
Java Static Scanner getting started guide

This guide explains how to do the following:

  • Use the SandboxAQ Java Static Scanner to scan application bytecode.
  • Use the Java Static Scanner together with the Java Tracer and AQtive Guard to determine coverage and find hard-coded cryptographic values.

Prerequisites

Before using the Java Static Scanner, make sure you’ve followed the installation instructions.

You’ll also need the bytecode (.jar, .war or .class files) for the application you want to scan.

Scanning the bytecode

Run the scanner using the scripts in the java-static-scanner-<VERSION>/bin directory:

  • Linux - java-static-scanner-<VERSION>/bin/java-static-scanner
  • Windows - java-static-scanner-<VERSION>/bin/java-static-scanner.bat

A typical command would be:

/path/to/java-static-scanner-<VERSION>/bin/java-static-scanner \
    --search-path /path/to/application/class/and/jars

This writes a plain-text report to the terminal that lists all of the cryptographic call sites in the scanned bytecode. The call sites are grouped into packages and each line of output shows a single call site. For instance:

cryptosense.showcase.AppMain.multiPurposeKey()V (AppMain.java:323) (javax.crypto.Cipher.doFinal([B)[B)

From left to right, this shows:

  • The class and method where the call site is located. In this example, the class is cryptosense.showcase.AppMain and the method is multiPurposeKey.
  • The method signature, shown in standard Java (JVM descriptor) notation. In this example, it’s ()V, which means that this method takes no arguments and returns void.
  • The filename and line number where this call site can be found in the source. In this example, the call site is in the file AppMain.java on line 323. Note that this information may not always be present in the bytecode; it depends on the options that were used during compilation.
  • The cryptographic method that was called. In this example, the method is javax.crypto.Cipher.doFinal. The signature ([B)[B means that this method takes a byte array as input and returns a byte array.
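The report line format and the descriptor notation described above are easy to turn into structured data, which is what you want when the report is long or when you need a per-API inventory of call sites. The following Python is an added example and is not part of the scanner or its documentation: it parses call-site lines into records, decodes JVM method descriptors such as ()V and ([B)[B into readable Java types, and counts how often each cryptographic API method is called. It assumes that lines without debug information simply omit the (file:line) part and that any line not matching the call-site layout (package headers, blank lines) can be skipped; the sample report is constructed, with only its first line taken from the guide.

```python
"""Parse Java Static Scanner report lines and decode JVM method descriptors."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# JVM field-descriptor codes for primitive types (JVM spec, section 4.3.2).
PRIMITIVES = {
    "B": "byte", "C": "char", "D": "double", "F": "float",
    "I": "int", "J": "long", "S": "short", "Z": "boolean", "V": "void",
}


def _parse_field_type(desc: str, pos: int) -> Tuple[str, int]:
    """Decode one field descriptor starting at desc[pos]; return (java_type, next_pos)."""
    dims = 0
    while desc[pos] == "[":          # each leading '[' adds one array dimension
        dims += 1
        pos += 1
    code = desc[pos]
    if code in PRIMITIVES:
        name, pos = PRIMITIVES[code], pos + 1
    elif code == "L":                # object type: L<internal/name>;
        end = desc.index(";", pos)
        name, pos = desc[pos + 1:end].replace("/", "."), end + 1
    else:
        raise ValueError(f"unknown descriptor code {code!r} in {desc!r}")
    return name + "[]" * dims, pos


def describe_method(desc: str) -> str:
    """Turn a method descriptor such as '([B)[B' into '(byte[]) -> byte[]'."""
    if not desc.startswith("(") or ")" not in desc:
        raise ValueError(f"not a method descriptor: {desc!r}")
    close = desc.index(")")
    args, pos = [], 1
    while pos < close:
        arg, pos = _parse_field_type(desc, pos)
        args.append(arg)
    ret, end = _parse_field_type(desc, close + 1)
    if end != len(desc):
        raise ValueError(f"trailing data in descriptor {desc!r}")
    return f"({', '.join(args)}) -> {ret}"


@dataclass(frozen=True)
class CallSite:
    owner: str                  # class containing the call site
    method: str                 # method containing the call site
    descriptor: str             # its JVM descriptor, e.g. "()V"
    source_file: Optional[str]  # None when the bytecode carries no debug info
    line: Optional[int]
    callee: str                 # cryptographic method that is invoked
    callee_descriptor: str


# One report line: <owner>.<method><desc> [(<file>:<line>)] (<callee><desc>)
# Treating a missing "(file:line)" as a plain omission is an assumption here.
LINE_RE = re.compile(
    r"^(?P<site>\S+?)(?P<site_desc>\([^)]*\)\S+)"
    r"(?: \((?P<file>[^:)]+):(?P<line>\d+)\))?"
    r" \((?P<callee>\S+?)(?P<callee_desc>\([^)]*\)\S+)\)$"
)


def parse_line(line: str) -> Optional[CallSite]:
    """Parse one call-site line; return None for lines that are not call sites."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    owner, method = m["site"].rsplit(".", 1)
    return CallSite(
        owner=owner, method=method, descriptor=m["site_desc"],
        source_file=m["file"], line=int(m["line"]) if m["line"] else None,
        callee=m["callee"], callee_descriptor=m["callee_desc"],
    )


def parse_report(text: str) -> List[CallSite]:
    """Parse a whole report, skipping package headers and blank lines (assumed layout)."""
    sites = [parse_line(raw) for raw in text.splitlines()]
    return [s for s in sites if s is not None]


def callee_histogram(sites: List[CallSite]) -> Counter:
    """Count calls per cryptographic API method, giving a quick crypto-usage inventory."""
    return Counter(f"{s.callee}{describe_method(s.callee_descriptor)}" for s in sites)


# Constructed sample: line 1 is the guide's example; lines 2 and 3 are made up to
# show an object-typed argument and a call site compiled without debug info.
SAMPLE_REPORT = """\
cryptosense.showcase.AppMain.multiPurposeKey()V (AppMain.java:323) (javax.crypto.Cipher.doFinal([B)[B)
cryptosense.showcase.AppMain.multiPurposeKey()V (AppMain.java:319) (javax.crypto.Cipher.init(ILjava/security/Key;)V)
cryptosense.showcase.KeyUtil.<init>([B)V (javax.crypto.spec.SecretKeySpec.<init>([BLjava/lang/String;)V)
"""

if __name__ == "__main__":
    sites = parse_report(SAMPLE_REPORT)
    for s in sites:
        where = f"{s.source_file}:{s.line}" if s.source_file else "<no debug info>"
        print(f"{s.owner}.{s.method}{describe_method(s.descriptor)} at {where} "
              f"-> {s.callee}{describe_method(s.callee_descriptor)}")
    for api, n in callee_histogram(sites).most_common():
        print(f"{n:3d}  {api}")
```

Pipe the scanner's terminal output into parse_report to get the same records for a real application; call sites whose source_file is None are the ones compiled without debug information, which is worth knowing before you try to correlate them with source.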

Note

Refer to the Java Static Scanner reference for information on computing coverage and finding hard-coded cryptographic values.