Article

In the Java ecosystem, where projects can easily pull in hundreds of third-party dependencies from Maven Central, managing open-source security is a monumental task. A single vulnerable library, like a legacy version of log4j-core or commons-collections, can compromise your entire application. WhiteSource Bolt (now known as Mend Bolt) is a powerful, developer-friendly tool that brings automated open-source security scanning directly into your development workflow, making vulnerability detection a natural part of your coding process.

What is WhiteSource (Mend) Bolt?

Mend Bolt is a free, lightweight tool designed to find and fix open-source vulnerabilities in your projects. It seamlessly integrates into your GitHub or Azure DevOps repositories, providing immediate visibility into security risks in your dependencies without complex configuration or context switching.

For Java developers, it scans your pom.xml or build.gradle file, resolves the entire dependency tree (including transitive dependencies), and checks it against a comprehensive vulnerability database.

Why Mend Bolt is a Game-Changer for Java Teams

1. Zero-Friction Onboarding: As a free tool that integrates directly with your GitHub or Azure DevOps account, there's no setup cost or complex installation. It starts providing value almost instantly.
2. Focus on Transitive Dependencies: The biggest threat often lies not in your direct dependencies, but in the libraries they depend on. Mend Bolt recursively analyzes your entire dependency graph, uncovering hidden risks you might not even be aware of.
3. Pull Request Prevention: This is its most powerful feature. Mend Bolt automatically scans every Pull Request (PR) and will flag—or even block—the merge if it introduces a new vulnerability. This "shifts left" security to the earliest possible point.
4. Actionable Remediation: It doesn't just tell you what is vulnerable; it tells you how to fix it, often by simply recommending an upgrade to a patched version.

How Mend Bolt Works in a Java Project

The process is automated and integrated directly into your existing workflow:

1. Automated Scanning on Commits and PRs
Whenever you push code or create a pull request, Mend Bolt automatically triggers a scan of your project's dependency manifest files.

• For Maven, it scans the pom.xml.
• For Gradle, it scans the build.gradle or build.gradle.kts.

2. Dependency Resolution and CVE Matching
The tool resolves all dependencies listed in your build file, including their transitive dependencies. It then compares the full list of artifacts (e.g., org.springframework:spring-core:5.3.18) and their versions against its continuously updated vulnerability database.

3. Reporting and Enforcement

• In-Line Comments: If a PR introduces a vulnerable dependency, Mend Bolt will comment directly on the PR, highlighting the specific library and version.
• Status Checks: It can be configured to set a status check on the PR. If this check fails, it can block the merge, enforcing security policy automatically.

A Practical Example: Catching a Vulnerability in a PR

Imagine a developer submits a PR to add a new feature. They've added a new dependency that, in turn, pulls in an old version of commons-text with a known vulnerability.

1. The Pull Request:

// The developer's new code might look fine...
public class TextProcessor {
public String process(String input) {
// Some logic that uses a new library
}
}

…but their pom.xml change includes:

<dependency>
<groupId>com.some.library</groupId>
<artifactId>new-feature-lib</artifactId>
<version>1.2.0</version>
</dependency>

2. The Mend Bolt Comment:
Mend Bolt will automatically post a comment on the PR that looks like:

⚠️ Mend Bolt Security Check Failed

Found in: pom.xml

Introduced by: com.some.library:new-feature-lib:1.2.0

3. The Fix:
The developer now has a clear path to resolution. They can either:

• Find an alternative library that doesn't have the vulnerable transitive dependency.
• See if new-feature-lib has a newer version that depends on a patched commons-text.
• Use a Maven dependencyManagement section to force the version of commons-text to the fixed version.

Best Practices for Java Teams Using Mend Bolt

1. Enable for All Repositories: Turn on Mend Bolt across your entire organization's GitHub or Azure DevOps account to ensure no Java project is left unscanned.
2. Require Passing Status Checks: In your repository settings, configure branch protection rules to require the "Mend Bolt" status check to pass before a PR can be merged. This makes security non-negotiable.
3. Prioritize by Severity: Focus on fixing Critical and High severity vulnerabilities first. Mend Bolt's reporting makes this prioritization clear.
4. Use Dependency Management for Overrides: When a direct fix isn't available, use Maven's dependencyManagement or Gradle's resolutionStrategy to force a specific, secure version of a transitive dependency. Maven Example: <dependencyManagement> <dependencies> <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-text</artifactId> <version>1.10.0</version> <!-- Force the fixed version --> </dependency> </dependencies> </dependencyManagement> Gradle Example: configurations.all { resolutionStrategy.force 'org.apache.commons:commons-text:1.10.0' }
5. Combine with SAST Tools: While Mend Bolt excels at open-source security (SCA), it should be part of a broader security strategy that includes Static Application Security Testing (SAST) tools like Checkmarx or SonarQube to find vulnerabilities in your custom code.

Conclusion

For Java development teams, Mend Bolt is an essential first line of defense in the ongoing battle to secure the software supply chain. By integrating seamlessly and automatically into the pull request process, it empowers developers to take ownership of security, catch vulnerabilities at the source, and remediate them before they ever enter the codebase. In a world where the next major open-source vulnerability is always around the corner, having Mend Bolt as a silent, vigilant partner in every repository is no longer a luxury—it's a necessity for building secure Java applications.