Scan a Java application

2024/3/11

This article describes how to scan Java applications using Lucent Sky AVM.

For Java applications running on Android, view the following article in the Lucent Sky Knowledge Base:
Scan an Android application

In this article, you will learn how to:

  • Scan a Java application.

At the end, you will be able to scan a Java application.

Ant project

An Ant project has a build file (build.xml).

Navigate to the root of the project directory, and create an archive file with the build file in the root of the archive file.

If a build file is not specified in Analysis Target, Lucent Sky AVM attempts to find a build file in the source code. If one is found, it is used in the build process; otherwise, a default build file is used. To use a specific file as the build file, unmodified, specify the relative path to that build file in Analysis Target. If Lucent Sky AVM fails to recognize the application as an Ant project, include JavaBuild,Ant in scan arguments.

Lucent Sky AVM uses either WEB-INF\classes or src relative to the base directory as the Java source path. To use a different Java source path, set its path relative to the base directory in the JavaSourcePath scan argument. For example, if the base directory is ContosoWeb and the Java source path is ContosoWeb\source, include JavaSourcePath,source in scan arguments. If the Java source path is the base directory itself, set the JavaSourcePath scan argument to empty (JavaSourcePath,).

Lucent Sky AVM looks for build artifacts in Ant output that are EAR, JAR, or WAR files for binary analysis; files under the build\jar and build directories take priority over those elsewhere. To use a specific build artifact for binary analysis, set the JavaBuild scan argument to ant, then use the BuildOutputPath scan argument to specify the path to the build artifact relative to the base directory. For example, if the base directory is ContosoWeb and the build artifact is ContosoWeb\build\jar\Contoso.war, include BuildOutputPath,build\jar\Contoso.war in scan arguments. The specified build artifact must have .ear, .jar, or .war as the file extension.

Other Ant project considerations

  • Base directory

    Scan arguments such as BuildOutputPath, JavaSourcePath, and WebAppPath are relative to the base directory of the application. The base directory of an Ant project is the parent directory of the analysis target. For example, if the analysis target is ContosoWeb\build.xml, the base directory is ContosoWeb.

  • Web applications

    • Lucent Sky AVM analyzes the application structure to locate the WEB-INF directory. If the WEB-INF directory could not be located correctly, specify the path of the parent directory of WEB-INF relative to the base directory in the WebAppPath scan argument. For example, if the base directory is ContosoWeb and the WEB-INF directory is located at ContosoWeb\webapp\WEB-INF, include WebAppPath,webapp in scan arguments.

    • If the project contains JSP files, including JSP compilation targets such as one that uses Jasper in the build file can increase scan coverage of JSP files. For example:

        <project name="Webapp Precompilation" default="all" basedir=".">
            ...
            <!-- ${tomcat.home} is supplied by Lucent Sky AVM during Ant build. -->
            <import file="${tomcat.home}/bin/catalina-tasks.xml"/>
            <target name="jspc">
                <jasper validateXml="false" uriroot="${webapp.path}" webXmlInclude="${webapp.path}/WEB-INF/generated_web.xml" outputDir="${webapp.path}/WEB-INF/src" verbose="9" smapSuppressed="false" smapDumped="true"/>
            </target>
            <target name="compile">
                <javac destdir="${webapp.path}/WEB-INF/classes" debug="on" optimize="off" failonerror="true" srcdir="${webapp.path}/WEB-INF/src" excludes="**/*.smap" target="1.6" source="1.6">
                    <classpath>
                        <pathelement location="${webapp.path}/WEB-INF/classes"/>
                        <fileset dir="${webapp.path}/WEB-INF/lib">
                            <include name="*.jar"/>
                        </fileset>
                        <pathelement location="${tomcat.home}/lib"/>
                        <fileset dir="${tomcat.home}/lib">
                            <include name="*.jar"/>
                        </fileset>
                        <fileset dir="${tomcat.home}/bin">
                            <include name="*.jar"/>
                        </fileset>
                    </classpath>
                    <include name="**"/>
                    <exclude name="tags/**"/>
                </javac>
            </target>
            ...
        </project>
      

      If Lucent Sky AVM encounters compiled JSP bytecode during binary analysis, it looks for the original JSP files in the build directory under the parent directory of the project file, or in the WEB-INF directory under the web app path.

Gradle project

A Gradle project has one or more build scripts (build.gradle or build.gradle.kts).

Navigate to the root of the project directory, and create an archive file with the top-most build script in the root of the archive file.

When creating the scan, specify the relative path to the build script of the project in Analysis Target. If Lucent Sky AVM fails to recognize the application as a Gradle project, include JavaBuild,Gradle in scan arguments.

Lucent Sky AVM uses src\main\java or src\main\groovy relative to the base directory as the Java source path. To use a different Java source path, set its path relative to the base directory in the JavaSourcePath scan argument. For example, if the base directory is ContosoWeb and the Java source path is ContosoWeb\source, include JavaSourcePath,source in scan arguments. If the Java source path is the base directory itself, set the JavaSourcePath scan argument to empty (JavaSourcePath,).

Lucent Sky AVM looks for build artifacts in the build\libs directory that are JAR files for binary analysis. If the build script generates build artifacts other than JAR files, or places them outside the build\libs directory, set the JavaBuild scan argument to gradle, then use the BuildOutputPath scan argument to specify the path to the build artifact relative to the base directory. For example, if the base directory is ContosoWeb and the build artifact is ContosoWeb\build\libs\Contoso.jar, include BuildOutputPath,build\libs\Contoso.jar in scan arguments. The specified build artifact must have .ear, .jar, or .war as the file extension.

Other Gradle project considerations

  • Base directory

    Scan arguments such as BuildOutputPath and JavaSourcePath are relative to the base directory of the application. The base directory of a Gradle project is the parent directory of the analysis target. For example, if the analysis target is ContosoWeb\build.gradle, the base directory is ContosoWeb.

Maven project

A Maven project has one or more POM (Project Object Model) files (pom.xml). It may also contain modules, each with its own POM file.

Navigate to the root of the project directory, and create an archive file with the top-most POM file in the root of the archive file.

When creating the scan, specify the relative path to the pom.xml of the project or module in Analysis Target. The packaging element of the selected pom.xml should be ear, jar, or war. If Lucent Sky AVM fails to recognize the application as a Maven project, include JavaBuild,Maven in scan arguments.

Lucent Sky AVM uses src\main\java or src\main\groovy relative to the base directory as the Java source path. To use a different Java source path, set its path relative to the base directory in the JavaSourcePath scan argument. For example, if the base directory is ContosoWeb and the Java source path is ContosoWeb\source, include JavaSourcePath,source in scan arguments. If the Java source path is the base directory itself, set the JavaSourcePath scan argument to empty (JavaSourcePath,).

Lucent Sky AVM looks for build artifacts in Maven output that are EAR, JAR, or WAR files for binary analysis. If multiple artifacts are generated during the build, all of them are used as analysis targets. To use one or more specific build artifacts for binary analysis, set the JavaBuild scan argument to maven, then use the BuildOutputPath scan argument to specify the path to the build artifacts. For Maven projects without modules, the path is relative to the base directory. For example, if the base directory is ContosoWeb and the build artifact is ContosoWeb\target\Contoso.war, include BuildOutputPath,target\Contoso.war in scan arguments. For multi-module Maven projects, the path is relative to each module's base directory. For example, if the base directories of the modules are api and web, and the build artifacts are api\target\api.jar and web\target\web.jar, include BuildOutputPath,target\*.jar in scan arguments. The wildcard character (*) can be used to match build artifacts with different names across modules. The specified build artifacts must have .ear, .jar, or .war as the file extension.

Other Maven project considerations

  • Base directory

    Scan arguments such as BuildOutputPath, JavaSourcePath, and WebAppPath are relative to the base directory of the application. The base directory of a Maven project is the parent directory of the analysis target. For example, if the analysis target is ContosoWeb\pom.xml, the base directory is ContosoWeb. The base directories of a multi-module Maven project are the module directories. For example, if the Maven project has the api and web modules, the base directories for the modules are api and web, respectively.

  • Maven profiles

    Some projects use profiles to control the build process. Set the JavaBuild scan argument to maven, then use the BuildProperties scan argument to supply these profiles. The value of the argument is passed as the value of the Maven -P switch, so it uses the same syntax. For example: !profile-1,!profile-2,!?profile-3.

  • Web applications

    • Lucent Sky AVM analyzes the application structure to locate the WEB-INF directory. If the WEB-INF directory could not be located correctly, specify the path of the parent directory of WEB-INF relative to the base directory in the WebAppPath scan argument. For example, if the base directory is ContosoWeb and the WEB-INF directory is located at ContosoWeb\src\main\webapp\WEB-INF, include WebAppPath,src\main\webapp in scan arguments.

    • If the project contains JSP files, including a JSP compilation plugin such as jetty-jspc-maven-plugin or jspc-maven-plugin in the <build> section of the POM file can increase scan coverage of JSP files. For example:

        <build>
            ...
            <plugins>
                ...
                <plugin>
                    <groupId>org.eclipse.jetty</groupId>
                    <artifactId>jetty-jspc-maven-plugin</artifactId>
                    <version>${jetty-version}</version>
                    <executions>
                        <execution>
                            <id>jspc</id>
                            <goals>
                                <goal>jspc</goal>
                            </goals>
                            <configuration>
                                <jspc>
                                    <smapSuppressed>false</smapSuppressed>
                                    <smapDumped>true</smapDumped>
                                </jspc>
                                <keepSources>true</keepSources>
                                <useProvidedScope>true</useProvidedScope>
                            </configuration>
                        </execution>
                    </executions>
                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-compiler-plugin</artifactId>
                    <version>${maven-compiler-version}</version>
                    <configuration>
                        <source>1.8</source>
                        <target>1.8</target>
                    </configuration>
                </plugin>
                ...
            </plugins>
            ...
        </build>
      

      If Lucent Sky AVM encounters compiled JSP bytecode during binary analysis, it looks for the original JSP files in the target/classes directory under the parent directory of the project file.

sbt project

An sbt project has one or more build definition files (build.sbt) or a meta-build directory (project).

Navigate to the root of the project directory, and create an archive file with the top-most build definition file or the meta-build directory in the root of the archive file.

When creating the scan, specify the relative path to the build definition file or meta-build directory of the project in Analysis Target. If Lucent Sky AVM fails to recognize the application as an sbt project, include JavaBuild,Sbt in scan arguments.

Lucent Sky AVM uses src\main\scala or src\main\java relative to the base directory as the Java source path. To use a different source path, set its path relative to the base directory in the JavaSourcePath scan argument. For example, if the base directory is ContosoWeb and the Java source path is ContosoWeb\source, include JavaSourcePath,source in scan arguments.

Lucent Sky AVM looks for build artifacts in the target\scala-2.13 directory (2.13 being the Scala version used by the sbt build) that are JAR files for binary analysis. If the build script generates build artifacts other than JAR files, or places them outside the target\scala-* directory, set the JavaBuild scan argument to sbt, then use the BuildOutputPath scan argument to specify the path to the build artifact relative to the base directory. For example, if the base directory is ContosoWeb and the build artifact is ContosoWeb\target\scala-2.13\Contoso.jar, include BuildOutputPath,target\scala-2.13\Contoso.jar in scan arguments. The specified build artifact must have .ear, .jar, or .war as the file extension.

Other sbt project considerations

  • Base directory

    Scan arguments such as BuildOutputPath and JavaSourcePath are relative to the base directory of the application. The base directory of an sbt project is the parent directory of the analysis target. For example, if the analysis target is ContosoWeb\build.sbt, the base directory is ContosoWeb.

Other project types

  • Eclipse legacy project

    An Eclipse legacy project should have a source code directory named java or src at its root directory. If it is a web application, it should also have a WEB-INF directory containing web.xml.

    Navigate to the root of the project directory, and create an archive file with the java or src directory in the root of the archive file.

  • Web application

    If the web application can be opened in Eclipse, follow these steps to export a .war file containing .class and .java files:

    1. In the Project Explorer window, right-click on the project and select Export.
    2. Check Export source files, then select a name for the project and a destination to save the exported file.

    If the web application is a Maven project, follow these steps to generate a .war file containing .class and .java files:

    1. At the command prompt, navigate to the directory containing the top-level pom.xml file of the project.
    2. Use a text editor to open the top-level pom.xml file. Locate the <build> element, and make sure it contains the following. Declaring <resources> replaces Maven's default resource directory, so src/main/resources is listed as well to keep the application's own resources in the .war:

       <build>
           <resources>
               <resource>
                   <directory>${basedir}/src/main/java</directory>
               </resource>
               <resource>
                   <directory>${basedir}/src/main/resources</directory>
               </resource>
           </resources>
       </build>
      
    3. Enter the following command:

       mvn clean package
      

    For projects using other build systems, follow the build system's instructions to export a .war file.

    The exported .war file should contain a WEB-INF directory at its root. The WEB-INF directory should contain a classes directory with source files (.java) and class files (.class), and web.xml.
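The following Python script is an added example, not part of this article or of Lucent Sky AVM. Before uploading, it checks the two layout rules described in the sections above: a project archive must have its build file (build.xml, build.gradle, build.gradle.kts, pom.xml, or build.sbt) at the archive root rather than one directory down, and an exported .war must contain WEB-INF/web.xml plus both .java and .class files under WEB-INF/classes. It also checks that a BuildOutputPath value ends in .ear, .jar, or .war. The sample archives are constructed in memory; the function names and the report format are the example's own.

```python
"""Pre-upload layout checks for a Lucent Sky AVM scan archive.

Added example, not part of the original article or of Lucent Sky AVM.
The archives built at the bottom are constructed sample data.
"""
import io
import posixpath
import zipfile

# Build files the article lists; the one at the archive root decides the project type.
BUILD_FILES = {
    "build.xml": "Ant",
    "build.gradle": "Gradle",
    "build.gradle.kts": "Gradle",
    "pom.xml": "Maven",
    "build.sbt": "sbt",
}
ARTIFACT_EXTENSIONS = (".ear", ".jar", ".war")


def check_project_archive(data: bytes) -> dict:
    """Report the project type detected from a root build file (None if absent).

    Build files nested one level down (e.g. ContosoWeb/pom.xml) are listed
    separately: that layout means the archive was created one directory too
    high, and the build file will not be at the archive root as required.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    root_type = None
    nested = []
    for name in names:
        parent, base = posixpath.split(name)
        if base in BUILD_FILES:
            if parent == "":
                root_type = BUILD_FILES[base]
            else:
                nested.append(name)
    return {"project_type": root_type, "nested_build_files": nested}


def check_war_archive(data: bytes) -> dict:
    """Check an exported .war for web.xml and for sources plus classes under WEB-INF/classes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    classes = [n for n in names if n.startswith("WEB-INF/classes/")]
    return {
        "web_xml": "WEB-INF/web.xml" in names,
        "has_java": any(n.endswith(".java") for n in classes),
        "has_class": any(n.endswith(".class") for n in classes),
    }


def artifact_extension_ok(path: str) -> bool:
    """BuildOutputPath must point at an .ear, .jar or .war file."""
    return path.lower().endswith(ARTIFACT_EXTENSIONS)


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: content}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a Maven project zipped correctly (pom.xml at the root).
GOOD_PROJECT = make_zip({
    "pom.xml": "<project/>",
    "src/main/java/com/contoso/App.java": "class App {}",
})

# Constructed sample: the same project zipped one directory too high.
NESTED_PROJECT = make_zip({
    "ContosoWeb/pom.xml": "<project/>",
    "ContosoWeb/src/main/java/com/contoso/App.java": "class App {}",
})

# Constructed sample: an exported .war with sources and classes side by side.
GOOD_WAR = make_zip({
    "WEB-INF/web.xml": "<web-app/>",
    "WEB-INF/classes/com/contoso/App.java": "class App {}",
    "WEB-INF/classes/com/contoso/App.class": b"\xca\xfe\xba\xbe",
})

# Constructed sample: a .war exported without the Export source files option.
NO_SOURCE_WAR = make_zip({
    "WEB-INF/web.xml": "<web-app/>",
    "WEB-INF/classes/com/contoso/App.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    print(check_project_archive(GOOD_PROJECT))
    print(check_project_archive(NESTED_PROJECT))
    print(check_war_archive(GOOD_WAR))
    print(check_war_archive(NO_SOURCE_WAR))
```

Run it against your own archive by reading the file into bytes and passing it to check_project_archive or check_war_archive; a non-empty nested_build_files list or has_java set to False are the two mistakes that most often cause a scan to fall back to a default build or to binary-only analysis.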

Other considerations

  • Dependencies

    If the project uses Maven to manage its dependencies, make sure the system running the scan can access the repositories (feeds) the project pulls dependencies from.

  • Direct binary analysis

    Lucent Sky AVM can directly scan the binary files of Java applications, with or without the accompanying source code. Direct binary analysis speeds up scans, and also enables the complete analysis of applications that cannot be built for reasons such as missing source code or SDKs. To scan a Java application using direct binary analysis, specify the relative path to the primary binary file within the archive in Analysis Target when creating a scan.

    To learn more about how to scan an application using direct binary analysis, view the following article in the Lucent Sky Knowledge Base:
    Scan an application using direct binary analysis

  • Performance

    If the application has a large number of data files in JSON or XML format, or a large number of backup files, it is recommended to either remove them prior to the scan or set the ExcludeFileTypes scan argument to Backup, Config, or Backup,Config to exclude these files from analysis and improve analysis performance.

    If the application has a large number of media files, it is recommended to remove them prior to the scan to reduce the amount of storage space required.