java
Safeguard articles tagged "java" — guides, analysis, and best practices for software supply chain and application security.
70 articles
Maven Central's January 2025 Sigstore Validation Launch: Bringing Java Provenance to the Central Publisher Portal
Sonatype's Central Publisher Portal began validating Sigstore signature bundles in January 2025 alongside the existing PGP requirement. Here is the defender view of how the Java ecosystem's provenance story is finally catching up.
Apache Tomcat CVE-2025-24813: a deserialization deep dive
Tomcat's partial-PUT deserialization RCE turned a session persistence feature into a remote code execution path, and the pattern is one Java middleware keeps repeating.
Semgrep Supply Chain: April 2026 Update Reviewed
Semgrep's April 2026 release added dedicated advisory pages, dependency path data in SBOM exports, a Guardian Supply Chain hook, and Maven/Gradle scanning without lockfiles.
Reachability Analysis for Java: A 2026 Deep Dive
Java reachability under classpath reality: reflection, Spring autowiring, shaded JARs, Log4Shell, and what modern tools actually resolve versus over-approximate.
Maven Central Sigstore Migration Status
Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.
Maven Central Malicious Publishing Trends 2025
Maven Central has historically been the quietest major registry for malware, but 2025 saw a measurable uptick in malicious artifacts and namespace abuse.
Spring4Shell Retrospective: What CVE-2022-22965 Actually Cost the Industry
Spring4Shell was hyped as the next Log4Shell and turned out to be neither as broad nor as harmless as the early coverage suggested. A 2026 look back at the real numbers.
Log4Shell Five Years Later: What CVE-2021-44228 Taught Us About Transitive Risk
Five years after Log4Shell, the technical details still matter, but the lasting lessons are about transitive dependencies, SBOM accuracy, and the long tail of unpatched internal tooling.
Apache Ant 'Get' Task Certificate Validation Failure (CVE...
CVE-2020-1945 exposes insecure temp-file handling in Apache Ant, risking data leaks and build-tampering. Affected versions, CVSS/EPSS context, and fixes inside.
CVE-2018-1199: Authorization bypass in Spring Security CO...
CVE-2018-1199 let CORS pre-flight requests slip past Spring Security's authorization checks. What it affected, its real severity, and how to remediate it.
Java Supply Chain Security Beyond Log4Shell
Log4Shell was the fire drill. The structural problems — unverified Maven resolution, invisible shaded jars, sprawling transitive graphs — are still there. Here's what to actually fix.
Eclipse Jetty Vulnerabilities: What to Patch and When
Jetty's HTTP/2 handling and older 9.4.x branches have carried real denial-of-service and information-disclosure CVEs — here's what a jetty 9.4.41 exploit actually looks like and which versions close it.