Question 1

Why does CVSS say 9.8 but EPSS says 0.1?

Accepted Answer

CVSS measures severity if exploited. EPSS measures likelihood of exploitation. A vulnerability might be severe (CVSS 9.8) but hard to exploit (EPSS 0.1) due to:
- Specific preconditions required
- No public exploit available
- Difficult attack vector
- Limited real-world impact

Example: YAML deserialization in PyYAML has CVSS 9.8 (arbitrary code execution) but EPSS 0.05 (most users aren't deserializing untrusted YAML).

Question 2

Can I use gradle.lock for accurate scanning?

Accepted Answer

Yes. gradle.lock is the source of truth for Gradle builds. Always commit it. GeekWala scans it with full accuracy — exact versions, no guessing.

Question 3

My JAR has a shaded dependency. How do I scan it?

Accepted Answer

Scan the source pom.xml or build.gradle, not the compiled JAR. GeekWala reads the shade plugin configuration and understands which dependencies are bundled internally.

Question 4

A vulnerability was published, but my scanner didn't catch it for 48 hours. Why?

Accepted Answer

Java's advisory fragmentation means vulns can appear in GitHub Security Advisories days before NVD. GeekWala queries multiple sources to minimize this gap, but propagation takes time. Subscribe to mailing lists (Spring, Apache, etc.) for early warning.

Question 5

I have 60+ vulnerabilities found. Where do I start?

Accepted Answer

Filter by CISA KEV first, then sort by EPSS descending. For the full prioritization framework, see our EPSS deep dive.

For Java specifically, prioritize vulnerabilities in:
1. Remote code execution findings (RCE)
2. Authentication/authorization bypass
3. Deserialization vulnerabilities (Jackson, Kryo, etc.)
4. Injection vulnerabilities (SQL, YAML, expression language)

Then sort by EPSS within each category.

Question 6

Does GeekWala work with private Maven repositories?

Accepted Answer

Not yet. GeekWala scans against public Maven Central and OSV databases. Private packages are checked based on their version against known public CVEs. If your private package wraps a public library, vulnerabilities in the public library are still detected. Enterprise private registry support is planned.

Question 7

Can I patch a transitive dependency without updating its parent?

Accepted Answer

Only by adding a direct dependency override in your pom.xml or build.gradle. But be cautious: xml commons-codec commons-codec 1.16 This works but can break compatibility if the parent library expects the old version. Patch the parent library instead when possible. For a side-by-side comparison of all ecosystem scanners, see 7 Dependency Vulnerability Scanners Compared.