From Vulnerability to Victory: Mastering the CVE Lifecycle for Java Developers
anthonydahanne
21 slides
Oct 08, 2025
About This Presentation
This session provides Java developers with a comprehensive understanding of the CVE lifecycle, including how vulnerabilities are discovered, scored, and disclosed. It covers key vulnerability databases and the security tools that use them, offers practical strategies for remediation and automated dependency management, addresses resolving transitive dependency conflicts in build tools like Maven and Gradle, and discusses approaches to framework end-of-life scenarios. The goal is to empower developers and technical leads to manage security effectively and turn it into a competitive advantage.
Size: 2.62 MB
Language: en
Added: Oct 08, 2025
Slides: 21 pages
Slide Content
From Vulnerability to Victory: Mastering the CVE Lifecycle for Java Developers
Anthony Dahanne, Software developer @Herodevs
@anthony.dahannet.net
framapiaf.org/@anthonydahanne
October 8th 2025
Devoxx Belgium
presentation content and references
What do you expect from this talk?
AI?
You already know about security
Don’t let people enter the building with your badge
Do not click on phishing email
(even if they promise you nice gifts!)
… but a software developer has other responsibilities
Open Web Application Security Project
Your presenter for this session
☕ Java and Go developer, Cloud Architect, DevOps, etc. but also community leader
OSS Maintainer, Non Profit Orgs. President
Agenda
● Static application security testing (SAST)
● Listing your dependencies (SBOM)
● Matching your SBOM with known vulnerabilities (SCA)
○ Operating Systems (OS) Dependencies vulnerabilities
○ Java Dependencies vulnerabilities
○ False positives and other exceptions
● Towards 0 CVEs
Drawing by MoteOo
What you ship to production
Your code
Static application security testing (SAST)
● From within your IDE
○ FindSecurityBugs (Maven / Gradle plugin and local UI)
○ Qodana from JetBrains
● From CI; same list as before but we can add
○ SonarQube
○ GitLab SAST (based on Semgrep)
● There are many others though, mainly commercial tools: Veracode, Checkmarx, Mend, etc.
Drawing by MoteOo
What you ship to production
Your code
Your java deps
Base image + libs
Is there a way to list them all?
What exactly goes to prod?
● Shipping containers? What are the OS libs you included?
● You have to know EVERYTHING that is running in prod: pom.xml? build.gradle? MANIFEST.MF?
● The industry has settled on Software Bill of Materials (SBOMs)
○ Of course, there are several formats
○ SPDX: a bit older, great for licenses
○ CycloneDX: the industry favorite
Side note: pURL vs CPE
● Package URL:
○ pkg:maven/org.springframework.cloud/spring-cloud-bindings@2.0.0
○ well adapted to OSS components
○ soon added to ECMA (European Computer Manufacturers Association)
○ e.g. pkg:npm/@babel/core@7.21.0 pkg:golang/golang.org/x/text@0.3.7
● CPE (Common Platform Enumeration):
○ cpe:2.3:a:vmware:spring_cloud_bindings:2.0.0:*:*:*:*:*:*:*
○ allowed automation against NVD queries
○ maintained by a small group of people, centralized
○ e.g. cpe:2.3:a:babel:core:7.21.0:* cpe:2.3:a:golang:x.text:0.3.7:*
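The pURL/CPE pairs on this slide, worked as an added example (not code from the talk): a small pURL parser, a CPE 2.3 splitter, and a heuristic pURL-to-CPE mapping. The vendor lookup table, the `-` to `_` rewrite and the Go `x/text` to `x.text` rule are assumptions inferred from the slide's three pairs; the point is that a pURL carries no vendor at all, so that piece has to come from a centrally maintained table, which is exactly the CPE property the slide describes.

```python
import re

# Hypothetical helpers (added example): split a Package URL into its parts and
# derive a CPE 2.3 string from it. A pURL does not encode the CPE vendor, so
# vendor_map (an assumption) must supply it for Maven group ids / Go module prefixes.
PURL_RE = re.compile(r"pkg:([^/]+)/(?:(.+)/)?([^/@]+)@([^?#]+)")

def parse_purl(purl: str) -> dict:
    """pkg:<type>/<namespace>/<name>@<version>; the namespace is optional."""
    m = PURL_RE.fullmatch(purl)
    if not m:
        raise ValueError(f"not a versioned pURL: {purl}")
    ptype, namespace, name, version = m.groups()
    return {"type": ptype, "namespace": namespace, "name": name, "version": version}

def purl_to_cpe(purl: str, vendor_map: dict) -> str:
    """Heuristic mapping mirroring the slide's examples (assumed rules, not a standard)."""
    p = parse_purl(purl)
    ns = p["namespace"] or ""
    if p["type"] == "npm" and ns.startswith("@"):
        vendor, product = ns[1:], p["name"]                 # @babel/core -> babel:core
    elif p["type"] == "golang":
        vendor = vendor_map[ns]                              # golang.org/x -> golang
        product = ns.rsplit("/", 1)[-1] + "." + p["name"]   # x/text -> x.text
    else:
        vendor = vendor_map[ns]                              # KeyError: vendor unknown
        product = p["name"].replace("-", "_")                # NVD product names use '_'
    return f"cpe:2.3:a:{vendor}:{product}:{p['version']}:*:*:*:*:*:*:*"

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string on unescaped colons (13 fields in total)."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))

if __name__ == "__main__":
    vendors = {"org.springframework.cloud": "vmware", "golang.org/x": "golang"}
    for purl in ["pkg:maven/org.springframework.cloud/spring-cloud-bindings@2.0.0",
                 "pkg:npm/@babel/core@7.21.0", "pkg:golang/golang.org/x/text@0.3.7"]:
        print(purl, "->", purl_to_cpe(purl, vendors))
```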
What are the tools to generate SBOMs?
● Syft:
○ OSS
○ scans libraries and images
○ formats: CycloneDX, Syft, SPDX
● Maven CycloneDX plugin:
○ OSS
○ directly from your build
● Trivy, Snyk CLI, other vendors
● Your favorite framework! Spring Boot >= 3.3 / Quarkus >= 3.14.3
We have an SBOM! Let’s put it to work!
Diagram: my-app.jar (MyApp.class, spring.jar) and the Ubuntu base image (openssl) are listed in SBOM.json, which feeds a Software Component Analysis (SCA) Dashboard backed by database(s) of vulnerabilities.
The life of a new Vulnerability
Diagram: a finder reports the issue (email the author, tell package registries, submit via bounty programs etc.); a CVE Numbering Authority (CNA) or GHSA assigns an ID; it receives a CVSS rating; it is published to NVD, GitHub, OSV and local advisories; the SCA Dashboard matches SBOM.json against those databases and flags "vuln!".
OS dependencies vulnerabilities
● You not only deploy a jar (or war or… ear!) but a Docker (OCI) image too!
● If you own the Dockerfile or the platform, you’re responsible for them
● Hopefully, you can get rid of them
○ Do you need curl, wget, bash in your image?
● Even better: distroless base images
○ Docker Hardened Images
○ Chainguard Wolfi
○ RapidFort
○ Minimus
● … or ask your vendor to fix the CVEs for you!
Java library dependencies vulnerabilities
● Stay on the latest versions!
○ Try and automate your migration with Renovate for example
○ Regularly check the migration guides for Spring Boot / Quarkus
○ Avoid overriding versions yourself…
https://semver.org/
How to deal with invalid vulnerabilities
● Beware of false positives!
○ Check your SBOMs, make sure no intruders got in during their generation
○ Use custom policies to get rid of them
● Share and reuse your triage efforts
○ Software vendor? Create and share VEX files!
○ Software customer? Ask for VEX files!
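Both the "put the SBOM to work" picture and the VEX slide above, as one added example (not code from the talk or from any of the tools it names): a toy SCA pass that reads a constructed CycloneDX SBOM, matches each component pURL against a constructed advisory feed with placeholder ids, and then applies a constructed CycloneDX VEX document so that a finding the vendor triaged as not_affected is reported as suppressed rather than silently dropped. Assumptions: versions are plain dotted numbers, and the VEX `affects.ref` is the component pURL.

```python
import json, re

# Constructed CycloneDX 1.5 SBOM (added example, not a real project's output) for the
# "my-app.jar + Ubuntu base image" picture: one Java dependency, one OS package.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "spring-cloud-bindings", "version": "2.0.0",
   "purl": "pkg:maven/org.springframework.cloud/spring-cloud-bindings@2.0.0"},
  {"type": "library", "name": "openssl", "version": "3.0.2",
   "purl": "pkg:deb/ubuntu/openssl@3.0.2"}]}"""

# Constructed advisory feed (placeholder ids, NOT real CVEs): version-less pURL ->
# [(advisory id, first fixed version)]. Real SCA tools pull this from NVD/OSV/GHSA.
ADVISORIES = {"pkg:maven/org.springframework.cloud/spring-cloud-bindings": [("ADV-PLACEHOLDER-1", "2.0.1")],
              "pkg:deb/ubuntu/openssl": [("ADV-PLACEHOLDER-2", "3.0.3")]}

# Constructed CycloneDX VEX document: the vendor's triage says ADV-PLACEHOLDER-1 is
# not exploitable in this app, so a customer receiving it can suppress that finding.
VEX_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
  {"id": "ADV-PLACEHOLDER-1", "analysis": {"state": "not_affected"},
   "affects": [{"ref": "pkg:maven/org.springframework.cloud/spring-cloud-bindings@2.0.0"}]}]}"""

def version_key(v: str) -> tuple:
    return tuple(int(x) for x in re.findall(r"\d+", v))  # assumption: dotted numeric versions

def vex_suppressions(vex_json: str) -> set:
    """(advisory id, affected ref) pairs that the VEX marks as not_affected."""
    out = set()
    for v in json.loads(vex_json).get("vulnerabilities", []):
        if v.get("analysis", {}).get("state") == "not_affected":
            out.update((v["id"], a["ref"]) for a in v.get("affects", []))
    return out

def scan(sbom_json: str, advisories: dict, vex_json: str = None) -> list:
    """Match every component pURL against the feed; tag VEX-suppressed hits instead of hiding them."""
    suppressed = vex_suppressions(vex_json) if vex_json else set()
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue                      # no pURL: the SCA has nothing to match on
        base, _, version = purl.rpartition("@")
        for adv_id, fixed_in in advisories.get(base, []):
            if version_key(version) < version_key(fixed_in):
                status = "suppressed_by_vex" if (adv_id, purl) in suppressed else "affected"
                findings.append({"purl": purl, "id": adv_id, "fixed_in": fixed_in, "status": status})
    return findings

if __name__ == "__main__":
    for f in scan(SBOM_JSON, ADVISORIES, VEX_JSON):
        print(f"{f['status']:18} {f['id']} {f['purl']} (fixed in {f['fixed_in']})")
```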
Conclusion: towards 0 CVEs?
● Start integrating SAST in your pipeline, any tool will do!
○ Review and enable all GitHub/GitLab security features
● Start generating SBOMs, even if you don’t vuln-check them yet!
● Use distroless base images as much as you can!
● Migrate before your framework minor is EOL!
● Share your VEX files!
https://linktr.ee/nocve
presentation content and references