SCA Goat
Navigating SCA Vulnerabilities, Empowering Mastery
SCAGoat is an application for Software Composition Analysis (SCA) that focuses on vulnerable and compromised JAR dependencies used in development code, providing users with hands-on learning opportunities to understand potential attack scenarios. It is designed to identify vulnerabilities that may arise from using vulnerable JAR files.
The CVEs covered under SCAGoat are primarily critical and high severity, which have a CVSS score of 9. This aid in understanding the vulnerable package being used and its potential for exploitation.
In addition, there is one compromised package, that lacks a CVE, but is malicious by nature and cannot be detected with traditional SCA scanners.
CVE | Package Name | Link |
---|---|---|
CVE-2023-42282 | IP | https://nvd.nist.gov/vuln/detail/CVE-2023-42282 |
CVE-2017-1000427 | Marked | https://nvd.nist.gov/vuln/detail/CVE-2017-1000427 |
CVE-2017-16114 | Marked | https://github.com/markedjs/marked/issues/926 |
CVE-2021-44228 | log4j | https://nvd.nist.gov/vuln/detail/CVE-2021-44228 |
CVE-2020-9547 | jackson-databind | https://nvd.nist.gov/vuln/detail/CVE-2020-9547 |
CVE-2021-33623 | trim-newlines | https://nvd.nist.gov/vuln/detail/CVE-2021-33623 |
CVE-2020-13935 | spring-websocket | https://nvd.nist.gov/vuln/detail/CVE-2020-13935 |
Malicious Package (No CVE) | xz-java | https://central.sonatype.com/artifact/io.github.xz-java/xz-java |
Step 1. Clone the application
git clone https://github.com/harekrishnarai/Damn-vulnerable-sca.git
Step 2. Go to the Directory
cd Damn-vulnerable-sca
Step 3. Use the following docker commands to build the image for the dockerfile and run the image to access the application:
docker compose up
Step 4. Visit http://localhost:3000/ to access the nodejs application and http://localhost:8080 for Springboot for log4j
Our aim is to provide you with a better understanding of vulnerable packages and JAR dependencies so that you can gain hands-on experience. We will keep you updated with the latest CVEs. Stay tuned!
Demo Videos | CVE Exploited |
---|---|
Demo 1 | CVE-2023-42282 |
Demo 2 | CVE-2017-16114 |
Demo 3 | CVE-2021-44228 |
Demo 4 | CVE-2020-9547 |
Demo 5 | XZ-JAVA compromised |
Awesome! The most basic way to show your support is to star the project or raise issues.
Thanks to all the people who already contributed!
Prashant Venkatesh
Nandan Gupta
Hare Krishna Rai
Henrik Plate
Gaurav Joshi
Yoad Fekete