Megatron-Java
Megatron-Java is a threat intelligence processing platform for Java security analysis. It aggregates vulnerability data, processes abuse/IP intelligence, analyzes BGP routing data, and tracks CVE and exploit availability, with a focus on Java deserialization vulnerabilities and other Java-specific threats.
Installation
# Clone repository
git clone https://github.com/rojoworking/megatron-java
cd megatron-java
# Build with Maven
mvn clean install -DskipTests
# Download prebuilt JAR
wget https://github.com/rojoworking/megatron-java/releases/download/v2.1/megatron-java-all.jar
# Verify Java version
java -version # Requires Java 11+
# Run help
java -jar megatron-java-all.jar --help
Basic CVE Operations
| Command | Description |
|---|---|
| search --cve CVE-ID | Search specific CVE |
| list --recent | List recent CVEs |
| analyze --jar FILE | Analyze JAR for vulnerabilities |
| report --type TYPE | Generate report |
CVE Database Queries
# Search specific CVE
java -jar megatron-java-all.jar search --cve CVE-2021-44228
# Get detailed CVE information
java -jar megatron-java-all.jar cve --id CVE-2021-44228 --details
# Get CVSS score
java -jar megatron-java-all.jar cve --id CVE-2021-44228 --cvss
# List affected products
java -jar megatron-java-all.jar cve --id CVE-2021-44228 --affected-products
# Search by keyword
java -jar megatron-java-all.jar search --keyword "java deserialization"
# Search by Java version
java -jar megatron-java-all.jar search --java-version 8 --vulnerable
# Find exploitable Java versions
java -jar megatron-java-all.jar search --exploitable --java-version 11
# List critical Java CVEs
java -jar megatron-java-all.jar search --severity CRITICAL --type java
Java Vulnerability Analysis
# Analyze JAR for gadget chains
java -jar megatron-java-all.jar analyze --jar application.jar
# Detailed risk assessment
java -jar megatron-java-all.jar analyze --jar app.jar --risk-report
# List dangerous gadget libraries
java -jar megatron-java-all.jar list --dangerous-libs
# Check specific gadget library
java -jar megatron-java-all.jar check-lib --library commons-collections --version 3.2.1
# Identify all gadgets in JAR
java -jar megatron-java-all.jar analyze --jar app.jar --gadgets --list-all
# Generate SBOM with vulnerabilities
java -jar megatron-java-all.jar sbom --jar app.jar --include-vulnerabilities
# Dependency analysis
java -jar megatron-java-all.jar deps --jar app.jar --highlight-vulnerable
# Reachability analysis
java -jar megatron-java-all.jar analyze --jar app.jar --reachability
Gadget Chain Detection
# List dangerous gadget libraries
java -jar megatron-java-all.jar list --gadget-libs
# Known vulnerable chains:
# - CommonsCollections (all versions before 3.2.2)
# - Spring Framework (before 5.2.3)
# - ROME (all versions)
# - Groovy (all versions)
# - Snakeyaml (before 1.31)
# Check CommonsCollections
java -jar megatron-java-all.jar check-lib \
--library commons-collections \
--version 3.2.1
# Analyze spring-core for vulnerabilities
java -jar megatron-java-all.jar check-lib \
--library spring-core \
--version 5.2.0
# Generate gadget chain report
java -jar megatron-java-all.jar analyze --jar vulnerable.jar \
--gadget-chains \
--output gadget-report.json
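As an added example (not Megatron-Java's own code), the version ranges from the list above encoded as a small offline check that can be run over a dependency listing; the numeric version ordering is an assumption and does not implement full Maven version semantics, and the sample dependency list is constructed.

```python
from typing import Dict, List, Optional, Tuple

# Ranges copied from the "Known vulnerable chains" list above.
# Value is the first fixed version; None means the list marks every version.
KNOWN_GADGET_LIBS: Dict[str, Optional[str]] = {
    "commons-collections": "3.2.2",  # CommonsCollections before 3.2.2
    "spring-core": "5.2.3",          # Spring Framework before 5.2.3
    "rome": None,                    # all versions
    "groovy": None,                  # all versions
    "snakeyaml": "1.31",             # before 1.31
}

# Constructed sample, shaped like a deps listing of (artifact, version) pairs
SAMPLE_DEPS = [("commons-collections", "3.2.1"), ("spring-core", "5.3.0"),
               ("snakeyaml", "1.30"), ("guava", "31.1")]


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1). Keeps the leading digits of each dotted piece and
    drops qualifiers such as '-RC1' (assumption: plain numeric ordering)."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def gadget_finding(artifact: str, version: str) -> Optional[str]:
    """Return a one-line finding if artifact@version falls in a listed range."""
    key = artifact.lower()
    if key not in KNOWN_GADGET_LIBS:
        return None
    fixed_in = KNOWN_GADGET_LIBS[key]
    if fixed_in is None:
        return f"{artifact} {version}: listed as a gadget library in all versions"
    if parse_version(version) < parse_version(fixed_in):
        return f"{artifact} {version}: known gadget chain, upgrade to >= {fixed_in}"
    return None


def check_dependencies(coords: List[Tuple[str, str]]) -> List[str]:
    """Run gadget_finding over every (artifact, version) pair."""
    findings: List[str] = []
    for artifact, version in coords:
        finding = gadget_finding(artifact, version)
        if finding:
            findings.append(finding)
    return findings
```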
Threat Intelligence Feeds
# Update CVE database
java -jar megatron-java-all.jar update --type cve
# Update exploit database
java -jar megatron-java-all.jar update --type exploit
# Update all feeds
java -jar megatron-java-all.jar update --type all
# Check data freshness
java -jar megatron-java-all.jar status --data-age
# Add NVD feed
java -jar megatron-java-all.jar feed add --type nvd \
--url https://nvd.nist.gov
# Add GitHub advisory feed
java -jar megatron-java-all.jar feed add --type github \
--token YOUR_GITHUB_TOKEN
# Add custom feed
java -jar megatron-java-all.jar feed add --custom \
--url https://intel-feed.example.com/cves.json \
--format json
# List active feeds
java -jar megatron-java-all.jar feed list
# Remove feed
java -jar megatron-java-all.jar feed remove --type github
Exploit Intelligence
# Find exploits for specific CVE
java -jar megatron-java-all.jar exploit search --cve CVE-2021-44228
# Check PoC availability
java -jar megatron-java-all.jar exploit --cve CVE-2021-44228 --has-poc
# Get Metasploit modules
java -jar megatron-java-all.jar exploit --cve CVE-2021-44228 --msf
# Search by exploit keyword
java -jar megatron-java-all.jar exploit search --keyword "rce java"
# Timeline of exploits
java -jar megatron-java-all.jar exploit timeline --cve CVE-2021-44228
# Exploits released in date range
java -jar megatron-java-all.jar exploit list \
--since 2021-01-01 \
--until 2021-12-31
# Compare CVE disclosure vs PoC release
java -jar megatron-java-all.jar exploit compare-timeline \
--output timeline.json
# Export exploit data
java -jar megatron-java-all.jar exploit list \
--format json \
--output exploits.json
Batch Vulnerability Scanning
# Scan directory of JARs
java -jar megatron-java-all.jar scan --directory ./lib/
# Scan with detailed output
java -jar megatron-java-all.jar scan --directory ./lib/ \
--output vuln-report.html
# Generate SBOM for all JARs
java -jar megatron-java-all.jar scan --directory ./lib/ --sbom
# Sort by severity
java -jar megatron-java-all.jar scan --directory ./lib/ \
--sort-by-severity
# Export scan results
java -jar megatron-java-all.jar scan --directory ./lib/ \
--format json \
--output scan-results.json
# Parallel scanning
java -jar megatron-java-all.jar scan --directory ./lib/ \
--threads 8
# Detailed vulnerability scoring
java -jar megatron-java-all.jar scan --directory ./lib/ \
--scoring cvss3 \
--include-epss
Report Generation
# HTML comprehensive report
java -jar megatron-java-all.jar report --type html \
--output security-report.html
# PDF report
java -jar megatron-java-all.jar report --type pdf \
--output security-report.pdf
# Executive summary
java -jar megatron-java-all.jar report --type summary \
--output executive-summary.txt
# Timeline report
java -jar megatron-java-all.jar report --type timeline \
--output vulnerability-timeline.json
# Compliance report (PCI-DSS)
java -jar megatron-java-all.jar compliance --type pci \
--output pci-report.html
# SBOM report (CycloneDX)
java -jar megatron-java-all.jar report --type sbom \
--format cyclonedx \
--output sbom.xml
Risk Assessment
# Assess application risk
java -jar megatron-java-all.jar risk-assess --jar app.jar
# CVSS-based scoring
java -jar megatron-java-all.jar risk-assess --jar app.jar \
--scoring cvss3
# EPSS scoring (Exploit Prediction Scoring System)
java -jar megatron-java-all.jar risk-assess --jar app.jar \
--scoring epss
# Include reachability analysis
java -jar megatron-java-all.jar risk-assess --jar app.jar \
--reachability
# Export risk assessment
java -jar megatron-java-all.jar risk-assess --jar app.jar \
--format json \
--output risk-assessment.json
# Risk by library
java -jar megatron-java-all.jar risk-assess --jar app.jar \
--by-library
Patch Management
# Find available patches
java -jar megatron-java-all.jar patches --jar app.jar
# Upgrade path analysis
java -jar megatron-java-all.jar upgrade-path \
--library commons-collections \
--version 3.2.1
# Generate patch report
java -jar megatron-java-all.jar patches --jar app.jar \
--output patch-report.html
# Impact analysis
java -jar megatron-java-all.jar patches --jar app.jar \
--impact-analysis
# Check compatibility
java -jar megatron-java-all.jar upgrade-check \
--library spring-framework \
--from-version 5.2.0 \
--to-version 5.3.0
Integration with Build Tools
Maven Integration
<!-- pom.xml -->
<plugin>
    <groupId>com.rojoworking</groupId>
    <artifactId>megatron-maven-plugin</artifactId>
    <version>2.1</version>
    <executions>
        <execution>
            <phase>verify</phase>
            <goals>
                <goal>analyze</goal>
            </goals>
            <configuration>
                <failOnCritical>true</failOnCritical>
                <failOnHigh>false</failOnHigh>
                <minSeverity>MEDIUM</minSeverity>
            </configuration>
        </execution>
    </executions>
</plugin>
# Run scan
mvn megatron:analyze
Gradle Integration
// build.gradle
plugins {
    id 'com.rojoworking.megatron' version '2.1'
}
megatron {
    analyze = true
    failOnCritical = true
    severity = 'MEDIUM'
    excludeLibraries = ['test-library-1.0']
}
// Run scan
./gradlew megatronAnalyze
Real-World Assessment Workflow
#!/bin/bash
# Complete Java security assessment
set -euo pipefail
APP_JAR="enterprise-app-1.0.jar"
REPORT_DIR="security-assessment-$(date +%Y%m%d)"
mkdir -p "$REPORT_DIR"
echo "[*] Starting Java security assessment..."
# 1. Analyze application structure
echo "[*] Analyzing application structure..."
java -jar megatron-java-all.jar analyze \
    --jar "$APP_JAR" \
    --detailed \
    --output "$REPORT_DIR/analysis.json"
# 2. Scan dependencies
echo "[*] Scanning dependencies..."
java -jar megatron-java-all.jar scan --jar "$APP_JAR" \
--sort-by-severity \
--format json \
--output "$REPORT_DIR/dependencies.json"
# 3. Gadget chain analysis
echo "[*] Analyzing gadget chains..."
java -jar megatron-java-all.jar analyze --jar "$APP_JAR" \
--gadgets \
--output "$REPORT_DIR/gadgets.json"
# 4. Risk assessment
echo "[*] Performing risk assessment..."
java -jar megatron-java-all.jar risk-assess --jar "$APP_JAR" \
--scoring cvss3 \
--output "$REPORT_DIR/risk-assessment.json"
# 5. Patch recommendations
echo "[*] Generating patch guidance..."
java -jar megatron-java-all.jar patches --jar "$APP_JAR" \
--impact-analysis \
--output "$REPORT_DIR/patches.json"
# 6. Generate reports
echo "[*] Creating compliance reports..."
java -jar megatron-java-all.jar compliance \
--type pci \
--jar "$APP_JAR" \
--output "$REPORT_DIR/pci-compliance.html"
# 7. Executive summary
echo "[*] Generating executive summary..."
java -jar megatron-java-all.jar report \
--type summary \
--input "$REPORT_DIR" \
--output "$REPORT_DIR/EXECUTIVE_SUMMARY.txt"
echo "[+] Assessment complete"
echo "[+] Results: $REPORT_DIR"
Continuous Integration/CD
#!/bin/bash
# CI/CD vulnerability check
set -euo pipefail
JAR_FILE="${1:?usage: $0 <jar-file>}"
REPORT_DIR="vuln-scan-$(date +%s)"
mkdir -p "$REPORT_DIR"
# Run scan
java -jar megatron-java-all.jar scan --jar "$JAR_FILE" \
    --format json \
    --output "$REPORT_DIR/results.json"
# Count critical vulnerabilities. Collect the matches into an array and take
# its length: piping pretty-printed objects into `wc -l` would count lines,
# not findings.
CRITICAL_COUNT=$(jq '[.vulnerabilities[] | select(.severity=="CRITICAL")] | length' \
    "$REPORT_DIR/results.json")
if [ "$CRITICAL_COUNT" -gt 0 ]; then
    echo "FAIL: Found $CRITICAL_COUNT critical vulnerabilities"
    exit 1
else
    echo "PASS: No critical vulnerabilities found"
    exit 0
fi
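As an added example (not Megatron-Java's own code), a build gate in Python that applies the failOnCritical / failOnHigh / minSeverity semantics of the Maven plugin configuration above to a scan results file and adds an EPSS threshold; the JSON layout and the field names cve, severity, epss and library are assumptions about the `--format json` output, and the sample results are constructed.

```python
import json
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like an assumed `scan --format json` output.
SAMPLE_RESULTS = json.loads("""
{"vulnerabilities": [
  {"cve": "CVE-2021-44228", "severity": "CRITICAL", "epss": 0.97, "library": "log4j-core"},
  {"cve": "CVE-EXAMPLE-0001", "severity": "HIGH", "epss": 0.02, "library": "example-lib"},
  {"cve": "CVE-EXAMPLE-0002", "severity": "LOW", "epss": 0.01, "library": "example-lib"}
]}""")

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def count_by_severity(results: Dict, min_severity: str = "LOW") -> Counter:
    """Count findings per severity, ignoring anything below min_severity."""
    floor = SEVERITY_RANK[min_severity]
    counts: Counter = Counter()
    for vuln in results.get("vulnerabilities", []):
        sev = vuln.get("severity", "LOW").upper()
        if SEVERITY_RANK.get(sev, 0) >= floor:
            counts[sev] += 1
    return counts


def gate(results: Dict, fail_on_critical: bool = True, fail_on_high: bool = False,
         min_severity: str = "MEDIUM",
         epss_threshold: Optional[float] = None) -> Tuple[bool, List[str]]:
    """Return (should_fail, reasons). Defaults mirror the plugin settings above;
    epss_threshold is an extra knob: fail if any counted finding's EPSS reaches it."""
    reasons: List[str] = []
    counts = count_by_severity(results, min_severity)
    if fail_on_critical and counts["CRITICAL"]:
        reasons.append(f"{counts['CRITICAL']} CRITICAL finding(s)")
    if fail_on_high and counts["HIGH"]:
        reasons.append(f"{counts['HIGH']} HIGH finding(s)")
    if epss_threshold is not None:
        floor = SEVERITY_RANK[min_severity]
        for vuln in results.get("vulnerabilities", []):
            sev = vuln.get("severity", "LOW").upper()
            if SEVERITY_RANK.get(sev, 0) >= floor and vuln.get("epss", 0.0) >= epss_threshold:
                reasons.append(f"{vuln['cve']} EPSS {vuln['epss']} >= {epss_threshold}")
    return bool(reasons), reasons


if __name__ == "__main__":
    failed, why = gate(SAMPLE_RESULTS)
    print("FAIL" if failed else "PASS", "; ".join(why))
```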
Best Practices
- Update threat intelligence feeds weekly
- Scan applications at build time with Maven/Gradle
- Track exploit availability for critical CVEs
- Prioritize deserialization gadget removal
- Monitor Java runtime updates
- Maintain software bill of materials (SBOM)
- Implement patch management process
- Use CVSS 3.1 and EPSS scoring
- Test patch compatibility before deployment
- Generate compliance reports regularly
Troubleshooting
# Increase heap memory
export _JAVA_OPTIONS="-Xmx2G"
java -jar megatron-java-all.jar scan --directory ./lib/
# Debug mode
java -jar megatron-java-all.jar scan --jar app.jar --debug
# Verify database
java -jar megatron-java-all.jar verify --database
# Update feeds with logging
java -jar megatron-java-all.jar update --type all --verbose
Last updated: 2026-03-30