Safeguard
Tag

java

Safeguard articles tagged "java" — guides, analysis, and best practices for software supply chain and application security.

70 articles

Open Source Security

Maven Central's January 2025 Sigstore Validation Launch: Bringing Java Provenance to the Central Publisher Portal

Sonatype's Central Publisher Portal began validating Sigstore signature bundles in January 2025 alongside the existing PGP requirement. Here is the defender view of how the Java ecosystem's provenance story is finally catching up.

May 15, 20267 min read
Vulnerability Management

Apache Tomcat CVE-2025-24813: a deserialization deep dive

Tomcat's partial-PUT deserialization RCE turned a session persistence feature into a remote code execution path, and the pattern is one Java middleware keeps repeating.

May 13, 20267 min read
Tools

Semgrep Supply Chain: April 2026 Update Reviewed

Semgrep's April 2026 release added dedicated advisory pages, dependency path data in SBOM exports, a Guardian Supply Chain hook, and Maven/Gradle scanning without lockfiles.

May 2, 20267 min read
Application Security

Reachability Analysis for Java: A 2026 Deep Dive

Java reachability under classpath reality: reflection, Spring autowiring, shaded JARs, Log4Shell, and what modern tools actually resolve versus over-approximate.

Mar 4, 20266 min read
Open Source Security

Maven Central Sigstore Migration Status

Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.

Feb 12, 20267 min read
Supply Chain Attacks

Maven Central Malicious Publishing Trends 2025

Maven Central has historically been the quietest major registry for malware, but 2025 saw a measurable uptick in malicious artifacts and namespace abuse.

Feb 10, 20266 min read
Vulnerability Analysis

Spring4Shell Retrospective: What CVE-2022-22965 Actually Cost the Industry

Spring4Shell was hyped as the next Log4Shell and turned out to be neither as broad nor as harmless as the early coverage suggested. A 2026 look back at the real numbers.

Jan 22, 20265 min read
Vulnerability Analysis

Log4Shell Five Years Later: What CVE-2021-44228 Taught Us About Transitive Risk

Five years after Log4Shell, the technical details still matter, but the lasting lessons are about transitive dependencies, SBOM accuracy, and the long tail of unpatched internal tooling.

Jan 9, 20265 min read
Vulnerability Analysis

Apache Ant 'Get' Task Certificate Validation Failure (CVE...

CVE-2020-1945 exposes insecure temp-file handling in Apache Ant, risking data leaks and build-tampering. Affected versions, CVSS/EPSS context, and fixes inside.

Nov 28, 20257 min read
Vulnerability Analysis

CVE-2018-1199: Authorization bypass in Spring Security CO...

CVE-2018-1199 let CORS pre-flight requests slip past Spring Security's authorization checks. What it affected, its real severity, and how to remediate it.

Sep 21, 20257 min read
Engineering

Java Supply Chain Security Beyond Log4Shell

Log4Shell was the fire drill. The structural problems — unverified Maven resolution, invisible shaded jars, sprawling transitive graphs — are still there. Here's what to actually fix.

Aug 21, 20256 min read
AppSec

Eclipse Jetty Vulnerabilities: What to Patch and When

Jetty's HTTP/2 handling and older 9.4.x branches have carried real denial-of-service and information-disclosure CVEs — here's what a jetty 9.4.41 exploit actually looks like and which versions close it.

Mar 18, 20256 min read
java (Page 4) — Safeguard Blog