Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/
Discover, assess and mitigate known vulnerabilities in your Java projects
Eclipse Steady supports software development organizations in regards to the secure use of open-source components during application development. The tool analyzes Java applications in order to:
As such, it addresses the OWASP Top 10 security risk A6, Vulnerable and Outdated Components, which is often the root cause of data breaches: snyk.io/blog/owasp-top-10-breaches
In comparison to other tools, the detection is code-centric and usage-based, which allows for more accurate detection and assessment than tools relying on meta-data. It is a collection of client-side scan tools, microservices and rich OpenUI5 Web frontends.
Please note the following:
As a consequence, we recommend Steady primarily for organizations that can afford (a) hosting Steady on their internal cloud and (b) dedicating resources to contribute to the vulnerability information in Project KB.
This section provides the bare minimum to setup Steady and to use its Maven plugin for scanning a Java application.
The Steady backend, a Docker Compose application, stores information about open-source vulnerabilities and scan results. It has to be installed once, ideally on a dedicated host, and must be running during application scans.
Download and run setup-steady.sh
to install the backend on any host with a recent version of Docker/Docker Compose (the use of profiles requires a version >= 1.28, installable with pip install docker-compose
or as described here).
Notes:
setup-steady.sh
or directly using start-steady.sh -s ui
, the backend will be bootstrapped by downloading and processing code-level information of hundreds of vulnerabilities maintained in the open-source knowledge base Project KB. While the bootstrapping can take up to two hours, later updates will import the delta on a daily basis. Run start-steady.sh -s none
to shut down all Docker Compose services of the backend.A Steady scan client, e.g. the Maven plugin, analyzes the code of your application project and its dependencies. Being available on Maven Central, the clients do not require any installation. However, they need to be run whenever your application’s code or dependencies change.
In case application scan and Steady backend run on different hosts, the scan clients must be configured accordingly. Just copy and adjust the file ~/.steady.properties
, which has been created in the user’s home directory during the backend setup.
For Maven, cd
into your project and run the app
analysis goal as follows (see here for more information about available goals):
mvn org.eclipse.steady:plugin-maven:3.2.5:app
Note: During application scans, a lot of information about its dependencies is uploaded to the backend, which makes that the first scan takes significantly more time than later scans of the same application.
Originally developed by SAP Security Research, the tool has been productively used at SAP between late 2016 and April 2021. As of April 2017, the tool was the officially recommended open-source scan solution for Java (and then Python) applications at SAP. As of April 2019, it has been used to perform 1M+ scans of ~1000 Java and Python development projects.
The tool approach is best described in the following scientific papers, please cite these if you use the tool for your research work:
Eclipse Steady has a distributed architecture composed of a couple of Spring Boot microservices, two Web frontends and a number of client-side scanners/plugins, which perform the actual analysis of application and dependency code on build systems or developer workstations.
To build/test the entire project, the following tools are needed:
plugin-maven
pip
, virtualenv
and setuptools
(pip install -r requirements.txt
) for the analysis of Python applications using cli-scanner
plugin-gradle
.Eclipse Steady is built with Maven. The module lang-python
requires Python 3 to be installed. To enable the support for Gradle the profile gradle
needs to be activated (-P gradle
).
mvn clean install
During the install
ation phase of mvn
all the tests are run. Long-running tests can be disabled with the flag -DexcludedGroups=org.eclipse.steady.shared.categories.Slow
.
Due to the current lack of an authentication and authorization mechanism, it is NOT recommended to run the Web frontends and server-side microservices on systems accessible from the Internet.
Other limitations:
META-INF/versions
are simply ignored)This work is partly funded by the EU under the H2020 research project SPARTA (Grant No.830892).
Documentation · Support · Contributing · Deploy guide · Scan guide · Vulnerability database · Blog