B4J Scanner (SBOM + Vulnerability Scanner)

tchart

I am getting increased scrutiny for some of my enterprise apps based on possible library and supply chain vulnerabilities.

I've used Snyk, Akido and Beagle but they don't really understand how B4J works so I get mixed results.

Anyway, I've built my own scanner (B4J Scanner) that resolves dependencies for a B4J project (based on libraries used, their dependencies and also class paths). It creates a software bill of materials (SBOM) and uses OSV (https://osv.dev) to scan for vulnerable libraries.

Anyone interested in this?

Example scan below.

[screenshot: example scan]
 

Dr_JU

Thank you for this great tool. Congratulations on your work.
By the way, I've discovered that jPOI uses the <commons-compress-1.20.jar> library, which contains 5 vulnerabilities. Version 1.28 is recommended.
Okay, so this means that... a thorough vulnerability scan of the libraries used is needed.

But I'm referring to a full B4X scan.
 

tchart

Okay, so this means that... a thorough vulnerability scan of the libraries used is needed.

But I'm referring to a full B4X scan.
Do you mean for all the libraries used by b4x? So not just for a project?
 

Dr_JU

Do you mean for all the libraries used by b4x? So not just for a project?

Exactly, that will help more programmers (who, like you and me) have that special care when using libraries and dependencies.

Although I'm currently new to B4X and still in the tutorial stage... it doesn't take away from my experience in .NET and production software. I know very well the cost, tech-debt, and implications of using a third-party dependency || The use of libraries with CVEs.

As for me; I already see a post or forum section where dependencies with CVEs are listed, as well as whether they are patched or not, and also if there is/exists a way to mitigate it.

I still remember when I woke up and came across PostgreSQL CVE-2025-1094 and the way to exploit it; at that time we were using Supabase as a cloud service for certain projects.
 

tchart

B4J Scanner has been updated.

@hatzisn identified that the scanner was not processing b4xlib files (which I don't use). The scanner now includes these in the scan.

The maven dependencies also now show how they are referenced; AJ = #AdditionalJar, B4X dep = Jar + "DependsOn" and b4xlib dep = b4xlib + "DependsOn"

[screenshot: updated report showing dependency references]


IMPORTANT: During testing on XLUtils.b4xlib I found it references poi-ooxml-lite-5.0.0 but the jar I have has an incomplete manifest and the Maven url could not be determined. Not sure if I downloaded from the forum or somewhere else. To resolve this, if B4J Scanner fails to identify the jar it will attempt to query Maven (via web request) using the SHA1 fingerprint. This is a last resort and can be disabled in the config file if you don't want to allow this.
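The two lookups this thread describes (SBOM entries sent to OSV in the first post, and the SHA1-fingerprint fallback to Maven Central above), as an added example that is not B4J Scanner's own code. It assumes the OSV querybatch endpoint, the Maven Central search endpoint's sha1 query form, and constructed sample data with placeholder vulnerability ids; the network helper is only used in a live scan, so everything tested runs offline.

```python
import hashlib
import json
from urllib import request

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"
# Maven Central search keyed on the jar's SHA1 ("1:" is the sha1 field).
MAVEN_SHA1_SEARCH = "https://search.maven.org/solrsearch/select?q=1:%22{sha1}%22&rows=1&wt=json"

def jar_sha1(jar_bytes: bytes) -> str:
    """Hex SHA1 of a jar: the fingerprint the Maven fallback lookup needs."""
    return hashlib.sha1(jar_bytes).hexdigest()

def coordinates_from_maven_search(body: dict):
    """Turn a Maven Central search reply into (group:artifact, version), or None if unknown."""
    docs = body.get("response", {}).get("docs", [])
    if not docs:
        return None
    return f"{docs[0]['g']}:{docs[0]['a']}", docs[0]["v"]

def osv_batch_query(sbom):
    """OSV querybatch body for a list of (group:artifact, version) SBOM entries."""
    return {"queries": [{"package": {"name": name, "ecosystem": "Maven"}, "version": version}
                        for name, version in sbom]}

def vulnerable_components(sbom, osv_reply: dict) -> dict:
    """Map 'name@version' -> OSV ids. Results arrive in query order; {} means clean."""
    findings = {}
    for (name, version), result in zip(sbom, osv_reply["results"]):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            findings[f"{name}@{version}"] = ids
    return findings

def post_json(url: str, body: dict) -> dict:
    """Network helper; only used when actually scanning, not in the offline sample below."""
    req = request.Request(url, data=json.dumps(body).encode(),
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

# Constructed sample: a two-entry SBOM and an OSV-shaped reply with placeholder ids.
SAMPLE_SBOM = [("org.apache.commons:commons-compress", "1.20"),
               ("org.apache.poi:poi-ooxml-lite", "5.0.0")]
SAMPLE_OSV_REPLY = {"results": [{"vulns": [{"id": "GHSA-PLACEHOLDER-1"}, {"id": "OSV-PLACEHOLDER-2"}]}, {}]}

if __name__ == "__main__":
    print(vulnerable_components(SAMPLE_SBOM, SAMPLE_OSV_REPLY))
    # A live scan would be: post_json(OSV_QUERYBATCH, osv_batch_query(SAMPLE_SBOM))
```

For the fallback path, `jar_sha1` of the unidentified jar goes into `MAVEN_SHA1_SEARCH`, and the resulting coordinates are appended to the SBOM before the OSV query.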
 

tchart

B4J Scanner has been updated with improvements to the report. There is also a new library scan that will scan all of your libraries/additional libraries and report any vulnerable libraries.
 

tchart

Yes I did. It does pick one jar file, but not all
[AJ] java-barcode-2.0.3 v2.0.3
Not sure why it's not finding it. Likely something specific to your setup.

Can you post a screenshot of the file/folder (in Explorer) and also a screenshot of the additional jar statements in your project?
 