

Azul has introduced an update to its Vulnerability Detection solution that promises to reduce false positives in Java vulnerability detection by up to 99% by only flagging vulnerabilities in code paths that are actually used.
According to Azul, typical scanners scan JAR files for components by name, rather than by what the JVM actually loads.
Erik Costlow, senior director of product management at Azul, explained that because of the way Java applications work, each component contains many classes, and even though a component may be in the Common Vulnerabilities and Exposures (CVE) database, an application might not be loading the part of the component that is vulnerable.
“Log4j, for example, has over 10,000 classes, and there’s only like 5 – 6 of them that are actually vulnerable. So, what we find is that many people use the vulnerable things, but they use it in a safe way,” he said.
As another example, CVE-2024-1597 describes a critical (9.8 out of 10 score) vulnerability in pgjdbc, which is a PostgreSQL JDBC driver. The vulnerability allows SQL injection if PreferQueryMode=SIMPLE is used. However, the entry in the CVE database says “Note this is not the default. In the default mode there is no vulnerability.”
A developer could be using this component and, unless they go out of their way and use PreferQueryMode=SIMPLE, they’re safe, Costlow explained.
“What happens is many people look at this score, and they say it’s a ten out of 10, drop everything, dedicate my engineers to deal with this security vulnerability,” said Costlow. “But the reality is, the majority of them are using it in the default mode, in which case there’s no vulnerability. So, if I’ve taken my people off all of the critical work that they’re doing, and I’ve said, ‘go fix this vulnerability, patch it right now’ because it’s a critical 10 out of 10, I’ve just wasted a huge amount of time.”
According to Costlow, this kind of scenario, where a developer is using a vulnerable component but not actually activating the part of it that is vulnerable, is fairly common.
The latest update to Azul Vulnerability Detection uses a curated knowledge base that maps CVEs to the classes that are used at runtime. The company built this by looking at the CVE database and asking how many of the components actually related to Java. Next, it went through those components and figured out which parts of them are problematic and why.
This curated database allows Azul to flag whether one of the vulnerable classes in the CVE database is actually being used by the components in a Java application, or whether the application is only using other classes of a vulnerable component that are not considered to be vulnerable pieces.
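As an added illustration of the approach described above and of the pgjdbc example earlier (this is not Azul's code or curated data), the following Python script reads JVM class-load output, matches it against a small CVE-to-class map in the shape the article describes, and separately checks a pgjdbc URL for the PreferQueryMode=SIMPLE setting that CVE-2024-1597 depends on. The log lines, the placeholder class names and the second CVE id are constructed assumptions; the article does not name the vulnerable pgjdbc or Log4j classes.

```python
import re

# Constructed knowledge base in the shape the article describes: each CVE maps to
# the component it affects, a package prefix showing the component is loaded at
# all, and the specific classes whose loading means the vulnerable code path is
# really in use. Only CVE-2024-1597 (pgjdbc) comes from the article; the class
# names and the second CVE id are PLACEHOLDERS, not Azul's curated data.
CVE_CLASS_MAP = {
    "CVE-2024-1597": {
        "component": "pgjdbc",
        "package_prefix": "org.postgresql.",
        "vulnerable_classes": {"org.postgresql.PLACEHOLDER_SimpleQueryPath"},
    },
    "CVE-0000-PLACEHOLDER": {  # stands in for the Log4j case the article mentions
        "component": "log4j-core",
        "package_prefix": "org.apache.logging.log4j.",
        "vulnerable_classes": {"org.apache.logging.log4j.PLACEHOLDER_VulnerableLookup"},
    },
}

# Constructed log lines in the format of the JVM's -Xlog:class+load output.
# Both components are loaded, but none of the flagged classes are.
SAFE_CLASS_LOAD_LOG = """\
[0.031s][info][class,load] java.lang.Object source: shared objects file
[0.412s][info][class,load] org.postgresql.Driver source: file:/app/lib/postgresql.jar
[0.418s][info][class,load] org.postgresql.jdbc.PgConnection source: file:/app/lib/postgresql.jar
[0.611s][info][class,load] org.apache.logging.log4j.core.Logger source: file:/app/lib/log4j-core.jar
"""

# Constructed: here the application also pulls in the placeholder pgjdbc class
# that the knowledge base associates with the vulnerable code path.
RISKY_CLASS_LOAD_LOG = """\
[0.031s][info][class,load] java.lang.Object source: shared objects file
[0.412s][info][class,load] org.postgresql.Driver source: file:/app/lib/postgresql.jar
[0.430s][info][class,load] org.postgresql.PLACEHOLDER_SimpleQueryPath source: file:/app/lib/postgresql.jar
"""

LOAD_LINE = re.compile(r"\[class,load\]\s+(\S+)\s+source:")


def parse_class_load_log(text):
    """Return the set of fully-qualified class names the JVM reported loading."""
    classes = set()
    for line in text.splitlines():
        match = LOAD_LINE.search(line)
        if match:
            classes.add(match.group(1))
    return classes


def assess(loaded_classes, cve_map=CVE_CLASS_MAP):
    """Classify each CVE as 'absent' (component never loaded), 'present-unused'
    (component loaded but none of its flagged classes) or 'vulnerable-loaded'."""
    findings = {}
    for cve, entry in cve_map.items():
        hits = sorted(entry["vulnerable_classes"] & loaded_classes)
        component_loaded = any(c.startswith(entry["package_prefix"]) for c in loaded_classes)
        if hits:
            findings[cve] = ("vulnerable-loaded", hits)
        elif component_loaded:
            findings[cve] = ("present-unused", [])
        else:
            findings[cve] = ("absent", [])
    return findings


def jdbc_url_uses_simple_query_mode(url):
    """True when a pgjdbc URL opts into the non-default PreferQueryMode=SIMPLE,
    the only mode in which the CVE entry says CVE-2024-1597 applies. Properties
    set programmatically rather than in the URL are not covered by this check."""
    _, _, query = url.partition("?")
    for param in query.split("&"):
        key, _, value = param.partition("=")
        if key.strip().lower() == "preferquerymode" and value.strip().lower() == "simple":
            return True
    return False


if __name__ == "__main__":
    for label, log in (("safe", SAFE_CLASS_LOAD_LOG), ("risky", RISKY_CLASS_LOAD_LOG)):
        print(f"--- {label} run ---")
        for cve, (status, hits) in assess(parse_class_load_log(log)).items():
            print(f"{cve}: {status}" + (f" ({', '.join(hits)})" if hits else ""))
    print(jdbc_url_uses_simple_query_mode("jdbc:postgresql://db:5432/app?preferQueryMode=simple"))
```

The point of the two runs is the distinction the article draws: in the first, both components are present (a name-based scanner would flag both CVEs) but no flagged class is ever loaded, so the result is present-unused; in the second, the placeholder class on the vulnerable path is loaded and the finding becomes actionable. The URL check adds the configuration condition from the CVE entry, since even a loaded class is only a risk there when the non-default mode is selected.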
“What Azul does with vulnerability detection that’s different from a lot of the other scanners is we continuously watch that application to say, ‘did you actually use the thing?’ It’s one thing to have the vulnerable component. People have vulnerable components. There are many things that pose a risk to you, but the question is, do you actually use it in a way that poses a risk to you? What we found is that quite often that answer is no,” Costlow said.