans all .jar files in a root folder, for each printing out locations (class name and method name) of calls to info/warn/error/log/debug/trace/fatal methods of log4j2.Logger.
    Published on 14 Dec, 2021
  • scan-log4j-calls-src
    Recursively scans all .java files in a root folder, for each printing out locations (file name and corresponding code lines) of calls to log4j2 logging methods.
    Published on 14 Dec, 2021
  • scan-log4j-versions
    Recursively scans a root folder for .jar and .war files; for every file that is detected, the tool looks for the vulnerable Log4Shell classes and reports whether the binary is vulnerable.
    Published on 14 Dec, 2021
    CVE-2022-29799 (Nimbuspwn) tools
    Nimbuspwn (CVE-2022-29799 & CVE-2022-29800) is a vulnerability in the networkd-dispatcher daemon, discovered by the Microsoft 365 Defender Research Team.
  • nimbuspwn-detector
    Checks if the current system is vulnerable to Nimbuspwn
    Published on 28 Apr, 2022
    CVE-2018-25032 tools
    CVE-2018-25032 is a vulnerability in the ubiquitous zlib compression library, which can be triggered when the deflateInit2 API is called using non-default arguments.
  • CVE-2018-25032-detector
    Scans a path recursively and prints binaries that use deflateInit2(), which makes them potentially susceptible to CVE-2018-25032
    Published on 30 Mar, 2022
    CVE-2021-4034 (PwnKit) tools
    PwnKit is a trivial-to-exploit local privilege escalation vulnerability that affects every major Linux distribution.
  • pwnkit-detector
    Checks if the current system is vulnerable to PwnKit
    Published on 27 Jan, 2022
    CVE-2022-42889 (TextShell) tools
    The TextShell vulnerability (CVE-2022-42889) affects users of the popular Apache Commons Text package who use its string interpolation APIs. Exploiting the vulnerability is trivial in relevant cases and leads to remote code execution.
  • scan_commons_text_versions
    Recursively searches for the class code of StringLookupFactory (regardless of the containing .jar file names and the content of pom.xml files) and attempts to fingerprint the version of the class in order to report whether the included version of commons-text is vulnerable.
    Published on 18 Oct, 2022
  • scan_commons_text_calls_jar
    Locates the calls to the vulnerable TextShell functions in compiled .jar files and reports the findings as the class name and method name in which each call appears.
    Published on 18 Oct, 2022
  • text_4_shell_patch
    Looks for the vulnerable ScriptStringLookup class in the given commons-text jar and disables its lookup() function, effectively patching the vulnerability. The tool can also patch (disable) the vulnerable DnsStringLookup and URLStringLookup functionalities.
    Published on 24 Oct, 2022
    CVE-2022-3602 & CVE-2022-3786 tools
    CVE-2022-3602 & CVE-2022-3786 are a pair of vulnerabilities that affect users of OpenSSL 3.x, leading to denial of service and possibly other impact when verifying a crafted X.509 certificate.
  • openssl_req_client_cert
    Determines whether client authentication is required by the SSL server, in which case servers based on OpenSSL 3.0.0 through 3.0.6 will be vulnerable to CVE-2022-3602 & CVE-2022-3786
    Published on 2 Nov, 2022
  • scan_vulnerable_openssl_code
    Finds binaries with a statically-linked version of OpenSSL. Specifically, the tool differentiates between OpenSSL 3.0.0-3.0.6 (vulnerable versions) and 3.0.7 (fixed version).
    Published on 2 Nov, 2022