• Stars
    star
    518
  • Rank 85,414 (Top 2 %)
  • Language
    Java
  • License
    Apache License 2.0
  • Created over 6 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/

Eclipse Steady (Incubator Project)

License PRs Welcome Maven Central CII Best Practices REUSE status

Discover, assess and mitigate known vulnerabilities in your Java projects

Eclipse Steady supports software development organizations in regards to the secure use of open-source components during application development. The tool analyzes Java applications in order to:

  • detect whether they depend on open-source components with known vulnerabilities,
  • collect evidence regarding the execution of vulnerable code in a given application context (through the combination of static and dynamic analysis techniques), and
  • support developers in the mitigation of such dependencies.

As such, it addresses the OWASP Top 10 security risk A6, Vulnerable and Outdated Components, which is often the root cause of data breaches: snyk.io/blog/owasp-top-10-breaches

In comparison to other tools, the detection is code-centric and usage-based, which allows for more accurate detection and assessment than tools relying on meta-data. It is a collection of client-side scan tools, microservices and rich OpenUI5 Web frontends.

Disclaimer

Please note the following:

  • Steady can only find vulnerabilities maintained in Project KB, which is Steady's only source of vulnerability information. The reason is that only Project KB provides information about fix commits in a systematic way and in machine readable format. As of September 2022, Project KB contains roughly 700+ vulnerabilities, with little coverage of the years 2021 and later.
  • The ideal Steady setup is to run the Docker Compose application on an internal cloud, with CI/CD systems and developer work stations connecting to that instance. This makes the operation of Steady more heavy-weight compared to other open source vulnerablity scanners like OWASP Dependency Check. This architecture comes with some advantages and disadvantages. For example, scan results from different systems are uploaded to such central server, which offers a user interface with various features to explore application dependencies and understand vulnerability exploitability. On the other hand, the architecture makes it more difficult to run some quick tests.

As a consequence, we recommend Steady primarily for organizations that can afford (a) hosting Steady on their internal cloud and (b) dedicating resources to contribute to the vulnerability information in Project KB.

Quickstart

This section provides the bare minimum to setup Steady and to use its Maven plugin for scanning a Java application.

  1. The Steady backend, a Docker Compose application, stores information about open-source vulnerabilities and scan results. It has to be installed once, ideally on a dedicated host, and must be running during application scans.

    Download and run setup-steady.sh to install the backend on any host with a recent version of Docker/Docker Compose (the use of profiles requires a version >= 1.28, installable with pip install docker-compose or as described here).

    Notes:

    • Tested with Docker 20.10.11 + Docker Compose 1.29.2 on Intel Macs with macOS 12.3.1, and Docker 20.10.15 + Docker Compose 1.29.0 on Ubuntu 20.04.4 and 18.04.6.
    • During its first execution, triggered by the setup script or directly using start-steady.sh -s ui, the backend will be bootstrapped by downloading and processing code-level information of hundreds of vulnerabilities maintained in the open-source knowledge base Project KB. While the bootstrapping can take up to two hours, later updates will import the delta on a daily basis. Run start-steady.sh -s none to shut down all Docker Compose services of the backend.
  2. A Steady scan client, e.g. the Maven plugin, analyzes the code of your application project and its dependencies. Being available on Maven Central, the clients do not require any installation. However, they need to be run whenever your application's code or dependencies change.

    In case application scan and Steady backend run on different hosts, the scan clients must be configured accordingly. Just copy and adjust the file ~/.steady.properties, which has been created in the user's home directory during the backend setup.

    For Maven, cd into your project and run the app analysis goal as follows (see here for more information about available goals):

    mvn org.eclipse.steady:plugin-maven:3.2.0:app

    Note: During application scans, a lot of information about its dependencies is uploaded to the backend, which makes that the first scan takes significantly more time than later scans of the same application.

History

Originally developed by SAP Security Research, the tool has been productively used at SAP between late 2016 and April 2021. As of April 2017, the tool was the officially recommended open-source scan solution for Java (and then Python) applications at SAP. As of April 2019, it has been used to perform 1M+ scans of ~1000 Java and Python development projects.

