This article shows you how to analyze your applications that are written in Java using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.
- NG SAST supports the analysis of applications written in Java 7 through Java 11. We offer partial support for apps written in Java 14 and 15 (please reach out to ShiftLeft for additional details).
- Your build environment must have at least 16 GB of memory available.
NG SAST utilizes Java SE Runtime Environment 8; if necessary, you can install it using sl update jre.
Building Your Application
NG SAST's code analysis is performed on the compiled application bytecode (not on the source code). As such, you must build your application before you can analyze the application with NG SAST.
Some build tools you might consider include Maven, Gradle, sbt, etc.
Analyzing Your Java Application
To analyze your Java application, run:
|Option|Description|
|--app <name>|The name of the application to be analyzed|
|--java|The flag identifying the application's language|
|<path>|The location of the application's |
See the CLI reference for additional sl analyze options.
If you're using a templating framework like JavaServer Pages (JSP), the templates are included in the .war file analyzed.
Combining Multiple Artifacts for Analysis
You can combine multiple .JAR files for analysis by NG SAST as follows:
Note that you can include --dep as many times as needed:
When running code analysis, we recommend using a heap size that includes an additional 20% of headroom, so that your server still has sufficient physical memory for other requirements (e.g., Java itself).
To that end, we recommend setting the process environment variable SHIFTLEFT_JAVA_OPTS (e.g., SHIFTLEFT_JAVA_OPTS="-Xmx10g"), which lets ShiftLeft run with the heap memory required for your particular application.
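The following shell script is an added example, not part of the ShiftLeft documentation or the sl tool: it assembles the sl analyze invocation for an application with several dependency JARs (repeating --dep as described above) and checks the memory guidance before exporting SHIFTLEFT_JAVA_OPTS. The placement of the --dep flags before the application path and the gigabyte-based size check are assumptions.

```shell
#!/bin/sh
# Added example: wrap `sl analyze` for a Java app with multiple artifacts.
set -eu

# Assemble the command line. The first JAR/WAR is the application itself; every
# further artifact becomes its own --dep flag. Assumption: --dep flags may appear
# before the application path (the page only states --dep can be repeated).
build_analyze_cmd() {
  app_name="$1"; shift
  main_artifact="$1"; shift
  cmd="sl analyze --app ${app_name} --java"
  for dep in "$@"; do
    cmd="${cmd} --dep ${dep}"
  done
  printf '%s' "${cmd} ${main_artifact}"
}

# Check the page's memory requirements, all values in whole GB:
#  - the build environment needs at least 16 GB;
#  - the heap plus 20% headroom must fit in physical memory
#    (heap * 1.2 <= total, computed as heap * 6 <= total * 5 to stay in integers).
memory_ok() {
  total_gb="$1"; heap_gb="$2"
  [ "$total_gb" -ge 16 ] || return 1
  [ $((heap_gb * 6)) -le $((total_gb * 5)) ]
}

# Produce the SHIFTLEFT_JAVA_OPTS value for a heap size in GB (e.g. "-Xmx10g").
java_opts_for_heap() {
  printf -- '-Xmx%sg' "$1"
}

# Run the analysis only when the memory check passes. Constructed sample values:
# a 32 GB build host and a 10 GB heap for an app with two dependency JARs.
run_analysis() {
  total_gb="$1"; heap_gb="$2"; shift 2
  if ! memory_ok "$total_gb" "$heap_gb"; then
    echo "insufficient memory: ${heap_gb}g heap + 20% headroom on ${total_gb}g host" >&2
    return 1
  fi
  SHIFTLEFT_JAVA_OPTS="$(java_opts_for_heap "$heap_gb")"
  export SHIFTLEFT_JAVA_OPTS
  echo "SHIFTLEFT_JAVA_OPTS=${SHIFTLEFT_JAVA_OPTS}"
  build_analyze_cmd "$@"; echo   # print the command; replace with `eval` to execute it
}

# Example invocation (prints the command rather than running sl):
# run_analysis 32 10 myapp target/app.war lib/core.jar lib/util.jar
```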
Optionally, you can choose to analyze your application using the Code Property Graph (CPG) mode. With CPG mode, ShiftLeft builds the CPG locally, then uploads it (rather than your application's code) to the ShiftLeft cloud for analysis.
To analyze your application using CPG mode, include the option --cpg in the sl analyze command (e.g., sl analyze --app <name> --java --cpg <path>).
Source Code View
The ShiftLeft Dashboard's findings list can include URLs that, when used, will direct you to the specific source code lines where the vulnerability occurs.
However, to leverage ShiftLeft's source code view with Java applications, you must augment the source code filepaths by passing the --vcs-prefix-correction flag to sl analyze. NG SAST analyzes the bytecode, not the source code, so you need to provide additional information about your filepath structure to ensure that NG SAST generates the links properly.