Java package scanning

Software vulnerabilities are weaknesses that can either cause an accidental system failure or be intentionally exploited. The On-Demand Scanning API allows you to manually scan container images for vulnerabilities in system packages and vulnerabilities in Maven packages.

See pricing to learn more about the costs associated with scanning container images.

Vulnerability sources

The On-Demand Scanning API supports Java vulnerability scanning for Maven packages within a container image. The vulnerability data is obtained from the GitHub Advisory Database.

Additionally, it also scans the container for system package vulnerabilities. See the container scanning overview for more information.

Supported versions

Java vulnerability scanning supports Maven packages that follow the Maven naming conventions. If the package version includes spaces, it won't be scanned.

Severity levels for vulnerabilities

On-Demand Scanning uses the following severity levels:

  • Critical
  • High
  • Medium
  • Low
  • Minimal

The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. For example, if a vulnerability enables a remote user to easily access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.

Two types of severity are associated with each vulnerability:

  • Effective severity - Depending on the vulnerability type:

    • OS packages - The severity level assigned by the Linux distribution. If distribution-specific severity levels are unavailable, On-Demand Scanning uses the severity level assigned by the note provider.
    • Language packages - The severity level assigned by the GitHub Advisory Database, with a slight difference: Moderate is reported as Medium.
  • CVSS score - The Common Vulnerability Scoring System score and associated severity level, with two scoring versions:

    • CVSS 2.0 - Available when using the API, the Google Cloud CLI, and the GUI.
    • CVSS 3.1 - Available when using the API and the gcloud CLI.

For a given vulnerability, the severity derived from a calculated CVSS score might not match the effective severity. You can decide the vulnerability score relevant for your project.

What's next