Starting Java, Scala, Kotlin or Android Applications Analysis
The following methods of importing Java, Scala, Kotlin, or Android projects for analysis are available:
- Upload file from a local device. Upload an archive with the application source code and/or bytecode (ZIP, 7Z, RAR (up to version 4.0), EAR, AAR, tar.bz2, tar.gz, tar, or cpio), or an executable application file (.war, .jar, .aab, .apk, .dll, .exe, or .app).
- Upload via link. There are two ways to download a project via a link:
  - Specify the path to the repository with the project source code (Git and Subversion are supported). DerScanner's server must have network access to the specified repository: it must be possible to download the code from that link with the git clone or svn export command. Example links:
    - https://gitlab.example.com/myproject.git (Git)
    - ssh://gitlab.example.com/myproject (Git)
    - https://svn.example.com/mysvnproject/trunk/ (Subversion)
    - svn://svn.example.com/mysvnproject/branches/my-branch (Subversion)
    - svn+ssh://svn.example.com/mysvnproject/ (Subversion)
    To upload code from a private repository, specify your username and password. Prefer a read-only account or access token scoped to that repository rather than a personal password. For more information about analysis settings, see Settings.
  - For Android apps, specify a Google Play application link, e.g., https://play.google.com/store/apps/details?id=package.
A list of supported file extensions can be found in the Appendix.
Figure 5.3: Upload app
During analysis, DerScanner works on an intermediate representation of the code (its model), not on the source code itself or on the executable code instructions. For languages compiled to Java bytecode (Java, Scala, Kotlin, Android applications), the model is close to the bytecode itself, so bytecode is required for the analysis: either uploaded by the user or produced by building the project. In any case, the analysis results are mapped back to the source code, either the source provided by the user or source obtained by decompiling, down to the exact line where a vulnerability was detected.
- When analyzing an archive, it is recommended to include the project's compiled .class files (bytecode) in the archive alongside the source code. In this case, when starting the analysis, you can enable the additional setting Prebuilt project with .class files.
- When analyzing source code uploaded as an archive or by repository link, if you choose Source code (will be built by DerScanner), DerScanner builds the project automatically with Maven, Gradle, or SBT. The project must therefore compile without errors on the machine where the DerScanner analyzer is installed, including access to the dependencies the build needs.
- When analyzing source code uploaded as an archive or by repository link, if you choose Source code (build with own tools), DerScanner builds the project with the custom build tools and parameters you provide.
- When analyzing Java, Scala, Kotlin, or Android applications, you can enable the additional option Analyze libraries and nested archives. In this case, recursively nested .jar and .class files are also analyzed.
- For JavaServer Pages (JSP) analysis, the location of the JSP files must match the structure of the .war file.
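The following shell script is an added example, not DerScanner's own tooling or part of its documentation, of preparing the archive described in the first item above for the Prebuilt project with .class files setting: it packages the sources, the build descriptor and the compiled bytecode into a tar.gz (one of the accepted archive formats) and refuses to package a project that has not been compiled. It assumes a Maven-style layout (sources under src/, descriptor pom.xml, compiled bytecode under target/classes/); that layout and the function names package_prebuilt and archive_has are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not DerScanner's code). Assumed layout: Maven-style project with
# sources under src/, pom.xml at the root and compiled .class files under
# target/classes/. Works with any layout as long as .class files exist somewhere
# under the project directory.
set -eu

# package_prebuilt PROJECT_DIR OUTPUT_TGZ
# Archives the whole project tree (sources, build descriptors, compiled .class
# files and any dependency .jar files, which "Analyze libraries and nested
# archives" can then cover) into a tar.gz for upload. VCS metadata and test
# reports are left out: they are not needed for the analysis.
package_prebuilt() {
    project_dir=$1
    out=$2

    # The prebuilt setting is useless without bytecode, so fail early instead
    # of uploading a source-only archive under that setting.
    if [ -z "$(find "$project_dir" -name '*.class' -print | head -n 1)" ]; then
        echo "no .class files under $project_dir: build the project first" >&2
        return 1
    fi

    tar -czf "$out" -C "$project_dir" \
        --exclude=.git --exclude=.svn --exclude=.gradle \
        --exclude=target/surefire-reports \
        .
}

# archive_has RELATIVE_PATH TGZ
# Succeeds if the archive lists an entry ending in RELATIVE_PATH; use it to
# confirm both sources and bytecode made it into the upload.
archive_has() {
    tar -tzf "$2" | grep -q -- "$1\$"
}
```

Run it as package_prebuilt ./myproject myproject.tar.gz after a successful build, then check with archive_has that a representative .java file and its .class file are both present before uploading. If the project depends on local .jar files (for example under lib/), leave them in the tree: they are archived as-is and are analyzed when Analyze libraries and nested archives is enabled.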
For advanced analysis settings, click Show Settings (fig. 5.4). For details, see General.
Figure 5.4: Show settings