Java package scanning

Software vulnerabilities are weaknesses that can cause an accidental system failure or provide bad actors a means to compromise your software. To help you identify vulnerabilities and mitigate risk, Artifact Analysis provides two types of Java (Maven) package scanning:

• The On-Demand Scanning API allows you to manually scan container images for vulnerabilities in Java packages, either locally on your computer or remotely in Artifact Registry or Container Registry (Deprecated).

• The Container Scanning API allows you to automatically scan Java application packages each time you push an image to Artifact Registry.

See pricing to learn more about the costs associated with scanning container images.

Vulnerability sources

Artifact Analysis supports vulnerability scanning for Java (Maven) packages within a container image. The vulnerability data is obtained from the GitHub Advisory Database.

In most cases, each vulnerability is assigned a CVE ID and this ID becomes the main identifier for that vulnerability. In cases where there is no CVE ID assigned to a vulnerability, a GHSA ID is assigned as identifier instead. If later on that vulnerability gets a CVE ID, then the vulnerability ID is updated to match the CVE. See Check for a specific vulnerability in a project for more information.

Supported versions

Artifact Analysis supports Maven packages that follow the Maven naming conventions. If the package version includes spaces, it won't be scanned.

Severity levels for vulnerabilities

Artifact Analysis uses the following severity levels:

• Critical
• High
• Medium
• Low
• Minimal

The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. For example, if a vulnerability enables a remote user to easily access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.

Two types of severity are associated with each vulnerability:

• Effective severity - Depending on the vulnerability type:
  • OS packages - The severity level assigned by the Linux distribution maintainer. If these severity levels are unavailable, Artifact Analysis uses the severity value from the note provider, (NVD). If NVD's CVSS v2 rating is unavailable, Artifact Analysis uses the CVSS v3 rating from NVD.
  • Language packages - The severity level assigned by the GitHub Advisory Database, with a slight difference: Moderate is reported as Medium.

• CVSS score - The Common Vulnerability Scoring System score and associated severity level, with two scoring versions:
  • CVSS 2.0 - Available when using the API, the Google Cloud CLI, and the GUI.
  • CVSS 3.1 - Available when using the API and the gcloud CLI.

For a given vulnerability, the severity derived from a calculated CVSS score might not match the effective severity. You can determine the vulnerability score relevant for your project.

What's next

• On-demand Java scanning Quickstart.
• Automate Java package scanning.
• Learn how automatic OS and Java scanning work together in Artifact Registry.