The tool approach is best described in the following scientific papers, please cite these if you use the tool for your research work:

Features

  • Detection of vulnerable code is realized by discovering method signatures in Java archives and comparing their source and byte code with the vulnerable and fixed version (as known from the fix commit). As such, the detection is more accurate than for approaches based on meta-data (less false-positives and false-negatives). In particular, it is robust against rebundling, a very common practice in the Java ecosystem.
  • Assessment of vulnerable dependencies by application developers and security experts is supported by information about the potential and actual execution of vulnerable code. This information is based on call graph analysis and trace information collected during JUnit and integration tests. Going down to the granularity of single methods, application developers are presented with the potential and actual call stack from application code till vulnerable code.
  • The addition of new vulnerabilities to the knowledge base does not require the re-scan of applications. In other words, right after an addition to the knowledge base, it is immediately known whether previously scanned applications are affected or not.
  • Mitigation proposals consider the reachable share of dependencies, i.e., the set of methods that can be potentially reached from application code union the actual executions observed during tests. This information is used to compute several metrics aiming to let developers chose the best non-vulnerable replacement of a vulnerable dependency (best in regards to non-breaking and with least regression likelihood).
  • Individual findings can be exempted if developers come to the conclusion that a vulnerability cannot be exploited in a given application-context. This information can be maintained in an auditable fashion (incl. timestamp and author information) and typically prevents build exceptions during CI/CD pipelines.
  • Organization-internal CERTs can query for all applications affected by a given vulnerability. This feature supports, for instance, larger development organizations with many software applications developed by distributed and de-central development units.

Requirements

Eclipse Steady has a distributed architecture composed of a couple of Spring Boot microservices, two Web frontends and a number of client-side scanners/plugins, which perform the actual analysis of application and dependency code on build systems or developer workstations.

To build/test the entire project, the following tools are needed:

Build and Test

Eclipse Steady is built with Maven. The module lang-python requires Python 3 to be installed. To enable the support for Gradle the profile gradle needs to be activated (-P gradle).

mvn clean install

During the installation phase of mvn all the tests are run. Long-running tests can be disabled with the flag -DexcludedGroups=org.eclipse.steady.shared.categories.Slow.

Limitations

Due to the current lack of an authentication and authorization mechanism, it is NOT recommended to run the Web frontends and server-side microservices on systems accessible from the Internet.

Other limitations:

  • Static and dynamic analyses are not implemented for Python
  • Java 9 multi-release archives are not supported (classes below META-INF/versions are simply ignored)

Acknowledgement

This work is partly funded by the EU under the H2020 research project SPARTA (Grant No.830892).

Documentation ยท Support ยท Contributing ยท Deploy guide ยท Scan guide ยท Vulnerability database ยท Blog

More Repositories

1

mosquitto

Eclipse Mosquitto - An open source MQTT broker
C
7,649
star
2

che

Kubernetes based Cloud Development Environments for Enterprise Teams
TypeScript
6,868
star
3

jetty.project

Eclipse Jettyยฎ - Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more
Java
3,655
star
4

paho.mqtt.android

MQTT Android
Java
2,708
star
5

paho.mqtt.golang

Go
2,381
star
6

eclipse-collections

Eclipse Collections is a collections framework for Java with optimized data structures and a rich, functional and fluent API.
Java
2,283
star
7

paho.mqtt.java

Eclipse Paho Java MQTT client library. Paho is an Eclipse IoT project.
Java
2,095
star
8

paho.mqtt.python

paho.mqtt.python
Python
1,946
star
9

sumo

Eclipse SUMO is an open source, highly portable, microscopic and continuous traffic simulation package designed to handle large networks. It allows for intermodal simulation including pedestrians and comes with a large set of tools for scenario creation.
1,902
star
10

paho.mqtt.c

An Eclipse Paho C client library for MQTT for Windows, Linux and MacOS. API documentation: https://eclipse.github.io/paho.mqtt.c/
C
1,736
star
11

