Modern Java development is built on a foundation of open-source components. A typical Spring Boot application can easily rely on over 100 external libraries from Maven Central. While this accelerates development, it also introduces significant risk if those dependencies contain known security vulnerabilities. Mend Bolt (formerly WhiteSource Bolt) is a developer-first tool designed to tackle this very problem by scanning your project's open-source dependencies and flagging vulnerabilities directly in your workflow.
What is Mend Bolt?
Mend Bolt is a free Software Composition Analysis (SCA) tool that integrates directly into your development environment. Its primary purpose is to find and report on vulnerable open-source libraries in your project.
For Java developers, it seamlessly connects to platforms like:
- GitHub (as a GitHub Action or a native GitHub integration)
- Azure DevOps
- GitLab
When you open a Pull Request (PR), Bolt automatically scans your pom.xml or build.gradle file, checks the declared dependencies against a vulnerability database, and posts the results as a comment right in the PR. This provides immediate, actionable feedback exactly when it's most valuable—before the code is merged.
Why is SCA Critical for Java Projects?
The Java ecosystem is one of the largest and most mature in the open-source world. However, this also makes it a prime target for security researchers and malicious actors. Common issues include:
- Vulnerable Logging Libraries: Like Log4Shell (CVE-2021-44228) in log4j-core.
- Serialization Vulnerabilities: In libraries like Jackson or XStream.
- Security Bypasses: In web frameworks like Spring Framework or Struts.
- Outdated and Unsupported Libraries: Using an old version of a library that no longer receives security patches.
Mend Bolt addresses this by continuously monitoring your dependencies against its constantly updated vulnerability database, which draws from sources like the NVD (National Vulnerability Database) and security advisories.
How It Works in Your Java Development Workflow
The integration is designed to be frictionless and fit directly into a modern DevOps pipeline.
- Development: A developer works on a feature or bug fix in a branch and updates their pom.xml to add a new dependency or update an existing one.
- Pull Request: The developer pushes their branch and opens a Pull Request to merge into the main branch.
- Automatic Scan:
  - GitHub: The Mend Bolt GitHub Action (or integration) is triggered automatically. It reads the pom.xml/build.gradle, resolves the dependency tree, and identifies all direct and transitive (nested) dependencies.
  - Azure DevOps: A Bolt build task performs the same scan during the PR build.
- Reporting: The scan results are posted as a detailed comment on the PR. This report will clearly show:
  - Which library is vulnerable (e.g., commons-collections 3.2.1).
  - The specific vulnerability (e.g., CVE-2015-6420).
  - Severity level (Critical, High, Medium, Low).
  - A link to the CVE for more details.
  - Remediation advice, often suggesting the minimum safe version to upgrade to.
- Action: The developer and reviewer can see the security risk at a glance and block the merge until the issue is fixed.
A Practical Java Example
Imagine you are adding a new feature that uses a popular XML library. You add the following to your pom.xml:
<dependency>
    <groupId>com.fasterxml.jackson.dataformat</groupId>
    <artifactId>jackson-dataformat-xml</artifactId>
    <version>2.12.2</version>
</dependency>
When you open your PR, Mend Bolt might comment with a failure:
❌ Mend Bolt found 1 vulnerability

Severity      Vulnerability    Library                  Version   Type
🔴 Critical   CVE-2021-xxxxx   jackson-dataformat-xml   2.12.2    Direct

Remediation: Upgrade jackson-dataformat-xml to version 2.12.5 or higher.
This immediate feedback prevents a vulnerable library from ever entering your codebase.
Best Practices for Java Developers Using Mend Bolt
- Don't Ignore Transitive Vulnerabilities: A vulnerability might be in a library that your direct dependency pulls in, not in the direct dependency itself. Bolt finds these. Use mvn dependency:tree to understand your dependency graph.
- Use the PR Status Check: Configure your repository to require a "pass" from Mend Bolt before a PR can be merged. This creates an enforceable security gate.
- Prioritize by Severity: Focus on fixing "Critical" and "High" severity vulnerabilities first. Don't let a long list of "Lows" cause alert fatigue.
- Leverage the Fix Recommendation: The tool's suggestion to upgrade to a specific version is the fastest path to remediation. Always test the upgrade to ensure it doesn't break your application.
- Run Locally (Optional): Mend offers a CLI version that you can run locally before pushing your code, allowing you to find and fix issues even earlier.
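To make the direct-versus-transitive distinction from the scan step and the severity gate from the status-check practice concrete, here is an added example that is not Mend Bolt's code and not part of the original article. It parses mvn dependency:tree output against a small hand-built advisory table, labels each hit as Direct or Transitive from its depth in the tree, and decides whether the merge should be blocked. The sample tree, the advisory table, its severity ratings and the fix versions are constructed for the example (the CVE ids are the ones the article names, with the jackson placeholder kept as-is); a real check would read advisories from an up-to-date feed such as the NVD rather than a hard-coded list.

```python
"""Added example (not Mend Bolt's code): flag vulnerable Maven
dependencies, direct and transitive, from `mvn dependency:tree` output
and decide whether a pull request should be blocked.
"""
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output for a demo project.
# The tree-drawing prefix encodes how deep each artifact sits.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.12.2:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- com.example:legacy-util:jar:1.0:compile
[INFO]    \\- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] BUILD SUCCESS
"""


@dataclass(frozen=True)
class Advisory:
    coords: str     # groupId:artifactId
    cve: str
    severity: str   # Critical / High / Medium / Low
    fixed_in: str   # first version that is no longer affected


@dataclass(frozen=True)
class Finding:
    coords: str
    version: str
    cve: str
    severity: str
    kind: str       # "Direct" or "Transitive"
    fixed_in: str


# Hand-built advisory table for the example. CVE ids are the ones the
# article names (the jackson entry keeps the article's placeholder);
# severities and fix versions are illustrative, a real check reads them
# from a live vulnerability feed such as the NVD.
ADVISORIES = [
    Advisory("org.apache.logging.log4j:log4j-core", "CVE-2021-44228", "Critical", "2.15.0"),
    Advisory("commons-collections:commons-collections", "CVE-2015-6420", "High", "3.2.2"),
    Advisory("com.fasterxml.jackson.dataformat:jackson-dataformat-xml", "CVE-2021-xxxxx", "Critical", "2.12.5"),
]

# A tree line is "[INFO] " + tree-drawing prefix made of 3-char groups
# ("+- ", "\- ", "|  ", "   ") + groupId:artifactId:type[:classifier]:version[:scope].
# Banner lines and "BUILD SUCCESS" contain spaces after the prefix and do not match.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[-|+\\ ]{3})*)(?P<gav>\S+)$")

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def version_key(version: str) -> tuple:
    """Sortable key for dotted versions: numeric segments compare as
    integers, anything else as text. A simplification of Maven's
    ComparableVersion that is adequate for plain x.y.z releases."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.-]", version))


def find_vulnerable(tree_text: str, advisories=ADVISORIES) -> list:
    """Return one Finding per dependency whose version is below the
    advisory's fix version. Depth 1 is a direct dependency, deeper is
    transitive; the root line (depth 0) is the project itself."""
    by_coords = {a.coords: a for a in advisories}
    findings = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        if depth == 0:
            continue
        parts = m.group("gav").split(":")
        coords = f"{parts[0]}:{parts[1]}"
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        adv = by_coords.get(coords)
        if adv and version_key(version) < version_key(adv.fixed_in):
            findings.append(Finding(coords, version, adv.cve, adv.severity,
                                    "Direct" if depth == 1 else "Transitive",
                                    adv.fixed_in))
    return findings


def should_block(findings: list, threshold: str = "High") -> bool:
    """Security gate: block the merge if any finding is at or above the
    threshold severity, so a long tail of Lows does not fail the build."""
    return any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]
               for f in findings)


def format_report(findings: list) -> str:
    """Render findings in the shape of a PR comment."""
    if not findings:
        return "No vulnerable dependencies found"
    lines = [f"Found {len(findings)} vulnerable dependencies"]
    for f in findings:
        lines.append(f"{f.severity:9} {f.cve:15} {f.coords.split(':')[1]:24} "
                     f"{f.version:8} {f.kind:10} fix: >= {f.fixed_in}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_vulnerable(SAMPLE_TREE)
    print(format_report(found))
    print("BLOCK MERGE" if should_block(found) else "OK to merge")
```

Run it against real output with `mvn dependency:tree > tree.txt` and pass the file contents to find_vulnerable; the commons-collections hit in the sample only appears because the tree is resolved two levels down, which is exactly the transitive case a flat read of pom.xml misses.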
Bolt vs. Full Mend (WhiteSource) Platform
It's important to note that Mend Bolt is the free, entry-level offering. The full Mend (formerly WhiteSource) platform offers more advanced features that are crucial for larger enterprises, such as:
- Policy Management: Creating and enforcing security policies across all projects.
- Advanced Reporting: Dashboards and compliance reports (e.g., for SOC2, PCI-DSS).
- Remediation Prioritization: More sophisticated risk scoring.
- License Compliance: Scanning for open-source license conflicts, which Bolt does not do.
Conclusion
For any Java team relying on open-source software, Mend Bolt is an essential and effortless first step towards a mature AppSec program. By putting vulnerability findings directly in the developer's workflow, it educates developers, prevents known vulnerabilities from entering the codebase, and fosters a culture of shared responsibility for security. It’s a powerful, free tool that every Java developer should be using.