Welcome to the SecureChain Java Library Vulnerability Remediation Workflow guide. Our comprehensive process ensures that we identify, fix, and validate Java libraries to make them secure and free from known vulnerabilities. Below you'll find an in-depth guide on how we go through the remediation process, from scanning dependencies to publishing a safe artifact.
Note: A graphical representation of the workflow process is also included for easy understanding.
We begin by scanning the entire dependency chain of a given artifact. This helps us identify all vulnerable components.
- Safe Version Replacement: If a safe version exists, we exclude the vulnerable version and include the safe one.
- Manual Fixes: In cases where no safe version exists, we manually apply known patches to the code while ensuring backward compatibility.
To make it clear that a library has undergone our remediation process, we add a suffix to the artifact's group ID, so the remediated artifact never shares coordinates with the original one.
Once the modified library is ready, it undergoes another round of scanning with external application security tools to check for any remaining vulnerabilities or potential backdoors.
We perform rigorous API testing to compare the behavior of the library before and after our modifications. This is to ensure that the functionality of the library remains intact.
When we are confident that a library is secure and functions as expected, we publish it to a secure, accessible artifact repository.
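As an added illustration of the "Manual Fixes" and group-ID suffix steps above (this is example build configuration, not SecureChain's own files), the Gradle script below redirects every transitive request for a vulnerable library to a remediated copy published under a suffixed group ID, and then fails the build if the original coordinates still appear in the resolved classpath. The coordinates `com.example:legacy-parser`, the suffix `.securechain` and the repository URL are assumptions for illustration only.

```groovy
// Added example, not part of the original page. All coordinates are assumed:
// the vulnerable transitive dependency is com.example:legacy-parser (any version)
// and the patched copy is published as com.example.securechain:legacy-parser:1.4.0.
plugins {
    id 'java-library'
}

repositories {
    mavenCentral()
    // Assumed location of the remediation artifact repository.
    maven {
        url = uri('https://repo.example.invalid/securechain')
    }
}

dependencies {
    // Assumed direct dependency that pulls legacy-parser in transitively.
    implementation 'org.example:some-framework:2.3.0'
}

configurations.all {
    resolutionStrategy.dependencySubstitution {
        // No safe upstream release exists, so every request for the original
        // module (whatever version) is replaced by the remediated artifact.
        substitute module('com.example:legacy-parser') using module('com.example.securechain:legacy-parser:1.4.0')
    }
}

// Post-replacement check: the original coordinates must not survive resolution.
tasks.register('verifyRemediation') {
    description = 'Fails if the vulnerable legacy-parser coordinates are still on the runtime classpath.'
    doLast {
        def ids = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts.collect { it.moduleVersion.id }
        def leaked = ids.findAll { it.group == 'com.example' && it.name == 'legacy-parser' }
        if (!leaked.isEmpty()) {
            throw new GradleException("Vulnerable artifact still resolved: ${leaked}")
        }
        logger.lifecycle("Remediated artifacts in use: ${ids.findAll { it.group.endsWith('.securechain') }}")
    }
}

// Run the check as part of every build.
tasks.named('check') {
    dependsOn 'verifyRemediation'
}
```

Running `gradle dependencies --configuration runtimeClasspath` shows the substitution as `com.example:legacy-parser -> com.example.securechain:legacy-parser:1.4.0`, which is the trail a reviewer can follow when rescanning the modified dependency graph.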
Currently, we only support open-source software (OSS) whose source code is:
- written in the Java programming language;
- hosted in a Git version control system;
- built using one of the following build tools: Gradle or Maven.