Spring Boot Online Dependency Vulnerability Scanner: One‑Click Detection of Potential Security Issues

This guide presents a lightweight Spring Boot dependency vulnerability scanner that automatically collects all project JARs, matches them against a CVE database, visualizes risk levels, provides detailed remediation steps and can be integrated into local development, emergency response, and CI/CD pipelines.

Problem

Typical Spring Boot applications contain 100+ third‑party JARs (e.g., spring-boot-starter, MyBatis, Log4j). Developers often use vulnerable versions without realizing it, and vulnerability information is scattered across CVE notices, NVD, and GitHub issues.

Existing solutions

OWASP Dependency‑Check: feature‑rich but heavyweight and lacks Chinese documentation.

Snyk / WhiteSource: commercial products; some capabilities require a paid plan.

Manual audit: error‑prone and inefficient.

Proposed solution

A lightweight, plug‑in‑ready Spring Boot dependency‑vulnerability scanner that automatically collects all JARs, matches them against an online vulnerability database, and presents CVE details, severity, safe version ranges and reference links in a sortable table.

System design

Dependency collector: extracts groupId, artifactId and version from every JAR on the classpath.

Online vulnerability scanner: queries an external vulnerability service using the groupId/artifactId/version triple.

Vulnerability matcher: determines whether a version falls inside a vulnerable range.

Result presentation layer: Spring Boot REST API returns JSON; a front‑end page renders the data.

Key implementation

Vulnerability data structure

public class Vulnerability {
    private String cve;
    private String description;
    private String severity;
    private String vulnerableVersions;
    private String safeVersion;
    private String reference;

    public boolean isVersionVulnerable(String version) {
        // Maven ArtifactVersion can be used for range matching
        return VersionRangeChecker.isVulnerable(version, vulnerableVersions);
    }
}

Example entry in the local JSON database:

[
  {
    "groupId": "org.apache.logging.log4j",
    "artifactId": "log4j-core",
    "vulnerableVersions": "<=2.14.1",
    "safeVersion": "2.15.0+",
    "cve": "CVE-2021-44228",
    "description": "Log4j 2 JNDI remote code execution vulnerability.",
    "severity": "Critical",
    "reference": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
  }
]
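The class above delegates to a VersionRangeChecker that the page does not show. The following is an added example, not the project's code: a dependency-free checker for the comparison strings used in the JSON database ("<=2.14.1"), extended to comma-joined constraints (">=2.0,<2.15.0") and Maven bracket ranges ("[2.0,2.14.1]"), which is more than the single entry above needs. In production, Maven's DefaultArtifactVersion (the "ArtifactVersion" the comment above refers to) is the more complete comparator; this version orders a pre-release such as "2.15.0-rc1" below "2.15.0" so that it is still flagged by "<2.15.0".

```java
// Added example (not the project's code): matches a dependency version against the
// "vulnerableVersions" strings of the local JSON database described on this page.
public final class VersionRangeChecker {
    // True if 'version' satisfies every comma-separated constraint, or lies in the Maven range.
    public static boolean isVulnerable(String version, String range) {
        String r = range.trim();
        if (r.startsWith("[") || r.startsWith("(")) return inMavenRange(version, r);
        for (String c : r.split(",")) {
            if (!satisfies(version, c.trim())) return false;
        }
        return true;
    }
    // One constraint: "<=", ">=", "<", ">", "=" or a bare version (exact match).
    private static boolean satisfies(String v, String c) {
        if (c.startsWith("<=")) return compare(v, c.substring(2)) <= 0;
        if (c.startsWith(">=")) return compare(v, c.substring(2)) >= 0;
        if (c.startsWith("<")) return compare(v, c.substring(1)) < 0;
        if (c.startsWith(">")) return compare(v, c.substring(1)) > 0;
        return compare(v, c.startsWith("=") ? c.substring(1) : c) == 0;
    }
    // Maven syntax: "[a,b]" inclusive, "(a,b)" exclusive, "[,b]" or "[a,]" open on one side.
    private static boolean inMavenRange(String v, String r) {
        boolean lowIncl = r.charAt(0) == '[', highIncl = r.charAt(r.length() - 1) == ']';
        String[] b = r.substring(1, r.length() - 1).split(",", -1);
        String low = b[0].trim(), high = b.length > 1 ? b[1].trim() : low;
        if (!low.isEmpty()) {
            int c = compare(v, low);
            if (c < 0 || (c == 0 && !lowIncl)) return false;
        }
        if (!high.isEmpty()) {
            int c = compare(v, high);
            if (c > 0 || (c == 0 && !highIncl)) return false;
        }
        return true;
    }
    // Segment-wise numeric comparison; missing segments count as 0, non-numeric segments
    // as 0, and a release ("2.15.0") sorts above its own pre-release ("2.15.0-rc1").
    static int compare(String a, String b) {
        String[] pa = a.split("-", 2), pb = b.split("-", 2);
        String[] sa = pa[0].split("\\."), sb = pb[0].split("\\.");
        for (int i = 0; i < Math.max(sa.length, sb.length); i++) {
            int x = i < sa.length ? parse(sa[i]) : 0, y = i < sb.length ? parse(sb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        if ((pa.length > 1) != (pb.length > 1)) return pa.length > 1 ? -1 : 1;
        return pa.length > 1 ? pa[1].compareTo(pb[1]) : 0;
    }
    private static int parse(String s) {
        try { return Integer.parseInt(s); } catch (NumberFormatException e) { return 0; }
    }
}
```

For the Log4j entry above, `VersionRangeChecker.isVulnerable("2.14.1", "<=2.14.1")` returns true and `isVulnerable("2.15.0", "<=2.14.1")` returns false; the sample response later on the page is the first case rendered as a DependencyRisk.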

Scanning endpoint

@GetMapping("/dependencies/scan")
public ResponseEntity<Map<String, Object>> scanDependencies() {
    logger.info("开始执行依赖扫描...");
    long startTime = System.currentTimeMillis();

    List<DependencyInfo> dependencies = dependencyCollector.collect();
    logger.info("收集到 {} 个依赖", dependencies.size());

    List<DependencyRisk> risks = vulnerabilityMatcher.matchVulnerabilities(dependencies);
    risks = vulnerabilityMatcher.sortByRiskLevel(risks);
    VulnerabilityMatcher.RiskStatistics statistics = vulnerabilityMatcher.getRiskStatistics(risks);

    long duration = System.currentTimeMillis() - startTime;
    logger.info("依赖扫描完成,耗时 {} ms,{}", duration, statistics);

    Map<String, Object> response = new HashMap<>();
    response.put("success", true);
    response.put("message", "扫描完成");
    response.put("data", risks);
    // statistics omitted for brevity
    return ResponseEntity.ok(response);
}

Sample JSON response

[
  {
    "groupId": "org.apache.logging.log4j",
    "artifactId": "log4j-core",
    "version": "2.14.1",
    "riskLevel": "Critical",
    "cve": "CVE-2021-44228",
    "description": "Log4j JNDI injection can lead to remote code execution.",
    "safeVersion": "2.15.0+",
    "reference": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
  }
]

Front‑end visualization

The UI displays a table with columns for Dependency, Version, Risk, CVE, Safe Version and Actions. Filters allow users to show only Critical, High, Medium or Low risks. Clicking a row opens a modal that shows detailed description, affected versions, recommended Maven/Gradle upgrade commands and official reference links.

Practical scenarios

Local development self‑check: run the scanner during debugging to catch vulnerable libraries early.

Emergency response: when a new vulnerability (e.g., Log4Shell) is disclosed, quickly scan the project to locate affected modules and the required upgrade version.

CI/CD integration: invoke /dependencies/scan in the build pipeline; fail the build if a Critical vulnerability is found and display the safe version to upgrade to.

Repository

https://github.com/yuboon/java-examples/tree/master/dependency-scanner

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Java, CI/CD, Spring Boot, Vulnerability Management, security, REST API, CVE, Dependency Scanning
Written by

Java Companion

A highly professional Java public account