Java Static Scanner getting started guide
This guide explains how to do the following:
- Use the SandboxAQ Java Static Scanner to scan application bytecode.
- Use the Java Static Scanner together with the Java Tracer and AQtive Guard to determine coverage and find hard-coded cryptographic values.
Prerequisites
Before using the Java Static Scanner, make sure you’ve followed the installation instructions.
You'll also need the bytecode (`.jar`, `.war` or `.class` files) for the application you want to scan.
Scanning the bytecode
Run the scanner using the scripts in the `java-static-scanner-<VERSION>/bin` directory:
- Linux: `java-static-scanner-<VERSION>/bin/java-static-scanner`
- Windows: `java-static-scanner-<VERSION>/bin/java-static-scanner.bat`
A typical command would be:
```
/path/to/java-static-scanner-<VERSION>/bin/java-static-scanner \
  --search-path /path/to/application/class/and/jars
```
This writes a plain-text report to the terminal that lists all of the cryptographic call sites in the scanned bytecode. The call sites are grouped into packages and each line of output shows a single call site. For instance:
```
cryptosense.showcase.AppMain.multiPurposeKey()V (AppMain.java:323) (javax.crypto.Cipher.doFinal([B)[B)
```
From left to right, each line shows:
- The class and method where the call site is located. In this example, the class is `cryptosense.showcase.AppMain` and the method is `multiPurposeKey`.
- The method signature, shown in standard Java (JVM descriptor) notation. In this example it is `()V`, which means that this method takes no arguments and returns `void`.
- The filename and line number where this call site can be found in the source. In this example, the call site is in the file `AppMain.java` on line 323. Note that this information is not always present in the bytecode; whether it is depends on the options that were used during compilation.
- The cryptographic method that was called. In this example, the method is `javax.crypto.Cipher.doFinal`. The signature `([B)[B` means that this method takes a byte array as input and returns a byte array.
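As an added example (not code from the scanner or from this guide), the following Python parser reads call-site lines in the format described above and decodes the JVM method descriptors they contain into readable Java types. The report lines it parses are constructed samples; the handling of a line with no `(File.java:N)` part is an assumption about how the scanner prints a call site whose bytecode carries no debug information, which the guide does not specify.

```python
# Parse Java Static Scanner call-site lines and decode their JVM method descriptors.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines, not real scanner output. The third line assumes the
# "(File.java:N)" part is simply omitted when the class carries no debug info;
# the guide does not state how the scanner prints that case, so this is a guess.
SAMPLE_REPORT = """\
cryptosense.showcase.AppMain.multiPurposeKey()V (AppMain.java:323) (javax.crypto.Cipher.doFinal([B)[B)
cryptosense.showcase.KeyUtil.loadKey(Ljava/lang/String;I)[B (KeyUtil.java:41) (javax.crypto.spec.SecretKeySpec.<init>([BLjava/lang/String;)V)
cryptosense.showcase.Legacy.run()V (java.security.MessageDigest.getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;)
"""
_PRIM = {"B": "byte", "C": "char", "D": "double", "F": "float", "I": "int",
         "J": "long", "S": "short", "Z": "boolean", "V": "void"}
def _read_type(desc: str, i: int) -> tuple[str, int]:
    """Read one type starting at desc[i]; return (Java name, next index)."""
    dims = 0
    while desc[i] == "[":                   # array dimensions
        dims, i = dims + 1, i + 1
    if desc[i] == "L":                      # object type: Lpkg/Name;
        end = desc.index(";", i)
        name, i = desc[i + 1:end].replace("/", "."), end + 1
    else:                                   # primitive or void
        name, i = _PRIM[desc[i]], i + 1
    return name + "[]" * dims, i
def decode_descriptor(desc: str) -> tuple[list[str], str]:
    """'([B)[B' -> (['byte[]'], 'byte[]'); '()V' -> ([], 'void')."""
    params, i = [], 1                       # skip the opening '('
    while desc[i] != ")":
        t, i = _read_type(desc, i)
        params.append(t)
    return params, _read_type(desc, i + 1)[0]
_LINE = re.compile(  # owner.method<desc> [(File:line)] (target<desc>)
    r"^(?P<owner>[\w.$]+)\.(?P<method>[\w$<>]+)(?P<desc>\([^)]*\)\S+)"
    r"(?: \((?P<file>[^:()]+):(?P<line>\d+)\))?"
    r" \((?P<target>[\w.$<>]+)(?P<tdesc>\([^)]*\)\S+?)\)$")
@dataclass
class CallSite:
    owner: str; method: str; params: list[str]; returns: str
    source: Optional[str]; target: str; target_params: list[str]; target_returns: str
def parse_call_site(line: str) -> CallSite:
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised call-site line: {line!r}")
    params, ret = decode_descriptor(m["desc"])
    tparams, tret = decode_descriptor(m["tdesc"])
    source = f"{m['file']}:{m['line']}" if m["file"] else None  # None when no debug info
    return CallSite(m["owner"], m["method"], params, ret, source, m["target"], tparams, tret)
def parse_report(text: str) -> list[CallSite]:
    return [parse_call_site(l) for l in text.splitlines() if l.strip()]
```

Grouping the parsed sites by `target` gives a quick inventory of which cryptographic APIs the application reaches, and sites whose `source` is `None` mark classes that were compiled without debug information.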
Note: Refer to the Java Static Scanner reference for information on computing coverage and finding hard-coded cryptographic values.