Azul has introduced an replace to its Vulnerability Detection resolution that guarantees to scale back false positives in Java vulnerability detection by as much as 99% by solely flagging vulnerabilities in code paths which can be truly used.
In line with Azul, typical scanners scan JAR information for elements by title, reasonably than what the JVM truly masses.
Erik Costlow, senior director of product administration at Azul, defined due to the best way Java functions work, every element comprises many lessons, and regardless that a element could also be within the Frequent Vulnerabilities and Exposures (CVE) database, an software won’t be loading the a part of the element that’s susceptible.
“Log4j, for instance, has over 10,000 lessons, and there’s solely like 5 – 6 of them which can be truly susceptible. So, what we discover is that many individuals use the susceptible issues, however they use it in a secure manner,” he mentioned.
As one other instance, CVE-2024-1597 describes a vital (9.8 out of 10 rating) vulnerability in pgjdbc, which is a PostgreSQL JDBC driver. The vulnerability permits SQL injection if PreferQueryMode=SIMPLE is used. Nonetheless, the entry within the CVE database says “Be aware this isn’t the default. Within the default mode there isn’t any vulnerability.”
A developer will be utilizing this element and until they exit of their manner and use PreferQueryMode=SIMPLE, they’re secure, Costlow defined.
“What occurs is many individuals take a look at this rating, and so they say it’s a ten out of 10, drop every thing, dedicate my engineers to take care of this safety vulnerability,” mentioned Costlow. “However the reality is, nearly all of them are utilizing it within the default mode, wherein case there’s no vulnerability. So, if I’ve taken my individuals off all of the necessary work that they’re doing, and I’ve mentioned, ‘go repair this vulnerability, patch it proper now’ as a result of it’s a vital 10 out of 10, I’ve simply wasted an enormous period of time.”
In line with Costlow, any such situation the place a developer can be utilizing a vulnerability element, however not truly activating the a part of it that’s susceptible is pretty widespread.
The most recent replace to Azul Vulnerability Detection makes use of a curated information base that maps CVEs to lessons which can be used at runtime. The corporate constructed this by trying on the CVE database and asking how most of the elements truly associated to Java. Subsequent, it went by means of these elements and discovered what elements of them are problematic and why.
This curated database allows Azul to flag if one of many susceptible lessons within the CVE database is definitely being utilized by the elements in a Java software, or if the applying is utilizing different lessons of a susceptible element that aren’t thought of to be susceptible items.
“What Azul does with vulnerability detection that’s totally different from most of the different scanners is we frequently watch that software to say, ‘did you truly use the factor?’ It’s one factor to have the susceptible element. Individuals have susceptible elements. There are numerous issues that pose a threat to you, however the query is, do you truly use it in a manner that poses a threat to you? What we discovered, is that fairly typically that reply is not any,” Costlow mentioned.
