SPARTA vulnerability scanners

Vulnerability scanners for Ubuntu OS and Java Maven projects

The scanners were developed for SPARTA, a project of the European Union's Horizon 2020 research and innovation programme, under grant agreement No 830892.

Ubuntu OS scanner

Scan your Ubuntu OS installation for vulnerabilities

A web application that provides an API to check which installed Ubuntu packages are vulnerable.
The scanner offers several scan levels. A higher scan level finds not only packages with known vulnerabilities but also packages that are potentially vulnerable. For each finding the application also returns the severity of the vulnerability, the available mitigation, and the related USN and CVE identifiers. The output is in JSON format.
Example request:

curl -X 'POST' 'https://www.sparta-variotscan.pl/api/ubuntu/scan/?release=bionic&a=1&v=1&all=true' -F 'file=@installed_packages.txt'

Obligatory arguments:
  • release (string) - name of the Ubuntu release (e.g. bionic)
  • installed_packages (file) - file with the names of the installed packages, created with the 'dpkg -l' command
Optional arguments:
  • a (int) [0:2] - aggressiveness, defines the depth of the scan
  • v (int) [0:2] - verbosity, defines the amount of information in the output
  • u (bool) - whether additional data from USNs should be included
  • c (bool) - whether additional data from CVEs should be included
  • all (bool) - whether additional data from both USNs and CVEs should be included; all cannot be combined with u or c
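The following is an added example, not code from the SPARTA project: a small POSIX shell helper that checks the documented argument constraints (a and v in [0:2], all not combined with u or c, release obligatory) before assembling the request URL and the curl command for the Ubuntu endpoint. The endpoint, parameter names and the 'dpkg -l' source of the package list come from the text above; the function names and the one-line package file used in the demo are this example's own constructions.

```shell
#!/bin/sh
# Added example (not part of the SPARTA scanner project). Validates the
# documented query arguments and builds the scan request for the Ubuntu
# endpoint. Helper names (in_range, ubuntu_scan_url, ubuntu_scan_cmd)
# are this example's own.

API_BASE="https://www.sparta-variotscan.pl/api/ubuntu/scan/"

# in_range VALUE MIN MAX: succeed if VALUE is a non-negative integer in [MIN, MAX].
in_range() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# ubuntu_scan_url RELEASE A V ALL U C
# Prints the request URL on success; prints the violated rule to stderr
# and fails otherwise. A and V are integers or empty; ALL, U and C are
# "true", "false" or empty (empty means the argument is omitted).
ubuntu_scan_url() {
  release=$1; a=$2; v=$3; all=$4; u=$5; c=$6
  [ -n "$release" ] || { echo "release is obligatory" >&2; return 1; }
  url="${API_BASE}?release=${release}"
  if [ -n "$a" ]; then
    in_range "$a" 0 2 || { echo "a must be in [0:2]" >&2; return 1; }
    url="${url}&a=${a}"
  fi
  if [ -n "$v" ]; then
    in_range "$v" 0 2 || { echo "v must be in [0:2]" >&2; return 1; }
    url="${url}&v=${v}"
  fi
  # The documented exclusivity rule: all cannot be combined with u or c.
  if [ -n "$all" ] && { [ -n "$u" ] || [ -n "$c" ]; }; then
    echo "all cannot be combined with u or c" >&2
    return 1
  fi
  [ -n "$all" ] && url="${url}&all=${all}"
  [ -n "$u" ] && url="${url}&u=${u}"
  [ -n "$c" ] && url="${url}&c=${c}"
  printf '%s\n' "$url"
}

# ubuntu_scan_cmd PACKAGE_FILE RELEASE A V ALL U C
# Prints the curl command that uploads the package list to the scanner.
# The package list is the output of 'dpkg -l' saved to a file.
ubuntu_scan_cmd() {
  file=$1; shift
  [ -f "$file" ] || {
    echo "package list '$file' not found; create it with: dpkg -l > $file" >&2
    return 1
  }
  url=$(ubuntu_scan_url "$@") || return 1
  printf "curl -X POST '%s' -F 'file=@%s'\n" "$url" "$file"
}

# Demo with a constructed one-line package list (not real 'dpkg -l' output).
demo_file=$(mktemp)
printf 'ii  example-pkg  0.0.0-0  amd64  constructed sample entry\n' > "$demo_file"
ubuntu_scan_cmd "$demo_file" bionic 1 1 true "" ""
rm -f "$demo_file"
```

Because the helper rejects a malformed request locally, a mistake such as passing all together with u produces a clear message instead of a confusing error from the service; in a CI job the same functions can be called with a real 'dpkg -l' dump and the printed command executed.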

Maven Vulnerability Analyzer

Analyze your Maven projects for vulnerabilities

A web application that provides an API to check which packages in a Maven project are vulnerable.
The main aim of the Maven Vulnerability Analyzer is to report potential vulnerabilities in all packages used to build a Maven project. Starting from the list of packages used in the Java project (generated automatically as the so-called Maven dependency tree), the tool looks up vulnerability information in a remote database, matches it with the packages used in the project and returns the results to the user. The user can then take appropriate action, such as updating packages or applying other hardening, to remove the vulnerabilities and raise the security level of the project. The output is in JSON format.

The following example returns results for the Maven dependency tree stored in the file /home/sparta/maven-dt.txt, with aggressiveness set to 0 and the verbose option set to false:

curl -i -X POST -F "maven=@/home/sparta/maven-dt.txt" -F 'args={"aggressive":0,"verbose":false};type=application/json' https://www.sparta-variotscan.pl/api/mva

Obligatory arguments:
  • args (json) - additional arguments in JSON format
  • maven (file) - file containing the Maven dependency tree
Possible arguments in the args attribute are the following:
  • verbose (bool) - if true, all available information about each vulnerability is included in the results
  • aggressive (int) [0:3] - the level of aggressiveness of the search; values higher than the default (0) produce more false positives
  • field_list (list of strings) - names of fields from the vulnerability database that should be included in the information returned about each vulnerability
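As an added example (not code from the SPARTA project), the POSIX shell helper below assembles the args JSON for the Maven Vulnerability Analyzer and the matching curl command, enforcing the documented constraints (aggressive in [0:3], verbose a boolean, field_list a list of strings). The endpoint URL, form field names and the `;type=application/json` form are taken from the request shown above; the function names and the field names used in the demo are this example's own assumptions, since the page does not list the database field names. The dependency tree file itself is assumed to have been produced beforehand, for instance with the standard Maven dependency plugin (`mvn dependency:tree -DoutputFile=maven-dt.txt`).

```shell
#!/bin/sh
# Added example (not part of the SPARTA project). Builds the args JSON and
# the curl command for the Maven Vulnerability Analyzer endpoint. Helper
# names (mva_args, mva_cmd) are this example's own.

MVA_URL="https://www.sparta-variotscan.pl/api/mva"

# mva_args AGGRESSIVE VERBOSE [FIELD ...]
# Prints the JSON value for the args attribute. AGGRESSIVE must be in [0:3]
# and VERBOSE must be "true" or "false"; any further arguments become the
# optional field_list. Fails with a message on stderr when a rule is broken.
mva_args() {
  aggressive=$1; verbose=$2; shift 2
  case "$aggressive" in
    0|1|2|3) ;;
    *) echo "aggressive must be in [0:3]" >&2; return 1 ;;
  esac
  case "$verbose" in
    true|false) ;;
    *) echo "verbose must be true or false" >&2; return 1 ;;
  esac
  json="{\"aggressive\":${aggressive},\"verbose\":${verbose}"
  if [ $# -gt 0 ]; then
    list=""
    for field in "$@"; do
      # Field names are appended as JSON strings, comma-separated.
      list="${list:+${list},}\"${field}\""
    done
    json="${json},\"field_list\":[${list}]"
  fi
  printf '%s}\n' "$json"
}

# mva_cmd TREE_FILE AGGRESSIVE VERBOSE [FIELD ...]
# Prints the curl command that posts the dependency tree and the args JSON.
mva_cmd() {
  tree=$1; shift
  [ -f "$tree" ] || {
    echo "dependency tree '$tree' not found; generate it with the Maven dependency plugin first" >&2
    return 1
  }
  args=$(mva_args "$@") || return 1
  printf "curl -i -X POST -F \"maven=@%s\" -F 'args=%s;type=application/json' %s\n" \
    "$tree" "$args" "$MVA_URL"
}

# Demo with a constructed dependency tree file (not real 'mvn dependency:tree'
# output) and hypothetical field names.
demo_tree=$(mktemp)
printf 'com.example:demo:jar:1.0\n\\- org.example:lib:jar:2.0:compile\n' > "$demo_tree"
mva_cmd "$demo_tree" 1 true cve_id severity
rm -f "$demo_tree"
```

Keeping aggressive at its default of 0 is the conservative choice for a first run; raise it only when the extra false positives are acceptable for the review effort they create.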