eclipse.jdt.ls

Java language server
Java
1,410
star
12

mraa

Linux Library for low speed IO Communication in C with bindings for C++, Python, Node.js & Java. Supports generic io platforms, as well as Intel Edison, Intel Joule, Raspberry Pi and many more.
C
1,349
star
13

paho.mqtt.embedded-c

Paho MQTT C client library for embedded systems. Paho is an Eclipse IoT project (https://iot.eclipse.org/)
C
1,307
star
14

openvsx

An open-source registry for VS Code extensions
Java
1,181
star
15

paho.mqtt.javascript

paho.mqtt.javascript
JavaScript
1,145
star
16

paho.mqtt.cpp

C++
976
star
17

milo

Eclipse Miloโ„ข - an open source implementation of OPC UA (IEC 62541).
Java
976
star
18

omr

Eclipse OMRโ„ข Cross platform components for building reliable, high performance language runtimes
C++
917
star
19

xtext

Eclipse Xtextโ„ข is a language development framework
Java
715
star
20

upm

UPM is a high level repository that provides software drivers for a wide variety of commonly used sensors and actuators. These software drivers interact with the underlying hardware platform through calls to MRAA APIs.
C++
651
star
21

microprofile

Repository for important documentation - the index to the project / community
Java
635
star
22

californium

CoAP/DTLS Java Implementation
Java
620
star
23

leshan

Java Library for LWM2M
Java
614
star
24

paho.mqtt-spy

mqtt-spy is an open source desktop & command line utility intended to help you with monitoring activity on MQTT topics
Java
605
star
25

sprotty

A diagramming framework for the web
TypeScript
514
star
26

paho.mqtt.m2mqtt

C#
513
star
27

jifa

๐Ÿ”ฌ Online Heap Dump, GC Log, Thread Dump & JFR File Analyzer.
Java
509
star
28

buildship

The Eclipse Plug-ins for Gradle project.
Java
507
star
29

lsp4j

A Java implementation of the language server protocol intended to be consumed by tools and language servers implemented in Java.
Java
473
star
30

kura

Eclipse Kuraโ„ข project
Java
469
star
31

wakaama

Eclipse Wakaama is a C implementation of the Open Mobile Alliance's LightWeight M2M protocol (LWM2M).
C
465
star
32

streamsheets

An open-source tool for processing stream data using a spreadsheet-like interface.
JavaScript
449
star
33

paho.mqtt.rust

paho.mqtt.rust
Rust
422
star
34

hawkbit

Eclipse hawkBitโ„ข
Java
416
star
35

eclipse-collections-kata

Eclipse Collections Katas
Java
411
star
36

hono

Eclipse Honoโ„ข Project
Java
378
star
37

repairnator

Software development bots for Github. Join the bot revolution! ๐ŸŒŸ๐Ÿค–๐ŸŒŸ๐Ÿ’ž
Java
370
star
38

ponte

Ponte Project
JavaScript
360
star
39

birt

Eclipse BIRTโ„ข The open source reporting and data visualization project.
Java
355
star
40

paho.golang

Go libraries
Go
324
star
41

rdf4j

Eclipse RDF4J: scalable RDF for Java
Java
323
star
42

paho.mqtt-sn.embedded-c

Paho C MQTT-SN gateway and libraries for embedded systems. Paho is an Eclipse IoT project.
C++
313
star
43

lemminx

XML Language Server
Java
255
star
44

vorto

Vorto Project
Java
221
star
45

tahu

Eclipse Tahu addresses the existence of legacy SCADA/DCS/ICS protocols and infrastructures and provides a much-needed definition of how best to apply MQTT into these existing industrial operational environments.
Java
220
star
46

kapua

Java
218
star
47

elk

Eclipse Layout Kernel - Automatic layout for Java applications.
Java
211
star
48

jnosql

Eclipse JNoSQL is a framework which has the goal to help Java developers to create Jakarta EE applications with NoSQL.
Java
210
star
49

