feraldeps-core
Effortlessly scan local Java projects for dependencies and vulnerabilities.
Pitch

feraldeps-core is an open-source tool that scans local Java projects for their declared dependencies, identifies outdated versions, and flags known vulnerabilities. It ships with a desktop GUI, generates reports in HTML format, and performs the analysis locally, contacting public APIs only to fetch current version and vulnerability data.

Description

feraldeps-core is an open-source, local dependency and vulnerability scanner for Java projects. Scanning and report generation run locally through a desktop GUI; the only network traffic is HTTPS requests to public APIs for current version and vulnerability data. The external sources are Maven Central (latest versions), OSV (Open Source Vulnerabilities), and CVSS score providers: OSS Index, NVD, and GitHub's advisory database.

Key Features

  • Local Scanning: Reads the build files of local Gradle and Maven projects and extracts the declared, first-level dependencies (transitive dependencies are not yet resolved; see Future Enhancements).
  • Vulnerability Detection: Compares each dependency against the latest version on Maven Central and against known vulnerabilities in OSV, with CVSS scores from the configured providers.
  • Report Generation: Produces reports in HTML and CSV formats for review and sharing with a team.
  • User-Friendly Interface: A simple GUI drives the scan and lets the user manually trigger a refresh of version and vulnerability data from the public APIs.
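To make the scan-and-match pipeline described above concrete, here is an added, self-contained Python example. It is not code from feraldeps-core, which is a Java application; it shows the same steps a first-level scanner performs: parse a pom.xml (resolving `${property}` versions) and a build.gradle fragment, build the purl-based body that would be POSTed to the OSV batch endpoint `https://api.osv.dev/v1/querybatch`, match the response back to the queried packages, and compare each version with the latest one. The build files, the OSV response (with synthetic advisory ids that are not real advisories) and the "latest version" table are all constructed inline so the example runs offline; the `com.example` coordinates are placeholders, and the version ordering is a simplification of Maven's ComparableVersion rules.

```python
"""First-level Maven/Gradle dependency scan matched against OSV (added example, not feraldeps-core code)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: one version comes from <properties>, as real poms often do.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><widget.version>1.4.0</widget.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId><artifactId>widget-core</artifactId>
      <version>${widget.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>widget-util</artifactId>
      <version>2.0.1</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample build.gradle fragment in both common notations.
BUILD_GRADLE = """
dependencies {
    implementation 'com.example:gizmo:3.1.0'
    testImplementation group: 'com.example', name: 'gizmo-test', version: '3.1.0'
}
"""

# Constructed OSV querybatch response, aligned with query order (pom deps, then gradle deps).
# The ids are synthetic placeholders, not real advisories.
SAMPLE_OSV_RESPONSE = {"results": [
    {"vulns": [{"id": "EXAMPLE-2024-0001", "modified": "2024-01-01T00:00:00Z"}]},
    {},
    {},
    {"vulns": [{"id": "EXAMPLE-2024-0002", "modified": "2024-02-01T00:00:00Z"}]},
]}

# Constructed stand-in for Maven Central "latest version" lookups, keyed by group:artifact.
SAMPLE_LATEST = {"com.example:widget-core": "1.5.2", "com.example:widget-util": "2.0.1",
                 "com.example:gizmo": "3.1.0", "com.example:gizmo-test": "3.2.0-rc1"}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
GRADLE_STRING = re.compile(r"^\s*\w+\s+['\"]([^:'\"]+):([^:'\"]+):([^'\"]+)['\"]")
GRADLE_MAP = re.compile(r"^\s*\w+\s+group:\s*['\"]([^'\"]+)['\"],\s*name:\s*['\"]([^'\"]+)['\"],"
                        r"\s*version:\s*['\"]([^'\"]+)['\"]")


def parse_pom(xml_text):
    """Return (group, artifact, version) for each first-level <dependency>, resolving
    ${property} references. Entries without a literal version (managed by a BOM or
    parent pom) are skipped, and transitive dependencies are never visible here."""
    root = ET.fromstring(xml_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    resolve = lambda v: re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), v)
    deps = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        g = d.findtext("m:groupId", default="", namespaces=NS).strip()
        a = d.findtext("m:artifactId", default="", namespaces=NS).strip()
        v = d.findtext("m:version", default="", namespaces=NS).strip()
        if g and a and v:
            deps.append((g, a, resolve(v)))
    return deps


def parse_gradle(text):
    """Return (group, artifact, version) for 'g:a:v' and group:/name:/version: declarations."""
    hits = (GRADLE_STRING.match(line) or GRADLE_MAP.match(line) for line in text.splitlines())
    return [m.groups() for m in hits if m]


def to_purl(g, a, v):
    return f"pkg:maven/{g}/{a}@{v}"


def osv_batch_request(deps):
    """Body for POST /v1/querybatch. This is all that leaves the machine: coordinates and
    versions, not project files or metadata."""
    return {"queries": [{"package": {"purl": to_purl(g, a, v)}} for g, a, v in deps]}


def match_osv(deps, response):
    """OSV returns results in query order; an empty object means no known vulnerabilities."""
    return {to_purl(g, a, v): [x["id"] for x in r.get("vulns", [])]
            for (g, a, v), r in zip(deps, response.get("results", [])) if r.get("vulns")}


def version_key(v):
    """Simplified Maven-style ordering: numeric segments compare numerically, trailing zeros
    are ignored (1.0 == 1.0.0), and a qualifier (rc1, SNAPSHOT) sorts before the bare release."""
    nums, qual = [], []
    for part in re.split(r"[.\-]", v):
        (nums if part.isdigit() else qual).append(part)
    nums = [int(n) for n in nums]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums), (0 if qual else 1), tuple(q.lower() for q in qual)


def is_outdated(current, latest):
    return version_key(current) < version_key(latest)


def scan(pom_xml, build_gradle, osv_response, latest_versions):
    """Run the whole pipeline offline and return one report row per first-level dependency."""
    deps = parse_pom(pom_xml) + parse_gradle(build_gradle)
    vulns = match_osv(deps, osv_response)
    report = []
    for g, a, v in deps:
        purl, latest = to_purl(g, a, v), latest_versions.get(f"{g}:{a}")
        report.append({"purl": purl, "latest": latest,
                       "outdated": bool(latest) and is_outdated(v, latest),
                       "vulns": vulns.get(purl, [])})
    return report


if __name__ == "__main__":
    print(json.dumps(osv_batch_request(parse_pom(POM_XML)), indent=2))
    print(json.dumps(scan(POM_XML, BUILD_GRADLE, SAMPLE_OSV_RESPONSE, SAMPLE_LATEST), indent=2))
```

The two things worth noticing are the gaps a first-level scanner leaves: a dependency whose version is inherited from a BOM or parent pom never gets queried, and nothing pulled in transitively is seen at all, so a clean report from this kind of scan is not evidence that the resolved classpath is clean.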

Future Enhancements

  • Implementation of transitive-dependency analysis to enhance scanning capabilities (currently limited to first-level dependencies).
  • Plans for supporting additional programming ecosystems, including Python and JavaScript.
  • Improvements aimed at offline functionality and better integration with continuous integration processes.

Privacy and Security

feraldeps-core prioritizes user privacy. The tool reads local project files to determine dependency status and does not log or transmit project files or project metadata. Its only outbound traffic is the version and vulnerability lookups sent to the public APIs listed above; by nature those lookups carry the coordinates and versions of the dependencies being checked, so the services queried can see which libraries a project uses. Any API credentials entered in the Settings tab are stored locally and sent only to the service they belong to.

Configuration Options

The application provides a Settings tab within the GUI for optional API credentials:

  • OSS Index credentials for authenticated access to the OSS Index CVSS service.
  • A GitHub token for querying GitHub's vulnerability database for CVSS scores.

Without these, the tool falls back to the unauthenticated public API sources for CVSS data.

Quick Start Guide

  1. Launch the application:
    java -jar /path/to/feraldeps-0.1.1.jar
    
  2. Select a Gradle or Maven project folder and hit Scan.
  3. When the scan completes, review the report in the GUI and export it as HTML or CSV if needed.

Visual Overview

Screenshots (not reproduced here): the main application window, the generated report's summary view, and the report's CVSS chart showing vulnerability severity scores.

feraldeps-core gives Java developers an immediate, local view of a project's declared dependencies, their currency, and their known vulnerabilities, while keeping project data on the developer's machine.
