Close Open Privacy Scan
App Privacy Score
Low risk · 14 finding(s)
Dependency score: 97 (Low risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz External domains
commons.apache.org
</> First-Party Code
first-party (java): jvm-packages/xgboost4j
java first-partyexpand_more 3 low-confidence finding(s)
String os = System.getProperty("os.name", "generic").toLowerCase(Locale.ENGLISH);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String arch = System.getProperty("os.arch", "generic").toLowerCase(Locale.ENGLISH);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
String libraryPath = System.getProperty(getPropertyNameForLibrary(libName));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (java): jvm-packages/xgboost4j-example
java first-partyexpand_more 2 low-confidence finding(s)
FileInputStream in = new FileInputStream(f);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
FileInputStream in = new FileInputStream(f);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
</> Dependencies
com.esotericsoftware:kryo
java dependencyexpand_more 2 low-confidence finding(s)
public static final boolean isAndroid = "Dalvik".equals(System.getProperty("java.vm.name"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if ("false".equals(System.getProperty("kryo.unsafe"))) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
commons-logging:commons-logging
java dependencyexpand_more 7 low-confidence finding(s)
return AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty(key, def));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
logDiagnostic("[ENV] Extension directories (java.ext.dir): " + System.getProperty("java.ext.dir"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
logDiagnostic("[ENV] Application classpath (java.class.path): " + System.getProperty("java.class.path"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
name = System.getProperty("org.apache.commons.logging.log");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
name = System.getProperty("org.apache.commons.logging.Log");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty(key, def));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
prop = System.getProperty(name);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- org.scala-lang:scala-compiler prod — no sources jar (404)
- org.scala-lang.modules:scala-collection-compat_${scala.binary.version} prod — no sources jar (404)
- org.scala-lang:scala-library prod — no sources jar (404)
- org.apache.hadoop:hadoop-common prod — no sources jar (404)
- ml.dmlc:xgboost4j-spark_2.12 prod — no sources jar (404)
- ml.dmlc:xgboost4j-flink_2.12 prod — no sources jar (404)
- ml.dmlc:xgboost4j_2.12 prod — no sources jar (404)
- org.apache.flink:flink-clients prod — no sources jar (404)