corrosion

Eclipse Corrosion - Rust edition in Eclipse IDE
Java
199
star
50

capella

Open Source Solution for Model-Based Systems Engineering
Java
197
star
51

dirigible

Eclipse Dirigibleโ„ข Project
JavaScript
196
star
52

microprofile-config

MicroProfile Configuration Feature
Java
182
star
53

wildwebdeveloper

Simple and productive Web Development Tools in the Eclipse IDE
Java
181
star
54

pdt

PHP Development Tools project (PDT)
PHP
178
star
55

org.aspectj

Java
172
star
56

xacc

XACC - eXtreme-scale Accelerator programming framework
C++
137
star
57

thingweb.node-wot

thingweb.node-wot
TypeScript
130
star
58

microprofile-rest-client

MicroProfile Rest Client
Java
124
star
59

tycho

Tycho project repository (tycho)
Java
119
star
60

microprofile-conference

Microprofile.io Demo Code - Web Services Conference Application
Java
117
star
61

microprofile-fault-tolerance

microprofile fault tolerance
Java
115
star
62

microprofile-samples

Micro Profile Samples
Java
115
star
63

xtext-core

xtext-core
Java
114
star
64

microprofile-open-api

Microprofile open api
Java
112
star
65

jbom

Java
111
star
66

gef

Eclipse GEFโ„ข
Java
111
star
67

transformer

Eclipse Transformer provides tools and runtime components that transform Java binaries, such as individual class files and complete JARs and WARs, mapping changes to Java packages, type names, and related resource names.
Java
108
star
68

paho.mqtt.testing

An Eclipse Paho project - a Python broker for testing
Python
104
star
69

tinydtls

Eclipse tinydtls
C
102
star
70

xtext-xtend

xtext-xtend
Java
100
star
71

microprofile-graphql

microprofile-graphql
Java
98
star
72

microprofile-lra

microprofile-lra
Java
97
star
73

microprofile-health

microprofile-health
Java
95
star
74

microprofile-metrics

microprofile-metrics
Java
94
star
75

kuksa.val

kuksa.val
C++
93
star
76

sw360

SW360 project
Java
92
star
77

microprofile-jwt-auth

Java
92
star
78

mosaic

Eclipse MOSAIC is a Multi-Domain and Multi-Scale Simulation Framework for Automated and Connected Mobility Scenarios.
Java
88
star
79

nebula

Nebula Project
Java
84
star
80

microprofile-reactive-streams-operators

Microprofile project
Java
79
star
81

mosquitto.rsmb

Mosquitto rsmb
C
75
star
82

microprofile-starter

MicroProfile project generator source code
Java
69
star
83

aCute

Eclipse aCute - C# edition in Eclipse IDE
Java
65
star
84

ditto-examples

Eclipse Dittoโ„ข: Digital Twin framework - Examples
Java
63
star
85

epsilon

Epsilon is a family of Java-based scripting languages for automating common model-based software engineering tasks, such as code generation, model-to-model transformation and model validation, that work out of the box with EMF (including Xtext and Sirius), UML (including Cameo/MagicDraw), Simulink, XML and other types of models.
Java
61
star
86

lsp4e

Language Server Protocol support in Eclipse IDE
Java
60
star
87

tm4e

TextMate support in Eclipse IDE
Java
60
star
88

californium.tools

Californium project
Java
59
star
89

microprofile-reactive-messaging

Java
59
star
90

microprofile-opentracing

microprofile-opentracing
Java
57
star
91

eclemma

๐ŸŒ˜ใ€€Java Code Coverage for Eclipse IDE
Java
57
star
92

texlipse

Eclipse Texlipse
Java
56
star
93

mita

mita
Xtend
55
star
94

dartboard

Dart Plugin for Eclipse
Java
55
star
95

jnosql-databases

This project contains Eclipse JNoSQL databases
Java
54
star
96

windowbuilder

Eclipse Windowbuilder
Java
54
star
97

xtext-eclipse

xtext-eclipse
Java
49
star
98

adore

Eclipse ADORe is a ROS based modular software library and toolkit for decision making, planning, control and simulation of automated vehicles supporting CARLA and SUMO.
Makefile
48
star
99

packages

IoT Packages project
Smarty
46
star
100

amlen

Message Broker for IoT/Mobile/Web. Mainly uses MQTT v3.x and v5. Aims to be easy to use, scalable and reliable
C
46
star