B4J Scanner (SBOM + Vulnerability Scanner)

tchart · Apr 29, 2026

I am getting increased scrutiny for some of my enterprise apps based on possible library and supply chain vulnerabilities.

I've used Snyk, Akido and Beagle but they dont really understand how B4J works so I get mixed results.

Anyway, I've built my own scanner (B4J Scanner) that resolves dependencies for a B4J project (based on libraries used, their dependencies and also class paths). It created a software bill of materials (SBOM) and uses OSV (https://osv.dev) to scan for vulnerable libraries.

Anyone interested in this?

Example scan below.

Sandman · Apr 30, 2026

I might be.

Jmu5667 · Apr 30, 2026

I am interested in this !

Dr_JU · May 4, 2026

This is gold!

tchart · May 4, 2026

The app and code are now on GitHub

GitHub - ope-nz/B4JScanner

Contribute to ope-nz/B4JScanner development by creating an account on GitHub.

github.com

Please read the readme. You you will need to download the osv executable from the link the the readme. Save it to the same directory as B4JScanner.exe.

Magma · May 4, 2026

hmmm interesting

Mariano Ismael Castro · May 4, 2026

Thank you for this great tool. Congratulations on your work.
By the way, I've discovered that jPOI uses the <commons-compress-1.20.jar> library, which contains 5 vulnerabilities. Version 1.28 is recommended.

Dr_JU · May 4, 2026

Mariano Ismael Castro said:
Thank you for this great tool. Congratulations on your work.
By the way, I've discovered that jPOI uses the <commons-compress-1.20.jar> library, which contains 5 vulnerabilities. Version 1.28 is recommended.

Okay, so this means that... a thorough vulnerability scan of the libraries used is needed.

But I'm referring to a full B4X scan.

Jmu5667 · May 5, 2026

Fantastic Work Trevor !

tchart · May 5, 2026

Dr_JU said:
Okay, so this means that... a thorough vulnerability scan of the libraries used is needed.

But I'm referring to a full B4X scan.

Do you mean for all the libraries used by b4x? So not just for a project?

Dr_JU · May 6, 2026

tchart said:
Do you mean for all the libraries used by b4x? So not just for a project?

Exactly, that will help more programmers (who, like you and me) have that special care when using libraries and dependencies.

Although I'm currently new to B4X and still in the tutorial stage... it doesn't take away from my experience in .NET and production software. I know very well the cost, tech-debt, and implications of using a third-party dependency || The use of libraries with CVEs.

As for me; I already see a post or forum section where dependencies with CVSs are listed, as well as whether they are patched or not, and also if there is/exists a way to mitigate it.

I still remember when I woke up and came across PostgreSQL CVE-2025-1094 and the way to exploit it; at that time we were using Supabase as a cloud service for certain projects.

tchart · May 11, 2026

B4J Scanner has been updated.

@hatzisn identified that the scanner was not processing b4xlib files (which I don't use). The scanner now includes these in the scanner.

The maven dependencies also now show how they are referenced; AJ = #AdditionalJar, B4X dep = Jar + "DependsOn" and b4xlib dep =bx4lib + "DependsOn"

IMPORTANT; During testing on XLUtils.b4xlib I found it references poi-ooxml-lite-5.0.0 but the jar I have has an incomplete manifest and the Maven url could not be determined. Not sure if I downloaded from the forum or somewhere else. To resolve this, if B4J Scanner fails to identify the jar it will attempt to query Maven (via web request) using the SHA1 fingerprint. This is a last resort and can be disabled in the config file if you don't want to allow this.

prajinpraveen · May 11, 2026

Excellent work

prajinpraveen · May 11, 2026

just a small question. the jars are in the additional libraries folder.

tchart · May 11, 2026

prajinpraveen said:
just a small question. the jars are in the additional libraries folder.

Did you update the paths to the folders? If you used the included cfg file it is using my (non-standard) config

prajinpraveen · May 11, 2026

Yes i did. it does pick one jar file, but not all
[AJ] java-barcode-2.0.3 v2.0.3

tchart · May 15, 2026

B4J Scanner has been updated with improvements to the report. There is also a new library scan that will scan all of your libraries/additional libraries and report any vulnerable libraries.

tchart · May 15, 2026

prajinpraveen said:
Yes i did. it does pick one jar file, but not all
[AJ] java-barcode-2.0.3 v2.0.3

Not sure why it's not finding it. Likely something specific to your setup.

Can you post a screenshot of the file/folder (in Explorer) and also a screenshot of the additional jar statements in your project?

tchart · May 15, 2026

Library scan report;

Peter Simpson · May 24, 2026

Hiya,
Okay I will admit that this is an absolutely excellent tool which I'll definitely find useful, especially whilst developing enterprise solution. I'll download on Tuesday or Wednesday, and I'll give it a good going over.

tchart said:
Library scan report;

View attachment 171514

Thank again for this tool, it looks and sounds amazing

Peter...

B4J Scanner (SBOM + Vulnerability Scanner)

Well-Known Member

Expert

Well-Known Member

Member

Well-Known Member

Expert

Active Member

Member

Well-Known Member

Well-Known Member

Member

Well-Known Member

Active Member

Active Member

Well-Known Member

Active Member

Well-Known Member

Well-Known Member

Well-Known Member

Expert

Privacy & Transparency

Privacy & Transparency