Azul, vendor of Oracle Java alternatives, has bolstered Java vulnerability detection in its cloud analytics offering.
And Azul co-founder and CEO Scott Sellers said organisations can now eliminate up to 99% of false positives when pinpointing vulnerabilities in Java applications.
“Teams can dramatically reduce noise, prioritise real risk and accelerate remediation,” Sellers said. “Azul Intelligence Cloud enables capacity recovery across devops and security teams as a result.”
Teams have typically used appsec or application performance management (APM) tools to match component file names or software-bill-of-materials (SBOM) information.
But because flagged component code from a vulnerable class may never be invoked, an application might not actually be at risk.
Instead, workers can use production runtime data at class level to more precisely reveal Java vulnerabilities. This reduces false positives, according to Azul.
Meanwhile, in Azul’s 2025 State of Java report about one in three organisations surveyed were “wasting time chasing false positives” in alerts of Java-related common vulnerabilities and exposures (CVEs).
Efficient Java vulnerability detection
Azul can detect at runtime if any of 11 CVE-associated vulnerable classes are actually used in production, the vendor said.
“Java components like Log4j comprise Java ARchive (JAR) files, and each JAR file typically contains many classes,” it added.
In summary, Azul Intelligence Cloud is analytics SaaS that can identify and prioritise known security vulnerabilities in Java applications. It uses production runtime data from Oracle JDK or any OpenJDK-based Java virtual machine (JVM).
“A curated knowledge base maps CVEs to classes used at runtime to pinpoint vulnerable components,” the vendor explained.
In addition, the SaaS tool offers historical analysis and retains component and code-use history for determining if vulnerable code has been previously exploited.
( Photo by Christina @ wocintechchat.com on Unsplash )
