JVM languages analysis recommendations
When a .war file contains JavaScript and HTML5 and Java is present only in .jar libraries, we recommend uploading the built project for analysis as a ZIP archive, so that all the languages in the archive as well as the configuration files are analyzed. Select the Prebuilt project with .class files option in the analysis settings.
Figure 10.80: JVM analysis configuration
To analyze a Java application, compiled .class files are required. To get more accurate results, we recommend placing the built project in the archive together with its sources, that is, the whole development directory after running mvn package or gradle build. In this case, select the Prebuilt project with .class files option as well. You can also upload .war and .jar files for analysis if they contain Java code.
If you wish to analyze libraries along with the project code, choose the Analyze libraries and nested archives option in the analysis settings. In this case, .class files are recursively extracted from nested JAR/WAR/ZIP archives and analyzed. This option requires more resources than the other analysis options. You can remove .jar files that are not project libraries from the archive and then enable Analyze libraries and nested archives; this way all the project code and internal libraries are analyzed, and the results will not contain vulnerabilities from third-party libraries.
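The packaging advice above (zip the whole development directory after the build, drop third-party .jar files, keep project ones) and the nested-archive extraction can be tried out with the following added example; it is not part of the product and uses constructed names (a "demo-" jar prefix, a fake project tree, upload.zip) rather than anything from the analyzer.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_analysis_archive(project_dir, out_zip, project_jar_prefixes):
    """Zip the whole development directory (sources, .class files, config).
    Jars whose name does not start with a project prefix are left out so the
    results carry no third-party findings. Returns (files added, skipped jars)."""
    root, added, skipped = Path(project_dir), 0, []
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(p for p in root.rglob("*") if p.is_file()):
            rel = path.relative_to(root).as_posix()
            if path.suffix == ".jar" and not path.name.startswith(project_jar_prefixes):
                skipped.append(rel)
                continue
            zf.write(str(path), rel)
            added += 1
    return added, skipped


def count_nested_classes(data):
    """Count .class entries in an archive and, recursively, in nested JAR/WAR/ZIP
    members: a rough measure of the extra work the nested-archives option does."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                total += 1
            elif info.filename.lower().endswith((".jar", ".war", ".zip")):
                total += count_nested_classes(zf.read(info))
    return total


def _jar(*class_names):
    """Constructed stand-in for a jar: a zip holding empty .class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in class_names:
            zf.writestr(name, b"")
    return buf.getvalue()


def demo():
    """Constructed tree standing in for a project directory after 'mvn package'."""
    base = Path(tempfile.mkdtemp())
    tree = {"src/main/java/App.java": b"class App {}", "target/classes/App.class": b"",
            "target/demo-core.jar": _jar("Core.class", "Util.class"),
            "lib/commons-lang3.jar": _jar("Vendor.class")}  # vendor jar, not project code
    for rel, data in tree.items():
        (base / "proj" / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / "proj" / rel).write_bytes(data)
    added, skipped = build_analysis_archive(base / "proj", base / "upload.zip", ("demo-",))
    return added, skipped, count_nested_classes((base / "upload.zip").read_bytes())
```

demo() keeps the source, the loose .class file and the project jar (3 files), skips lib/commons-lang3.jar, and the nested count comes to 3 (one loose .class plus two inside demo-core.jar).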
It is possible to analyze a Java application when only its source code is available, although this is quite demanding and requires a build environment to be prepared.