Java Static Scanner FAQ
Why would there be Insecure Crypto hidden in my Java Applications?
As well as the cryptography used by the "business logic", modern applications built inside frameworks typically include multiple libraries and dependencies that themselves call cryptographic libraries in order to manage single sign-on, database encryption, credential management, TLS, etc.. Security of the crypto in these elements is highly variable, and often subject to subtle changes in the configuration files that control their behaviour. Problems in these elements can compromise the security of the whole application.
What results will I get using the Scanner?
You will receive a breakdown of all the crypto calls in the application by package, a summary indicating the nature of the crypto operations the application uses (encryption, signature, key generation, etc.), and a measure of the risk of finding a high-criticality vulnerability based on statistics derived from several millions of crypto calls from real applications tested by our Analyzer platform.
How is the Vulnerability Risk computed?
We used the traces generated on our SaaS platform to analyze thousands of call sites. We determined the chance of getting at least one rule instance per call site and then calculated an average percentage based on all call sites observed per type of operation (encryption/decryption, asymmetric key generation...). This enabled us to compute the probability of risk per type of operation. Once the scanner gives the number of call sites per operation used in the application, it can then calculate the risk of getting at least one crypto flaw in your application. We used the same process to calculate the chance of getting at least one high-criticality flaw in your app.
What makes our Static Scanner different from any other SAST Tool available on the market?
Our Static Scanner provides complete coverage of crypto calls giving you a full and precise cartography of the crypto used by your application.
Typical SAST tools only report crypto calls that trigger one of their rules. The number of these rules is limited since crypto only is one among many security domains those tools test, when Cryptosense focuses solely on cryptography.
Will the Scanner detect the Crypto Libraries used in my App?
Since the libraries are loaded at run time, our Static Scanner is not able to do this. Cryptosense Analyzer, that works during execution, is able to do this (available in SaaS and on-premises).
Can I exclude packages from the result if I don't want to see them in the Scan?
Yes, there is a command-line parameter setting for that.
Will the Scanner make any modifications to my Application?
No, the scan will just read the code.
Do I need to provide the Source Code of my App to use the Scanner?
No, the scanner works on Java byte code (.JAR or .CLASS files).
Can I run the Scanner on several Applications?
Yes you can run it against as many .JAR and .CLASS files as you want.
Does the Scanner need an Internet connection to work?
No, the scanner works in isolation and doesn't need an internet connection to work. It does not send any information to any remote servers.
Still have questions?
See the manual