Since I already liked the tool before, I was quite interested to see what they have changed and was happy to do another test. The test setup partly changed: While I did scan the same repositories again (JavaSecurity and ApplicationIntrusionDetection) I did switch to their Travis CI integration and did an automatic scan after a successful build. I did scan the latest version of the pom files, the listed dependencies (their versions) therefore changed since my first scan in May 2016.
On the first run in May 2016, one critical vulnerability in Apache Commons BeanUtils has been reported. Now there are two more: One in Apache Commons FileUpload and one in Xalan. Plus another medium one in FileUpload.
Here the scan changed from zero vulnerabilities to one medium in OGNL.
All discovered vulnerabilities have been disclosed before my first scan in May, so they did a nice job updating their scanner and detection capabilities since then.
What I extremely like is how they display the dependency graph of a vulnerable dependency, enabling you to easily figure out its origin:
There are plenty more options to find out more details about an identified vulnerability and whether or not it has been fixed (including the fixed version). There seem to be some cases where this is not working correctly (see below with Spring AOP or Spring Beans, where the latest version is older than my used version), but I’m sure they will fix this small issue in a future update.
Use it! It is free and easy to use. Travis CI integration is working smoothly and the setup is described in their docs section for this and other scenarios. The reports provide a lot of useful details to help you either update the dependency or live with the vulnerability. The only thing I’m missing right now is a badge to display the scan results in a GitHub repository readme…