Eclipse Steady analyzes Java and Python applications in order to:

  • detect whether they depend on open-source components with known vulnerabilities,
  • collect evidence of the execution of vulnerable code in a given application context (through a novel combination of static and dynamic analysis), and
  • support developers in the mitigation of such vulnerable dependencies.

Eclipse Steady addresses the OWASP Top 10 security risk A9, Using Components with Known Vulnerabilities. Differently from other tools that have similar goals, the detection approach of Eclipse Steady is code-centric and usage-based, which allows for a more accurate detection and assessment than tools relying on meta-data.

Eclipse Steady is implemented as a collection of client-side tools (for Java and Python), server-side RESTful services and several Web frontends. Initially developed by SAP Security Research, Eclipse Steady was adopted internally by SAP as early as 2015. The tool has been open-sourced in October 2018 under the Apache License v.2.0.

The approach implemented in Eclipse Steady is described in detail in the the following scientific papers:


  • Henrik Plate (SAP Security Research)
  • Serena E. Ponta (SAP Security Research)
  • Antonino Sabetta (SAP Security Research)
  • Cédric Dangremont (SAP Security Testing and Validation)
  • Sumeet Patil (SAP Security Testing and Validation)
  • Alessandro Pezzé
  • Hoang Quoc Trung