Insight Application Health Check

Published: July 31, 2012 09:56


Sonatype's Insight Application Health Check is a small utility that scans Java applications for known security vulnerabilities and license issues in the components they bundle. The tool gives organizations a detailed look at the open-source packages and libraries used within a Java application, to determine whether any are out of date or carry known vulnerabilities. Users can run the application and get a summary of the results for free. To get the full details, however, the user has to purchase the tool for $499; for a limited time, Sonatype is offering the full reports for $99.

The Application Health Check can be used both by businesses building their own applications and by those that bought or downloaded third-party software. Businesses can check that an application they are about to deploy won't open a backdoor into the network through a known, exploitable vulnerability in one of its components.

Why Check Apps?

Statistics provided by Sonatype paint a bleak picture. More than 80 percent of a typical Java application consists of existing open-source libraries and frameworks. Over 70 percent of developers tend to find reusable code snippets and dependencies by searching online, but it's a challenge to keep up with update announcements for each component. Only a third of companies are aware of what reusable code and dependencies are being used in their applications in the first place. If there is a security vulnerability in one of these components, it is integrated into the application along with it.

This isn't just a theoretical problem. There were more than 46 million downloads of insecure versions of the 31 most popular open-source security libraries and Web frameworks in one year, Sonatype told me. For example, Google Web Toolkit, a popular development framework that lets Web developers write and maintain complex JavaScript front-end applications in Java, is downloaded 17.7 million times a year despite having known vulnerabilities in some versions.

Setup

Setup is a matter of downloading and running the Java application from the Sonatype website. The scanner can handle JAR, WAR and ZIP files. The application asks for an email address to which it can send the completed report and for the directory path to the Java application. After I ran the scan, the report was sent to my inbox. The free version offers only a summary report. Paid users receive a token that is entered into the application; with the token in place, the reports contain full information.

Report

The report has four tabs: Summary, Security Issues, License Analysis and Unidentified Artifacts. The Summary page has charts and statistics about the scan, such as the number of security vulnerabilities and license alerts found, as well as the number of components used in the application.

The Security Issues page is a long list of the vulnerabilities that were found. Threat Level is a one-to-10 scale the application uses to indicate the severity of each issue detected. Each entry lists a standard identifier from sources such as Common Vulnerabilities and Exposures (CVE) or the Open Source Vulnerability Database (OSVDB) to indicate which vulnerability was found, and the actual file or component it was found in.

License Analysis is another list, this one showing the licenses attached to the various libraries and components. The scanner looks for conflicts between them. As with the Threat Level on the previous page, each entry has a License Threat scale and names the file or component covered by that license.

Clicking an entry on either the Security Issues or License Analysis page displays more information about the detected item. On the security page, clicking the vulnerability identifier takes the user to the corresponding CVE or OSVDB lookup page. The detail view also lists the version in which the particular vulnerability was fixed.

The final Unidentified Artifacts page lists the items the scanner couldn't recognize, which require manual investigation.
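To make the four-tab report concrete, here is a toy composition scan in Python modelled on it. This is an added example, not Sonatype's code or its matching method: a commercial scanner fingerprints components against a curated database, whereas this one simply reads the Maven pom.properties that most built jars carry and checks the coordinates against small inline tables. The WAR archive, the vulnerability rows (the EXAMPLE-ADV identifiers are placeholders, not real advisories), the license table and the threat scores are all constructed for the demonstration.

```python
import io
import re
import zipfile
from typing import Optional

# Constructed lookup tables (demo assumptions; the ids are placeholders, not real
# advisories). Key: (groupId, artifactId). Vulnerability rows: (first affected
# version, last affected version, identifier, threat level 1-10, fixed-in version)
VULN_DB = {
    ("org.example", "webframework"): [("1.0", "1.2.9", "EXAMPLE-ADV-1", 9, "1.3.0")],
    ("org.example", "httpserver"):   [("6.0", "6.1.20", "EXAMPLE-ADV-2", 5, "6.1.21")],
}
LICENSE_DB = {("org.example", "webframework"): "Apache-2.0",
              ("org.example", "httpserver"):   "GPL-2.0+",
              ("org.example", "utils"):        "MIT"}
COPYLEFT = {"GPL-2.0+", "GPL-3.0", "AGPL-3.0"}   # licenses that require source release


def parse_version(v: str) -> tuple:
    """'6.1.20' -> (6, 1, 20); non-numeric segments compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high under simple numeric comparison."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def read_pom_properties(jar_bytes: bytes) -> Optional[tuple]:
    """Return (groupId, artifactId, version) from the Maven pom.properties a built
    jar usually embeds under META-INF/maven/, or None if it has no such metadata."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, _, val = line.partition("=")
                        props[key.strip()] = val.strip()
                if {"groupId", "artifactId", "version"} <= props.keys():
                    return props["groupId"], props["artifactId"], props["version"]
    return None


def inventory(archive_bytes: bytes) -> list:
    """Every jar bundled in a WAR/JAR/ZIP as (path, groupId, artifactId, version);
    the last three are None when the jar carried no usable metadata."""
    comps = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as archive:
        for name in archive.namelist():
            if name.endswith(".jar"):
                meta = read_pom_properties(archive.read(name)) or (None, None, None)
                comps.append((name, *meta))
    return comps


def scan(archive_bytes: bytes) -> dict:
    """Build the report's four sections: summary, security issues,
    license analysis and unidentified artifacts."""
    comps = inventory(archive_bytes)
    report = {"security_issues": [], "license_issues": [], "unidentified": []}
    for path, group, artifact, version in comps:
        if group is None:                       # no metadata: manual investigation
            report["unidentified"].append(path)
            continue
        coord = f"{group}:{artifact}:{version}"
        for low, high, adv_id, threat, fixed in VULN_DB.get((group, artifact), []):
            if in_range(version, low, high):    # a vulnerable version is bundled
                report["security_issues"].append({"component": coord, "path": path,
                    "id": adv_id, "threat": threat, "fixed_in": fixed})
        lic = LICENSE_DB.get((group, artifact), "unknown")
        if lic in COPYLEFT or lic == "unknown":  # copyleft scores 8, unknown 4
            report["license_issues"].append({"component": coord, "license": lic,
                "license_threat": 8 if lic in COPYLEFT else 4})
    report["security_issues"].sort(key=lambda i: -i["threat"])   # worst first
    report["summary"] = {"components": len(comps),
                         "security_issues": len(report["security_issues"]),
                         "license_issues": len(report["license_issues"]),
                         "unidentified": len(report["unidentified"])}
    return report


# Constructed sample input: a WAR with four bundled jars (not a real application).
def make_jar(group, artifact, version) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if group is not None:
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                         f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
        jar.writestr("Main.class", b"\xca\xfe\xba\xbe")   # class-file magic only
    return buf.getvalue()


def make_sample_war() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/webframework-1.2.8.jar", make_jar("org.example", "webframework", "1.2.8"))
        war.writestr("WEB-INF/lib/httpserver-6.1.21.jar", make_jar("org.example", "httpserver", "6.1.21"))
        war.writestr("WEB-INF/lib/utils-0.9.jar", make_jar("org.example", "utils", "0.9"))
        war.writestr("WEB-INF/lib/vendor-blob.jar", make_jar(None, None, None))   # no metadata
    return buf.getvalue()
```

Calling `scan(make_sample_war())` produces a summary of four components with one security issue (the webframework 1.2.8 jar, threat 9, fixed in 1.3.0), one license issue (the GPL-licensed httpserver jar, whose 6.1.21 version is already past the vulnerable range) and one unidentified artifact (the jar with no Maven metadata). The fixed-in version is what lets you decide between upgrading and mitigating; the unidentified list is where the manual work described above begins.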

The Paces

I ran the scanner against four applications I downloaded online, as well as against two applications developed internally. Two of the downloaded applications were popular open-source development tools, one was a commercially available game, and the other was a commercial productivity tool.

The first software I scanned was Continuum, from the Apache Software Foundation. Apache Continuum is a continuous integration server for building Java-based projects. It lets businesses make sure new code changes aren't going to break the application, and it is quite handy for a multi-developer, multi-module project.

Continuum returned several serious vulnerabilities, several of them in Apache Struts, a framework that handles requests coming from Web browser clients. Another component, Jetty, which provides Java applications with an embedded Web server, had a vulnerability which, if exploited, could cause a denial-of-service condition. Another vulnerability, in the Spring framework, could be exploited with a malicious Java file.

Knowing that the software has vulnerabilities is useful, since the organization can now make an educated decision on whether or not to use the tool. If the decision is to go ahead and use it, the organization can take steps to mitigate the vulnerability, such as creating firewall rules to restrict who can reach the server or placing a Web application firewall in front of it. Knowing about risks helps organizations take action.

The second and third applications, JFrog's Artifactory and Atlassian's JIRA, had severe and moderate vulnerabilities. More important in this case was that the scanner found a problem with the license of one software component used in JIRA. The tool also looks for situations where a component's license exposes the code owner to "copyleft" obligations.

Copyleft is a term for a license that requires the application owner to provide the source code and other information necessary to reproduce or modify the work. JIRA included a component whose license the scanner reported as "GNU GPL 2.0+, MPL 1.1 non-standard license." The component itself declared only MPL 1.1, with no mention of the GPL, which requires the source code to be released. The detailed view explained which versions of the component (older and newer) had the issue and when it was fixed. The idea is that if you know when the update was released, you may be able to recompile with the newer library. However, this part of the view is really confusing, and I wound up just looking to see if a newer version was available.

For the commercial game, the scanner reported that no open-source libraries or dependencies had been used, so the report contained no information. This pointed out one of the issues I had with this tool. It's great to be able to tell when software has insecure elements, so that I can either download an update and fix the problem or decide not to use the software because of known issues, but the scanner is limited to scanning open-source components.

If the application was built from proprietary code, the scanner was useless. That means a company would need one tool for open-source software and another for closed-source software, which is more complex than it needs to be.

There were no security issues with the two custom-developed Java applications, but both had copyleft issues with their component licenses. This is useful for a business planning to keep its software closed and not publish the source code, since the scanner shows which components would require the source to be made available.

Forewarned is Forearmed

Sonatype's Insight Application Health Check can help companies understand what kinds of security and license issues there may be in the software being used within the organization. Whether or not anything is done about them is a separate question. Still, businesses can't make educated decisions on how to manage risk if they aren't aware of the situation, and this little utility can help in that regard. There is a lot of room for improvement, such as clearer reports, the ability to track issues down to actual lines of code instead of just the name of the component, and the ability to scan closed-source software. For now, the app rates a solid 3, but I could see it improving over the next few months.

Pros

Easy to use. Minimal requirements. Gives a clear list of the dependencies and components in which the vulnerabilities are found.

Cons

Must have access to the Java WAR, JAR or other binary. Looks only at open-source components. Detailed view explaining the issues and conflicting versions is confusing.

Bottom Line

Useful for a small development company or for a business subject to strict regulations, Sonatype Insight Application Health Check provides a detailed list of the licensing issues and security vulnerabilities that exist in production code.

PC Magazine