Example - Java Application Quick Scan

Let’s scan a vulnerable Java Spring application: javaspringvulny

First, clone the project:

git clone https://github.com/kaakaww/javaspringvulny.git \
&& cd javaspringvulny

Now it’s time to build the code. You can skip this step, but composition (dependency) scanners may then return false negatives, and most static analysis scanners also require build artifacts to be present.

If you have Java installed:

./gradlew build

If you don’t have Java installed:

docker run --rm -it -v ".:/src" -w "/src" azul/zulu-openjdk:17 ./gradlew build

If this is not your first visit, pull the scanner image again; we update it daily.

docker pull scanproject/standalone

Run the scan:

docker run --rm -v ".:/src" scanproject/standalone

That’s it! After a minute or so, the report (tsp-report.json, written to the project directory you mounted) is ready!

more tsp-report.json

Or, pretty-printed:

jq . <tsp-report.json

Count the total number of issues:

jq '. | length' <tsp-report.json

Show all composition issues:

jq '.[] | select(.type == "COMPOSITION")' <tsp-report.json

Show all security vulnerabilities:

jq '.[] | select(.type == "SECURITY")' <tsp-report.json

Show all quality issues:

jq '.[] | select(.type == "QUALITY")' <tsp-report.json
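The same triage as a small Python script, added here as an example that is not part of this page or of the scanner's own tooling. It mirrors the jq filters above (total count, filter by type) and adds a per-type summary plus a CI gate that returns a non-zero exit code when SECURITY findings are present. It assumes only what the jq filters already rely on: that tsp-report.json is a JSON array of objects with a "type" field whose values are COMPOSITION, SECURITY or QUALITY. The "id", "title" and "severity" fields in the constructed sample are assumptions for illustration, not the scanner's real schema.

```python
"""Triage a tsp-report.json file: count issues, filter by type, gate a CI job.

Python equivalent of the jq filters on the page. Assumes the report is a JSON
array of objects that each carry a "type" field (COMPOSITION, SECURITY, QUALITY).
"""
import json
import sys
from collections import Counter

# Constructed sample report. Only the "type" field and its three values come
# from the page; "id", "title" and "severity" are assumed for illustration.
SAMPLE_REPORT = """
[
  {"id": 1, "type": "COMPOSITION", "title": "outdated dependency (constructed)", "severity": "HIGH"},
  {"id": 2, "type": "COMPOSITION", "title": "outdated dependency (constructed)", "severity": "LOW"},
  {"id": 3, "type": "SECURITY", "title": "hard-coded credential (constructed)", "severity": "HIGH"},
  {"id": 4, "type": "QUALITY", "title": "unused import (constructed)", "severity": "INFO"}
]
"""

KNOWN_TYPES = ("COMPOSITION", "SECURITY", "QUALITY")


def load_report(text):
    """Parse report text; reject anything that is not a JSON array of objects."""
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(i, dict) for i in data):
        raise ValueError("tsp-report.json must be a JSON array of issue objects")
    return data


def count_issues(report):
    """Same as: jq '. | length' <tsp-report.json"""
    return len(report)


def issues_of_type(report, kind):
    """Same as: jq '.[] | select(.type == "<kind>")' <tsp-report.json"""
    return [issue for issue in report if issue.get("type") == kind]


def summarize(report):
    """Count issues per type; issues with a missing or unexpected type land in UNKNOWN."""
    counts = Counter(
        issue.get("type") if issue.get("type") in KNOWN_TYPES else "UNKNOWN"
        for issue in report
    )
    return {kind: counts.get(kind, 0) for kind in KNOWN_TYPES + ("UNKNOWN",)}


def gate(report, fail_on=("SECURITY",)):
    """Exit code for a CI job: 1 if any issue of a blocking type exists, else 0."""
    blocking = [issue for issue in report if issue.get("type") in fail_on]
    return 1 if blocking else 0


def main(argv):
    """Read the report (default: ./tsp-report.json), print a summary, return the gate code."""
    path = argv[1] if len(argv) > 1 else "tsp-report.json"
    with open(path, encoding="utf-8") as fh:
        report = load_report(fh.read())
    for kind, n in summarize(report).items():
        print(f"{kind:12} {n}")
    for issue in issues_of_type(report, "SECURITY"):
        print("SECURITY:", json.dumps(issue))
    return gate(report)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in the project directory after the scan (`python3 triage.py` or `python3 triage.py path/to/tsp-report.json`); a pipeline step that runs it will fail on any SECURITY finding, and `fail_on` can be widened to also block on COMPOSITION issues.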

Watch a recording of the entire process (asciicast recording embedded on the original page).