Nucleaus proudly released a new version of its code scanner that supports Java for production tenants. We went through multiple product iterations and rounds of testing to make sure that this language release stays true to our ethos and product vision: keep it simple, easy to use and understand, and effective.

Q. What did you roll out?

A.  Nucleaus rolled out a new, refined version of its code scanner to production tenants that provides coverage and support for Java.

Q. Does the scanner need compiled binaries to work?

A.  No. The Java scanner we released works on source code and does not need compiled binaries.

Q. Does this work with CI/CD as well?

A.  Yes. If your CI/CD pipeline commits the code to your Git repository, you can kick off a scan using the Nucleaus CLI tool from your CI/CD script.

Q. What exactly does the Java scanner scan?

A.  The scanner scans the static Java code in the repos for security vulnerabilities. Code smells and non-security issues are excluded, as they may not be a true indication of the presence of a security vulnerability.

Q. Does it scan external project dependencies as well?

A.  The current version of the scanner only scans the code present in the repos. Our scanner does not compile your code, so there is no routine that downloads dependencies at scan time. However, if the dependency code is copied as static source code into the project, it will get picked up in the scan.
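Because a source-only scan covers just the files in the repository, it is worth knowing which components your build pulls in from outside it. The following script is an added example, not Nucleaus code: it assumes a Maven project and lists the direct dependencies declared in a pom.xml (resolving `${property}` versions and defaulting the scope to `compile`, as Maven does), so the team can see which third-party code will not be examined unless its source has been vendored into the repo. The embedded pom.xml is a constructed sample.

```python
"""List the external dependencies declared in a Maven pom.xml.

Added example (not Nucleaus code): a source-only scanner sees only the
files in the repository, so dependencies fetched at build time are not
covered. This enumerates what the build would download, so the team
knows which components need separate coverage (for example an SCA tool).
"""
import xml.etree.ElementTree as ET

# Standard Maven POM 4.0.0 XML namespace.
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml for demonstration; not from any real project.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <jackson.version>2.15.2</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>1.10.0</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def _text(elem, tag, default=""):
    """Return the stripped text of a namespaced child element, or default."""
    child = elem.find(MAVEN_NS + tag)
    return child.text.strip() if child is not None and child.text else default


def _resolve(value, properties):
    """Substitute ${name} placeholders using the pom's <properties> block."""
    for name, prop in properties.items():
        value = value.replace("${" + name + "}", prop)
    return value


def declared_dependencies(pom_xml: str):
    """Parse a pom.xml string and return its direct dependencies.

    Each entry is a dict with groupId, artifactId, version and scope.
    Maven's default scope is 'compile'; a missing version is reported as
    'unspecified' (it would come from a parent or dependencyManagement).
    """
    root = ET.fromstring(pom_xml)
    props = {}
    props_elem = root.find(MAVEN_NS + "properties")
    if props_elem is not None:
        for p in props_elem:
            props[p.tag.replace(MAVEN_NS, "")] = (p.text or "").strip()
    deps = []
    deps_elem = root.find(MAVEN_NS + "dependencies")
    if deps_elem is None:
        return deps
    for dep in deps_elem.findall(MAVEN_NS + "dependency"):
        deps.append({
            "groupId": _text(dep, "groupId"),
            "artifactId": _text(dep, "artifactId"),
            "version": _resolve(_text(dep, "version", "unspecified"), props),
            "scope": _text(dep, "scope", "compile"),
        })
    return deps


def shipped_dependencies(pom_xml: str):
    """Dependencies that end up in the deployed artifact (everything but test scope).

    These are the components a source-only scan of the repository will not
    examine unless their source has been copied into the tree.
    """
    return [d for d in declared_dependencies(pom_xml) if d["scope"] != "test"]


if __name__ == "__main__":
    for d in shipped_dependencies(SAMPLE_POM):
        print(f"{d['groupId']}:{d['artifactId']}:{d['version']} ({d['scope']})")
```

Run it against your own pom.xml by reading the file and passing its contents to `shipped_dependencies`; multi-module builds and dependencies managed by a parent POM will show `unspecified` versions, which is itself a signal that the effective dependency set needs to be resolved by the build tool rather than read off a single file.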

Q. Why am I seeing increased/different vulnerability counts in my other repos?

A.  The infosec landscape is constantly changing, and the Nucleaus scanner was upgraded to increase its detection coverage by incorporating newly published CVEs and CWEs. Rescanning an existing repo with the upgraded scanner can therefore report more, or different, findings than before.

Please feel free to reach out to the sales team and/or the tech team with any questions.

Happy Scanning!

The Product Team

Nucleaus