Starting Java, Scala, Kotlin or Android Applications Analysis
The following methods of importing Java, Scala, Kotlin, or Android projects for analysis are available:
- Upload file from a local device. Upload an archive with the application source code and/or bytecode (ZIP, 7Z, RAR (up to version 4.0), EAR, AAR, tar.bz2, tar.gz, tar, cpio) or an executable application file (.war, .jar, .aab, .apk, .dll, .exe, or .app).
- Upload via link. Specify a path to the repository with the project source code (Git and Subversion are supported). DerScanner's server should have access to the specified repository: via the link, it should be possible to download the code from the repository using the git clone or svn export command. Example links:
  - https://gitlab.example.com/myproject.git (Git)
  - ssh://gitlab.example.com/myproject (Git)
  - https://svn.example.com/mysvnproject/trunk/ (Subversion)
  - svn://svn.example.com/mysvnproject/branches/my-branch (Subversion)
  - svn+ssh://svn.example.com/mysvnproject/ (Subversion)
  To upload code from a private repository, specify your username and password. For more information about analysis settings, see Settings.

A list of supported file extensions can be found in the Appendix.
Figure 5.3: Upload app
During analysis, DerScanner considers the intermediate representation of the code (its model), not the source code itself or the executable code instructions. For applications written in languages compiled into Java bytecode (Java, Scala, Kotlin, Android applications), the model uses a representation close to the bytecode itself, so the bytecode is required for analysis. In any case, the results of the analysis are mapped to the source code, whether provided by the user or obtained by decompiling, down to the exact line of source code where a vulnerability was detected.
- When analyzing an archive, pass not only the source code but also the bytecode of the project, i.e. an archive that contains both the source files (extensions .java, .scala, .kt) and their corresponding .class files at the top level of the archive. Typically, this corresponds to the project archive after a build. When starting the scan, set the additional setting Prebuilt project with .class files. This is the optimal way to analyze JVM projects. Code can also be uploaded as .jar and .war files if they contain both .class files and source files; in this case, in addition to the Prebuilt project with .class files option, activate the Analyze libraries and nested archives checkbox.
- When .class files are unavailable, send the source code to be built on the DerScanner server. To perform the build, select the Source code (will be built by DerScanner) option in the scan settings. The system needs the built project because DerScanner analyzes the intermediate representation of the code (its model), not the source code or the executable code themselves; for languages that compile to Java bytecode (Java, Scala, Kotlin, Android mobile applications) that model is close to the bytecode, which is therefore required for analysis. The analysis results are mapped to the source code regardless of source code availability.
- When analyzing source code as an archive or via a link to a repository with the Source code (build with agent) option set, DerScanner builds the project using the selected tool according to the specified parameters. It is recommended to pass absolute paths to tools, scripts, and utilities in build commands. Example for Maven: /usr/local/bin/mvn clean package.
Please note: the build commands passed via the DerScanner UI, along with the source code, are run by a service with the rights of the derscanner user in the agent's working directory.
- When analyzing source code as an archive or via a link to a repository with the Source code (no build needed, only for Java) option set, the scan proceeds without a build. Please note that in this case fewer vulnerability search rules are applied than for a built project.
- For JavaServer Pages (JSP) analysis, the location of the JSP files and the structure of the .war file should match.
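A pre-upload check for the Prebuilt project with .class files mode described above, added here as an example and not part of DerScanner's documentation or tooling. It assumes a Maven-style Java layout (sources under src/main/java, compiled classes under target/classes, both caller-supplied), verifies that every .class file has the source file findings would be mapped to, and packs both trees into a tar.gz, one of the accepted upload formats.

```shell
#!/bin/sh
# Added example, not DerScanner's own tooling. Before uploading a "prebuilt
# project with .class files" archive, make sure every compiled class has a
# source counterpart; findings in a class without source cannot be mapped to
# source lines. Only .java sources are checked: Kotlin and Scala class names
# need not match their file names (assumption: Java-only project).

# Prints each .class file (relative to CLS_DIR) that has no matching .java
# file under SRC_DIR. Returns 0 when every class is covered, 1 otherwise.
check_sources_present() {
  src_dir=$1
  cls_dir=$2
  missing=$(
    find "$cls_dir" -type f -name '*.class' | while IFS= read -r cls; do
      rel=${cls#"$cls_dir"/}   # com/example/App$1.class
      base=${rel%.class}       # com/example/App$1
      base=${base%%\$*}        # com/example/App (inner classes share the outer source)
      [ -f "$src_dir/$base.java" ] || printf '%s\n' "$rel"
    done
  )
  if [ -n "$missing" ]; then
    printf 'class files without source:\n%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# Packs the source and class trees of a built project into one tar.gz
# (an accepted upload format) after the coverage check passes.
pack_prebuilt() {
  project_dir=$1
  out=$2
  check_sources_present "$project_dir/src/main/java" "$project_dir/target/classes" || return 1
  tar -czf "$out" -C "$project_dir" src/main/java target/classes
}
```

Run `pack_prebuilt /path/to/project upload.tar.gz` after `mvn clean package`; a non-zero exit lists the classes whose sources are missing from the archive.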
For advanced analysis settings, click Show Settings (fig. 5.4). For details, see General.
Figure 5.4: Show settings