Scan an application using direct binary analysis

2024/2/29

Lucent Sky AVM can directly scan the binary files of .NET and Java applications, with or without the accompanying source code. Direct binary analysis speeds up scans and also enables the complete analysis of applications that cannot be built, for example because source code or SDKs are missing.

This article describes how to use direct binary analysis to scan .NET and Java applications.

In this article, you will learn how to:

  • Build an application in the development environment and package it.
  • Scan an application using direct binary analysis.

At the end, you will be able to build, package, and scan an application using direct binary analysis.

.NET

Build and package the application in the development environment

  1. In the development environment, build the application using either MSBuild or Visual Studio.

    • While binary analysis does not require debug symbols, they help the analysis engines generate more meaningful results.

      • To generate debug symbols when using MSBuild, include DebugSymbols=true and DebugType=pdbonly in the build properties.
      • To generate debug symbols when using Visual Studio 2019 or earlier, set Project Properties > Build > Advanced > Debugging information to Pdb-only.
      • To generate debug symbols when using Visual Studio 2022, for .NET or .NET Core projects, set Project Properties > Build > General > Debug symbols to PDB files, current platform; for other projects (such as .NET Framework projects), set Project Properties > Build > Advanced > Debugging information to Pdb-only.
    • If the application uses an ASP.NET web application or web site template, consider publishing the application instead of building it to increase the coverage of binary analysis.

      • To publish an application using Visual Studio 2019 or later, select and hold (or right-click) the application node in Solution Explorer, choose Publish, and then choose to publish to a folder. In publish settings, click Show all settings, expand File Publish Options, select Precompile during publishing, and then click Configure. In the Advanced Precompile Settings dialog, unselect Allow precompiled site to be updatable, select Emit debug information, and then select Save. Finally, select Publish to publish the application to a folder.
      • To publish an application using Visual Studio 2017 or earlier, select and hold (or right-click) the application node in Solution Explorer, and then choose Publish. In publish settings, select the Settings tab, expand File Publish Options, select Precompile during publishing, and then click Configure. In the Advanced Precompile Settings dialog, unselect Allow precompiled site to be updatable, select Emit debug information, and then select Save. Finally, select Publish to publish the application to a folder.
      • To publish an application using the ASP.NET Compilation Tool, open Developer PowerShell for Visual Studio, and enter aspnet_compiler.exe -p "C:\source\website" -v / -f "C:\published", where C:\source\website is the root directory of the application, and C:\published is an arbitrary location to store the published application.

      To learn more about publishing an ASP.NET web app, view the following article on the Microsoft Learn website:
      Quickstart: Publish an ASP.NET web app

  2. After the build is completed, note the path to the primary build artifact (a .dll or .exe file) relative to the root of the project.

    • If the build artifact is outside of the project root, copy the artifact to a directory under the project root.
    • For web site projects, any of the App_*.dll files (such as App_Code.dll) can be used as the primary build artifact.
  3. Create a .zip archive file at the root of the project, without the base directory. The archive should include the project file (a .*proj file), the source code used to build the project, and all build artifacts.

Scan an application using direct binary analysis

  1. Use the Web UI or CLI to create a scan.
  2. Specify the relative path to the primary build artifact in the source code archive in the Analysis Target field. For example, if the primary build artifact is bin\Contoso.Web.dll, set Analysis Target to bin\Contoso.Web.dll.
  3. Multiple DLL and EXE files can be set as analysis targets by specifying their relative paths in the Analysis Target field, separated by commas. For example, Api\bin\Debug\Api.dll,Web\bin\Web.dll.
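The packaging and target rules above (archive created at the project root without the base directory, project file and artifacts included, comma-separated Analysis Target paths, .pdb files optional but recommended) as an added example in Python; this is not Lucent Sky's code, and the project layout it builds is constructed from placeholder files:

```python
import os
import tempfile
import zipfile

def package_project(project_root, archive_path):
    """Zip the project root WITHOUT the base directory: each entry is a path
    relative to the root, so bin/Contoso.Web.dll sits at the top level."""
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _, files in os.walk(project_root):
            for name in files:
                full = os.path.join(dirpath, name)
                zf.write(full, os.path.relpath(full, project_root).replace(os.sep, "/"))
    return archive_path

def check_analysis_targets(archive_path, analysis_target):
    """Validate a comma-separated Analysis Target value against the archive and
    return {target: status}. The article's backslash paths are normalised to the
    forward slashes that zip entries use."""
    with zipfile.ZipFile(archive_path) as zf:
        entries = set(zf.namelist())
    status = {}
    for target in (t.strip() for t in analysis_target.split(",")):
        rel = target.replace("\\", "/")
        if rel not in entries:
            status[target] = "missing"      # wrong path, or artifact left outside the project root
        elif os.path.splitext(rel)[0] + ".pdb" in entries:
            status[target] = "ok"
        else:
            status[target] = "ok, no .pdb"  # scannable, but debug symbols give better results
    # the .*proj file must be at the archive root, which rules out a zipped base directory
    if not any("/" not in e and e.endswith("proj") for e in entries):
        status["<project file>"] = "missing at archive root"
    return status

def run_sample():
    """Constructed sample layout (placeholder bytes, not real binaries) so the
    packaging and validation can be exercised offline."""
    root = tempfile.mkdtemp()
    for rel in ("Contoso.Web.csproj", "Default.aspx.cs", "bin/Contoso.Web.dll",
                "bin/Contoso.Web.pdb", "Api/bin/Debug/Api.dll"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"placeholder")
    archive = package_project(root, os.path.join(tempfile.mkdtemp(), "Contoso.zip"))
    return check_analysis_targets(
        archive, "bin\\Contoso.Web.dll,Api\\bin\\Debug\\Api.dll,bin\\Missing.dll")
```

Running run_sample() reports the first target as ok, the Api target as lacking a .pdb, and the third as missing from the archive.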

Java

Build and package the application in the development environment

  1. In the development environment, build the application using its build tool such as Ant, Gradle, Maven, or sbt.

    • While binary analysis does not require debug symbols, they help the analysis engines generate more meaningful results.

      • To generate debug symbols when using Ant, set the <javac> tag's debug attribute to true and the debuglevel attribute to source,lines,vars in build.xml.
      • To generate debug symbols when using Maven, set the value of the <debug> tag to true and the value of the <debuglevel> tag to source,lines,vars in pom.xml, or omit both tags from pom.xml.
      • To generate debug symbols using another build tool, make sure the -g argument for javac is either not set or set to source,lines,vars.
    • If the application is a web application and can be opened in Eclipse, follow these steps to export a .war file containing .class and .java files:

      1. In the Project Explorer window, select and hold (or right-click) the project and select Export.
      2. Check Export source files, then select a name for the project and a destination to save the exported file.
    • If the application is a web application and uses Ant, follow these steps to generate a .war file containing .class and .java files:

      1. At the command prompt, navigate to the directory containing the top-level build.xml file of the project.
      2. Use a text editor to open the top-level build.xml file. Make sure it contains a <target> element that has a war task that resembles the following:

         <target name="war">
             <war destfile="${dist.path}/webapp.war" webxml="${webapp.path}/WEB-INF/generated_web.xml">
                 <fileset dir="${webapp.path}">
                     <exclude name="*.jsp"/>
                     <exclude name="WEB-INF/generated_web.xml"/>
                     <exclude name="WEB-INF/web.xml"/>
                 </fileset>
             </war>
         </target>
        
      3. If the project contains JSP files, including JSP compilation during the build can increase scan coverage of JSP files. If Lucent Sky AVM encounters compiled JSP bytecode during binary analysis, it looks for the original JSP files in the classes or build directories under the parent directory of the analysis target, or in the WEB-INF directory under the web app path. To learn more about including JSP compilation for Ant projects, view the following article in the Lucent Sky Knowledge Base:
        Scan a Java application

      4. Enter the following command to export the project as a .war file:

         ant <WarTaskName>
        
      5. Use the exported .war file as the source code archive when creating a scan.
    • If the application is a web application and uses Maven, follow these steps to generate a .war file containing .class and .java files:

      1. At the command prompt, navigate to the directory containing the top-level pom.xml file of the project.
      2. Use a text editor to open the top-level pom.xml file.
      3. Locate the <packaging> element, and make sure its value is set to war.
      4. Locate the <build> element, and make sure it contains a <resources/resource> element that resembles the following:

         <build>
             ...
             <resources>
                 <resource>
                     <directory>${basedir}/src/main/java</directory>
                 </resource>
             </resources>
             ...
         </build>
        
      5. If the project contains JSP files, including JSP compilation during the build can increase scan coverage of JSP files. If compiled JSP code is encountered during binary analysis, Lucent Sky AVM looks for the original JSP files in the classes or build directories under the parent directory of the analysis target, or in the WEB-INF directory under the web app path. To learn more about including JSP compilation for Maven projects, view the following article in the Lucent Sky Knowledge Base:
        Scan a Java application

      6. Enter the following command to export the project as a .war file:

         mvn clean package
        
      7. Use the exported .war file as the source code archive when creating a scan.
  2. After the build is completed, note the path to the primary build artifact (such as a .jar file, a .war file, or a classes directory containing one or more .class files) relative to the root of the project.

    • If the build artifact is outside of the project root, copy the artifact to a directory (such as build) under the project root.
  3. Create a .zip archive file at the root of the project, without the base directory. The archive should include the project file (such as build.xml or pom.xml), the source code used to build the project, and all build artifacts. If a .war file is used as the source code archive, skip this step.

Scan an application using direct binary analysis

  1. Use the Web UI or CLI to create a scan.
  2. Specify the relative path to the primary build artifact in the source code archive in the Analysis Target field. For example, if the primary build artifact is target\contoso-web-1.0.0.jar, set Analysis Target to target\contoso-web-1.0.0.jar; if the primary build artifact is the directory WEB-INF\classes, set Analysis Target to WEB-INF\classes. If the analysis target is a directory, it must contain at least one .class file.
  3. Multiple JAR files can be set as analysis targets by specifying their relative paths in the Analysis Target field, separated by commas. For example, api\target\api-1.0.jar,web\target\web-1.0.jar.
  4. (Optional) Specify the Java source path relative to the base directory (the parent directories of the analysis targets when using direct binary analysis) in the JavaSourcePath scan argument. For example, if the analysis target is main\target\contoso-web-1.0.0.jar and the Java source path is main\src\java, include JavaSourcePath,..\src\java in scan arguments.
  5. (Optionally for web applications) Specify the path to the parent directory of the WEB-INF directory relative to the base directory in the WebAppPath scan argument. For example, if the analysis target is main\target\contoso-web-1.0.0.jar and the WEB-INF directory is main\webapp\WEB-INF, include WebAppPath,..\webapp in scan arguments.
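The scan-argument rules in steps 2 to 5 above, worked through as an added example in Python that is not part of the Lucent Sky documentation or product: it derives JavaSourcePath and WebAppPath relative to the base directory (the parent directory of the analysis target) and checks that a directory target holds at least one .class file. It assumes that with several comma-separated targets the first target's parent is the base directory, and the sample layout it checks is constructed:

```python
import os
import posixpath
import tempfile

def _norm(path):
    """Normalise the article's backslash-style paths to forward slashes for path math."""
    return path.strip().replace("\\", "/").rstrip("/")

def base_directory(analysis_target):
    """Base directory = parent directory of the analysis target. Assumption (not on
    the page): with several targets, the first one's parent is used."""
    return posixpath.dirname(_norm(analysis_target.split(",")[0])) or "."

def scan_arguments(analysis_target, java_source_path=None, web_inf_path=None):
    """Derive the JavaSourcePath and WebAppPath scan arguments relative to the base
    directory. web_inf_path is the WEB-INF directory itself; WebAppPath must name its
    parent. Results use backslashes, matching the article's examples."""
    base = base_directory(analysis_target)
    args = []
    if java_source_path:
        rel = posixpath.relpath(_norm(java_source_path), base)
        args.append("JavaSourcePath," + rel.replace("/", "\\"))
    if web_inf_path:
        rel = posixpath.relpath(posixpath.dirname(_norm(web_inf_path)), base)
        args.append("WebAppPath," + rel.replace("/", "\\"))
    return args

def check_targets(project_root, analysis_target):
    """Return {target: ok} for a comma-separated Analysis Target value: a file target
    must exist, and a directory target must contain at least one .class file."""
    results = {}
    for target in (t.strip() for t in analysis_target.split(",")):
        path = os.path.join(project_root, *_norm(target).split("/"))
        if os.path.isdir(path):
            results[target] = any(f.endswith(".class")
                                  for _, _, files in os.walk(path) for f in files)
        else:
            results[target] = os.path.isfile(path)
    return results

def run_sample():
    """Constructed layout (placeholder files, not real bytecode): a compiled classes
    directory, a packaged .jar, and an empty build directory that must be rejected."""
    root = tempfile.mkdtemp()
    for d in ("WEB-INF/classes/com/contoso", "target", "build"):
        os.makedirs(os.path.join(root, *d.split("/")))
    open(os.path.join(root, "WEB-INF", "classes", "com", "contoso", "App.class"), "wb").close()
    open(os.path.join(root, "target", "contoso-web-1.0.0.jar"), "wb").close()
    return check_targets(root, "WEB-INF\\classes,target\\contoso-web-1.0.0.jar,build")
```

For the article's own layout, scan_arguments("main\\target\\contoso-web-1.0.0.jar", "main\\src\\java", "main\\webapp\\WEB-INF") yields JavaSourcePath,..\src\java and WebAppPath,..\webapp.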