Share
## https://sploitus.com/exploit?id=37E24A79-74D6-5F51-8E89-2170F66DCC70
# Java vulnerable scan POC

Minimal Maven project used to **compare container vulnerability scanners** (Docker Scout, Trivy, Snyk). It ships a **known vulnerable library** in the shaded JAR:

- `org.apache.commons:commons-text:1.9` โ€” affected by **CVE-2022-42889** (Text4Shell).

This is for **lab / training only**. Do not run in production.

## Local build

The Docker image copies the **prebuilt** shaded JAR from `target/`. Build the JAR first, then build the image.

```bash
mvn -ntp package -DskipTests
docker build -t java-vulnerable-scan-poc:local .
```

## Docker Scout (Docker Desktop / CLI)

After building the image:

```bash
docker scout quickview java-vulnerable-scan-poc:local
docker scout cves java-vulnerable-scan-poc:local
```

## Trivy (local)

```bash
trivy image --severity HIGH,CRITICAL java-vulnerable-scan-poc:local
```

## GitHub Actions

Workflow: `.github/workflows/ci.yml`

- Builds the image and runs **Trivy** (`aquasecurity/trivy-action@0.35.0`) with JSON + optional SARIF upload.
- **Snyk**: commented job template in the workflow โ€” add `SNYK_TOKEN` and uncomment to run in CI.

## Comparing tools

Use the **same image digest** when comparing:

```bash
docker inspect --format='{{index .RepoDigests 0}}' java-vulnerable-scan-poc:local
```

Download the **Trivy JSON artifact** from the workflow run and compare CVE IDs and severities to Scout and Snyk outputs.