Java Libraries

Select Java libraries to view the list of Java libraries associated with the selected fleet.

The Java libraries detected during the Scan for Java Libraries are listed in the table.

The Summary of detected libraries (Last 90 days) section provides:
  • Total libraries detected: The number of libraries found on the classpath as identified by static scan(s).
  • Libraries detected by dynamic scan: The number of libraries used at runtime as identified by dynamic scan(s).

The Vulnerable library breakdown (last 90 days) summarizes the count of libraries by their vulnerability severity: high, medium, and low.

In the Search and Filter text field, you can filter the displayed resources by using the drop-down menu. The available options include:

  • Library: filter the list of Java libraries by application libraries
  • Highest CVSS score: filter the list of Java libraries by CVSS score
  • Confidence level: filter the list of Java libraries by confidence level

Use the Applied filters drop-down to select the required time period for displaying the resources. By default, resources pertaining to the last 7 days are displayed.

You can customize the table columns by using the Manage columns icon.

The following Java libraries information is presented in the table:

  • Library: application Java libraries that were detected during the scan
  • Version: version number of the Java library
  • Vulnerabilities: an array of vulnerabilities, each identified by a GitHub Security Advisory (GHSA) ID or a Common Vulnerabilities and Exposures (CVE) ID number. This is a unique qualifier assigned when a new advisory is created on GitHub or added to the GitHub Advisory Database from any of the supported sources. Select the associated link to view the details on the GitHub Security Advisory (https://github.com/advisories) site or National Vulnerability Database (NVD) (https://nvd.nist.gov/vuln) site respectively.
  • Highest CVSS score: the CVSS score indicates the severity of the security vulnerability. JMS uses the CVSS version 3.0 scoring system. The scores are provided by the National Vulnerability Database and denote the following:
    • 7 - 10: This library has vulnerabilities with High severity.
    • 4 - 6.9: This library has vulnerabilities with Medium severity.
    • 0.1 - 3.9: This library has vulnerabilities with Low severity.
    • 0: This library has no vulnerabilities.
    • Unknown: The severity of the vulnerabilities in this library is unknown. There could be a lack of information needed to determine the CVSS scores, but this doesn't guarantee that there are no vulnerabilities.
      Note

      • Java libraries are identified using static analysis based on well-known signatures, which may miss intentionally obfuscated or less well-known libraries. Scan for Java Libraries might not have identified all library dependencies of the application.
      • Analysis might not have identified all vulnerabilities.
      • Vulnerability information for identified libraries that was last refreshed five hours ago could be outdated. To detect new vulnerabilities, we recommend that you perform the scan for Java libraries frequently.

      Therefore, the results of the analysis are not to be treated as absolute. You might need to run other security scans.

  • Confidence level: the confidence level of detection of vulnerabilities in a library.
    • High: high confidence in identification of library vulnerabilities as the library's group ID was present
    • Medium: medium confidence in identification of library vulnerabilities as the library's group ID was absent and a derived group ID was used
    • Low: low confidence in identification of library vulnerabilities as the library's group ID was absent and a group ID could not be derived
  • Detected dynamically: indicates whether the library was loaded dynamically by your applications at runtime.
  • Deployed Application: the deployed applications that use the libraries
  • Managed Instance: the number of instances where the libraries have been detected
  • First reported: date and time when the libraries were first detected
  • Last reported: date and time when the libraries were last reported

From the Actions menu (vertical ellipsis icon), select View all vulnerabilities. The Vulnerabilities page opens and includes a table that displays the vulnerabilities and CVSS score.

In the Items per page field, choose 10, 25, 50, or 100 items to display. Select the header of a column to sort the list based on the title of the column.

Select the library name to view the details. See Java Library Information.