Java Source
This article shows you how to analyze your applications written in Java using preZero. It assumes that you have already set up and authenticated with Qwiet.
Requirements
See Prerequisites for more information.
Analyzing your Java application
To analyze your Java application's source files, run:
sl analyze --app <name> --javasrc [<path-to-sourcecode>]
Parameter | Description |
---|---|
--app <name> | The name of the application to be analyzed (maximum length: 100 characters) |
--javasrc | The flag identifying the application's language |
<path-to-sourcecode> | The location of the application's code to be analyzed |
Additional parameters
The analysis accepts additional parameters after a double hyphen (--).
For example, the following enables fetching dependencies and excludes any folder with tests in its path:
sl analyze --app Xyz --javasrc /path/to/my/java-project -- --fetch-dependencies --exclude-regex 'tests'
Such parameters, if valid, are passed directly to the Java plugin.
Parameter | Description |
---|---|
--exclude <file1>,<file2>,... | files or folders to exclude during CPG generation (paths relative to <input-dir> or absolute paths) |
--exclude-regex <value> | a regex specifying files to exclude during CPG generation (paths relative to <input-dir> are matched) |
--enable-early-schema-checking | enables early schema validation during AST creation (disabled by default) |
--enable-file-content | add the raw source code to the content field of FILE nodes to allow for method source retrieval via offset fields (disabled by default) |
--inference-jar-paths <value> | extra jars used only for type information (comma-separated list of paths) |
--fetch-dependencies | attempt to fetch dependencies jars for extra type information |
--delombok-java-home <value> | Optional override to set java home used to run Delombok. Java 17 is recommended for the best results. |
--delombok-mode <value> | Specifies how delombok should be executed. Options: no-delombok (do not use delombok for analysis or type information); default (run delombok if a lombok dependency is found and analyse delomboked code); types-only (run delombok, but use it for type information only); run-delombok (run delombok and use delomboked source for both analysis and type information) |
--jdk-path <value> | JDK used for resolving builtin Java types. If not set, current classpath will be used |
Tagging results with your branch name
To include the branch name in your preZero results, allowing you to distinguish one set of results from another, add the following to your invocation of Qwiet:
sl analyze --tag branch=$(git symbolic-ref --short HEAD)
If you're working in a GitHub environment (e.g., GitHub Actions), you can also use --tag branch=${{ github.head_ref }} to populate your branch name.
If you don't provide a branch name, but Qwiet detects one available in your environment, it will use that name.
Memory
When running code analysis, we recommend choosing a heap size that leaves an additional 20% of physical memory free on your server for other requirements (e.g., Java).
We recommend setting a process environment variable called SHIFTLEFT_JAVA_OPTS (e.g., SHIFTLEFT_JAVA_OPTS="-Xmx10g") so that Qwiet can set the heap memory required for your particular application when it runs.
Troubleshooting
If you have any issues scanning your project, please see our general troubleshooting page, as well as our Java-specific suggestions that follow.
Java requirements
We require Java 1.8 for code analysis. If no Java runtime (JRE) is available, the Qwiet CLI will automatically download and install JRE 1.8 into the $HOME/.shiftleft directory. You can confirm the JRE download in the verbose log:
[TRACE] Looking for prefix:(jre-) suffix:(.tar.gz)
[TRACE] removed 0 files
[TRACE] extracting /home/vsts/.shiftleft/jre172685618
[TRACE] extracting /home/vsts/.shiftleft/jre172685618/lib
[TRACE] extracting /home/vsts/.shiftleft/jre172685618/lib/resources.jar
[TRACE] extracting /home/vsts/.shiftleft/jre172685618/lib/logging.properties
Analysis timeouts
If your analysis times out, you can try adjusting the memory allocated to the scan.
First, set the SL_CPG_OPTS environment variable as follows:
export SL_CPG_OPTS="-J-Xms2g -J-Xmx7g"
Set -Xmx to the maximum RAM available on the workstation running Qwiet. For large projects (e.g., those with over 500,000 lines of code), we ask for a minimum of 16 GB RAM.
After you set SL_CPG_OPTS, re-run the analysis and check the verbose log to make sure that the change is taking effect (ignore duplicate -Xms values):
[TRACE] args [/home/vsts/.shiftleft/jre/bin/java -Xms256m -Xms2g -Xmx6g -jar /home/vsts/.shiftleft/libplugin-latest.jar analyze /tmp/shiftleft-638314335/libplugin-state524922089 --]
...
[TRACE] args [/home/vsts/.shiftleft/jre/bin/java -Xms256m -Xms2g -Xmx6g -jar /home/vsts/.shiftleft/libplugin-latest.jar generate /tmp/shiftleft-638314335/libplugin-state524922089 --]
Both the libplugin analyze and generate steps should show the memory-related settings.
At the end of the log, you can also see memory usage information; in the example below, the analysis used 24 GB RAM:
2020-12-21 15:19:19.793 [javasrc2cpg-jvm-monitor] DEBUG Memory used/committed (MB): 18287 / 22905
2020-12-21 15:19:24.795 [javasrc2cpg-jvm-monitor] DEBUG Memory used/committed (MB): 19912 / 22905
2020-12-21 15:19:29.861 [javasrc2cpg-jvm-monitor] DEBUG Memory used/committed (MB): 2190 / 23290
2020-12-21 15:19:34.864 [javasrc2cpg-jvm-monitor] DEBUG Memory used/committed (MB): 3299 / 23290
2020-12-21 15:19:39.866 [javasrc2cpg-jvm-monitor] DEBUG Memory used/committed (MB): 4307 / 23290
2020-12-21 15:19:44.868 [javascr2cpg-jvm-monitor] DEBUG Memory used/committed (MB): 5508 / 23290
2020-12-21 15:19:49.875 [javasrc2cpg-jvm-monitor] DEBUG Memory used/committed (MB): 6794 / 23290
2020-12-21 15:19:54.877 [javasrc2cpg-jvm-monitor] DEBUG Memory used/committed (MB): 8082 / 23290
2020-12-21 15:19:59.879 [javasrc2cpg-jvm-monitor] DEBUG Memory used/committed (MB): 10082 / 23290
2020-12-21 15:20:04.881 [javasrc2cpg-jvm-monitor] DEBUG Memory used/committed (MB): 11237 / 23290