netshield-analyzer

NetShield

Reachability-based vulnerability analysis for Java applications

NetShield determines whether vulnerabilities in your dependencies are actually exploitable by analyzing bytecode call graphs. It answers one question: Can this CVE be triggered by my application code?

Quick Start

Installation

From Source:

git clone https://github.com/Netshield-Enterprise/netshield-analyzer.git
cd netshield-analyzer
go build -o netshield-analyzer ./cmd/analyzer

Using Go Install:

go install github.com/Netshield-Enterprise/netshield-analyzer/cmd/analyzer@latest

From Release (Recommended):

# Linux AMD64
curl -LO https://github.com/Netshield-Enterprise/netshield-analyzer/releases/latest/download/netshield-analyzer-linux-amd64
chmod +x netshield-analyzer-linux-amd64
sudo mv netshield-analyzer-linux-amd64 /usr/local/bin/netshield-analyzer

# macOS Apple Silicon
curl -LO https://github.com/Netshield-Enterprise/netshield-analyzer/releases/latest/download/netshield-analyzer-darwin-arm64
chmod +x netshield-analyzer-darwin-arm64
sudo mv netshield-analyzer-darwin-arm64 /usr/local/bin/netshield-analyzer

# Windows: Download netshield-analyzer-windows-amd64.exe and add to PATH

Basic Usage

# Analyze a Maven project
cd /path/to/your/maven/project
netshield-analyzer --packages com.yourcompany

# CI/CD mode (minimal output, proper exit codes)
netshield-analyzer --packages com.yourcompany --format core

# JSON output for tooling
netshield-analyzer --packages com.yourcompany --format json

What Problem This Solves

Most vulnerability scanners report every CVE in your dependency tree, regardless of whether your code can reach the vulnerable methods. This creates:

• Alert fatigue: Security teams drowning in non-exploitable findings
• Prioritization paralysis: No clear signal on what to fix first
• Wasted engineering time: Patching vulnerabilities that pose no real risk

NetShield performs static reachability analysis to classify vulnerabilities as:

• Reachable: Vulnerable code is called by your application (fix immediately)
• Unreachable: Vulnerable code exists but cannot be triggered (deprioritize)
• Unknown: Analysis incomplete (manual review recommended)

CI/CD Integration

NetShield is designed for CI/CD pipelines with proper exit codes:

GitHub Actions

- name: Security Gate
  run: netshield-analyzer --packages com.yourcompany --format core

GitLab CI

netshield:
  script:
    - netshield-analyzer --packages com.yourcompany --format core

Jenkins

sh 'netshield-analyzer --packages com.yourcompany --format core'

Output Formats

Core (CI/CD Optimized)

Minimal output, clear decision, proper exit codes.

netshield-analyzer --packages com.example --format core

Executive (Default)

Decision + intelligence + supply chain scoring.

netshield-analyzer --packages com.example

Debug

Full technical analysis with call graphs.

netshield-analyzer --packages com.example --format debug

JSON

Machine-readable for tooling integration.

netshield-analyzer --packages com.example --format json

Example Output

════════════════════════════════════════════════════════════════
                   NetShield Release Analysis
════════════════════════════════════════════════════════════════

EXECUTIVE SUMMARY
────────────────────────────────────────────────────────────────
1 vulnerability exists in dependencies but cannot be triggered by application code.
No exploitable security risk exists in this release.

RELEASE STATUS
✓ SAFE TO SHIP

RELEASE CONFIDENCE
High confidence this release introduces no exploitable security risk.

BUSINESS RISK
────────────────────────────────────────────────────────────────
Exploit Risk         NONE
Production Exposure  NONE
Patch Urgency        LOW (maintenance window)
Engineering Impact   None

SUPPLY CHAIN TRUST SCORE
────────────────────────────────────────────────────────────────
96 / 100  (Excellent)

SECURITY EVIDENCE
────────────────────────────────────────────────────────────────
1 critical vulnerability detected but unreachable from execution paths.

CVE: GHSA-mjmj-j48q-9wg2
Package: org.yaml:snakeyaml
Severity: CRITICAL
Reachability: UNREACHABLE

How It Works

1. Dependency Resolution: Parses pom.xml and resolves transitive dependencies
2. JAR Extraction: Downloads and extracts bytecode from Maven Central
3. Call Graph Construction: Builds method-level call graphs using bytecode analysis
4. CVE Lookup: Queries OSV API for known vulnerabilities
5. Reachability Analysis: Determines if application code paths reach vulnerable methods
6. Risk Classification: Categorizes findings as Reachable, Unreachable, or Unknown

Limitations

1. Reflection: Methods invoked via reflection are marked as Unknown
2. Dynamic Loading: Dynamically loaded classes may not be analyzed
3. Build Tool: Currently supports Maven only (Gradle support planned)
4. Language: Java bytecode only (Kotlin/Scala supported if compiled to JVM)
5. Accuracy: Call graph construction is best-effort; complex frameworks may reduce precision

Performance

Roadmap

• Gradle support
• SARIF output format for GitHub Security
• Improved reflection analysis
• Historical trend tracking
• GitHub PR comment integration
• Custom policy enforcement (SOC2, PCI-DSS)

Creating Releases

# Tag a version
git tag -a v0.1.0 -m "Release v0.1.0"
git push origin v0.1.0

# GitHub Actions automatically builds binaries for:
# - Linux (amd64, arm64)
# - macOS (Intel, Apple Silicon)
# - Windows (amd64)

See CHANGELOG.md for version history.

License

NetShield is dual-licensed:

• AGPL-3.0: Free for open source projects (LICENSE-AGPL)
• Commercial: For proprietary use (LICENSE-COMMERCIAL)

For commercial licensing: licensing@net-shield.net

Security Disclosure

To report security vulnerabilities in NetShield itself: security@net-shield.net

Do not open public issues for security concerns.