Finding Vulns in JARs with Spotbugs

How to find security vulnerabilities in JARs with SpotBugs…

[Note: burpsuite is just being used as an example]

SpotBugs is awesome, but the instructions for compiling it and running it as a standalone app were not that clear to me.  Because of this, I decided to put together the rather simple steps below.


Decompile the JAR being analyzed using JD/JD-GUI (or similar).  Google it, if needed; there's a lot of info out there.  SpotBugs analyzes the bytecode in the JAR itself, so the decompiled source is only used to show you the offending lines.

Compiling Spotbugs

In Debian/Ubuntu:

cd spotbugs-release-3.1
./gradlew spotbugs:build
cp spotbugs/build/distributions/spotbugs-3.1.7-SNAPSHOT.tgz ../.
cd ..
tar -xvzf spotbugs-3.1.7-SNAPSHOT.tgz

Running Spotbugs

java -jar spotbugs-3.1.7-SNAPSHOT/lib/spotbugs.jar
  1. File > New Project
  2. Classpath: [path]/file.jar
  3. Aux Classpath: add all .jar resources (if needed) for the JAR being analyzed
  4. Source directories: the folder of decompiled source code (it should contain, for example, com, META-INF, etc.)
  5. “OK”
[Screenshot of the SpotBugs New Project dialog, 2018-09-10]

Finding Vulnerabilities

After the above finishes processing, you'll be presented with a list of possible vulnerabilities (under the Security category) as well as best-practice-type findings.  I've found that there is a high false-positive rate in terms of exploitable findings.  SpotBugs appears to just be performing simple string/regex comparison and does not (due to complexity) actually walk back up the logical flow to determine whether a given finding is reachable with attacker-controlled input, i.e. whether it is actually exploitable.  That part will be yours :-).
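The same run can be done without the GUI, which makes it easier to repeat and to triage the output. The script below is an added example (not code from the original post or from the SpotBugs project): it builds the text-UI command line equivalent to the File > New Project steps above (the flags -textui, -effort, -low, -xml:withMessages, -output, -auxclasspath and -sourcepath are real SpotBugs options), runs it when pointed at a real spotbugs.jar and target JAR, and then parses the XML report so the Security-category findings come out first, grouped by bug pattern for the manual exploitability review the paragraph above describes. The embedded report is a constructed sample that mimics the shape of SpotBugs XML output, not the result of a real scan, and the class and file names in it are made up.

```python
"""Headless SpotBugs run plus a first-pass triage of its SECURITY findings.

Added example (not from the original post or the SpotBugs project).  Flag names are
real SpotBugs CLI options; SAMPLE_REPORT below is a constructed sample, not a real scan.
"""
import os
import subprocess
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path


def spotbugs_command(spotbugs_jar, target_jar, aux_jars=(), source_dir=None,
                     report="spotbugs.xml"):
    """Text-UI equivalent of File > New Project: classpath, aux classpath, sources."""
    cmd = ["java", "-jar", str(spotbugs_jar), "-textui",
           "-effort:max", "-low",                 # report every rank; triage afterwards
           "-xml:withMessages", "-output", str(report)]
    if aux_jars:                                  # step 3: dependency jars of the target
        cmd += ["-auxclasspath", os.pathsep.join(str(j) for j in aux_jars)]
    if source_dir:                                # step 4: decompiled source, for line display
        cmd += ["-sourcepath", str(source_dir)]
    cmd.append(str(target_jar))                   # step 2: the JAR under analysis
    return cmd


def security_findings(xml_text):
    """Return SECURITY-category BugInstances, scariest first (rank 1 = worst, 20 = least)."""
    root = ET.fromstring(xml_text)
    findings = []
    for bug in root.iter("BugInstance"):
        if bug.get("category") != "SECURITY":
            continue
        cls = bug.find("Class")
        loc = bug.find("SourceLine")              # primary location is a direct child
        findings.append({
            "pattern": bug.get("type"),
            "rank": int(bug.get("rank", "20")),
            "priority": int(bug.get("priority", "3")),
            "class": cls.get("classname") if cls is not None else None,
            "file": loc.get("sourcepath") if loc is not None else None,
            "line": int(loc.get("start")) if loc is not None and loc.get("start") else None,
            "message": (bug.findtext("LongMessage") or bug.findtext("ShortMessage") or "").strip(),
        })
    findings.sort(key=lambda f: (f["rank"], f["priority"]))
    return findings


def group_by_pattern(findings):
    """Map bug pattern -> ['file:line', ...]; one pattern usually needs one triage decision."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["pattern"]].append(f"{f['file']}:{f['line']}")
    return dict(groups)


def run_and_triage(spotbugs_jar, target_jar, aux_jars=(), source_dir=None,
                   report="spotbugs.xml"):
    """Run SpotBugs for real, then parse the report it wrote."""
    subprocess.run(spotbugs_command(spotbugs_jar, target_jar, aux_jars, source_dir, report),
                   check=True)
    return security_findings(Path(report).read_text(encoding="utf-8"))


# Constructed sample report (shape of SpotBugs -xml:withMessages output; not a real scan).
SAMPLE_REPORT = """<BugCollection version="3.1.7-SNAPSHOT">
  <BugInstance type="DM_DEFAULT_ENCODING" priority="2" rank="18" abbrev="Dm" category="I18N">
    <ShortMessage>Reliance on default encoding</ShortMessage>
    <Class classname="com.example.util.Io"/>
    <SourceLine classname="com.example.util.Io" start="17" end="17" sourcepath="com/example/util/Io.java"/>
  </BugInstance>
  <BugInstance type="PT_RELATIVE_PATH_TRAVERSAL" priority="2" rank="8" abbrev="PT" category="SECURITY">
    <ShortMessage>Relative path traversal in servlet</ShortMessage>
    <Class classname="com.example.web.Download"/>
    <SourceLine classname="com.example.web.Download" start="31" end="31" sourcepath="com/example/web/Download.java"/>
  </BugInstance>
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" rank="6" abbrev="SQL" category="SECURITY">
    <ShortMessage>Nonconstant string passed to execute method on an SQL statement</ShortMessage>
    <LongMessage>A nonconstant String is passed to an execute method on an SQL statement</LongMessage>
    <Class classname="com.example.dao.UserDao"/>
    <Method classname="com.example.dao.UserDao" name="findUser" signature="(Ljava/lang/String;)V"/>
    <SourceLine classname="com.example.dao.UserDao" start="42" end="42" sourcepath="com/example/dao/UserDao.java"/>
  </BugInstance>
</BugCollection>
"""

if __name__ == "__main__":
    # With arguments: python triage.py spotbugs.jar target.jar [sourcedir]; otherwise use the sample.
    if len(sys.argv) >= 3:
        found = run_and_triage(sys.argv[1], sys.argv[2],
                               source_dir=sys.argv[3] if len(sys.argv) > 3 else None)
    else:
        found = security_findings(SAMPLE_REPORT)
    for pattern, places in group_by_pattern(found).items():
        print(f"{pattern}: {', '.join(places)}")
```

Running it with no arguments prints the two Security findings from the sample, SQL first (rank 6) and path traversal second (rank 8), with the I18N finding filtered out. Each line is then a starting point for the manual check the paragraph above asks for: open the decompiled file at that line and walk back to see whether the string or path actually comes from untrusted input.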

Have fun!

[Screenshot of the SpotBugs results view, 2018-09-10]
