Java

ShiftLeft products support applications written in Java 7+.

ShiftLeft Inspect for Java

ShiftLeft Inspect's Java code analysis is performed on compiled application bytecode (not source code). As such, you must successfully build your application using a supported build tool before you analyze your application using ShiftLeft Inspect.

Component           Requirement
System              Linux, MacOS X, Windows
Application Type    Java 7 through Java 11. To verify that you are running a supported Java version, use the java -version command.
Build environment   Linux or Mac with Java 8 installed locally and with 16GB of memory available.

Analysis should be performed for each code commit or build of the application. You can automate analysis submissions using your preferred CI/CD system.

After installing the ShiftLeft Command Line Interface (CLI) and authenticating, use the following command to analyze your Java application with ShiftLeft Inspect:

sl analyze --app <name> --java [<path>]

where:

--app <name>    the name of the application to analyze

--java          identifies the application's language as Java

<path>          the location of the JAR or WAR file to analyze
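The build-then-analyze step above, as it would be wired into a CI job. This is an added example, not ShiftLeft's own tooling: it assumes a Maven project whose artifact lands in target/, the 7 to 11 Java range from the table above, and an installed, already authenticated sl CLI. The script refuses to run the analysis when the local Java is outside the supported range and skips the sources, javadoc and Spring Boot original-*.jar artifacts that also appear in target/.

```shell
#!/usr/bin/env bash
# Added example (not ShiftLeft's own tooling): a CI build-and-analyze step for a
# Maven project. Assumptions: the project builds with `mvn package`, the archive
# lands in target/, and the `sl` CLI is installed and already authenticated.
set -e

# Extract the version string printed by `java -version`, e.g. 1.8.0_292 or 11.0.2.
java_version_string() {
  java -version 2>&1 | head -n1 | sed 's/.*version "\([^"]*\)".*/\1/'
}

# Map a version string to its major number: 1.8.0_292 -> 8, 11.0.2 -> 11, 17.0.1 -> 17.
java_major_version() {
  case "$1" in
    1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
    *)   printf '%s\n' "$1" | cut -d. -f1 ;;
  esac
}

# ShiftLeft Inspect analyzes Java 7 through Java 11 bytecode (see the table above).
java_supported_for_inspect() {
  major=$(java_major_version "$1")
  [ "$major" -ge 7 ] && [ "$major" -le 11 ]
}

# Pick the deployable archive out of a build directory, skipping the sources and
# javadoc jars and the original-*.jar that Spring Boot repackaging leaves behind.
find_artifact() {
  dir=$1
  for f in "$dir"/*.jar "$dir"/*.war; do
    [ -e "$f" ] || continue
    case "$(basename "$f")" in
      *-sources.jar|*-javadoc.jar|original-*.jar) continue ;;
    esac
    printf '%s\n' "$f"
    return 0
  done
  echo "no JAR or WAR found in $dir" >&2
  return 1
}

# Build, then submit the resulting archive to ShiftLeft Inspect.
build_and_analyze() {
  app_name=$1
  project_dir=${2:-.}

  ver=$(java_version_string)
  if ! java_supported_for_inspect "$ver"; then
    echo "Java $ver is outside the supported 7-11 range" >&2
    return 1
  fi

  (cd "$project_dir" && mvn -q -DskipTests package)
  artifact=$(find_artifact "$project_dir/target")
  sl analyze --app "$app_name" --java "$artifact"
}

# Only run the pipeline step when explicitly asked (RUN_SL_ANALYZE=1 <app> [dir]);
# otherwise the file just defines the functions above.
if [ "${RUN_SL_ANALYZE:-0}" = "1" ]; then
  build_and_analyze "$@"
fi
```

Invoke it from the CI job as RUN_SL_ANALYZE=1 ./analyze.sh my-app . after the checkout step; the Java range check runs before the build so a misconfigured runner fails fast rather than after a full compile.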

Next Steps

Analyze Applications

Identify Branch Names

Fail a Build Based on Analysis Results

ShiftLeft Ocular for Java

ShiftLeft Ocular examines and investigates compiled application bytecode (not source code). For Java applications this means you must successfully build your application using a supported build tool beforehand.

After installing the ShiftLeft Command Line Interface (CLI), authenticating and starting ShiftLeft Ocular, you can create a Code Property Graph (CPG). ShiftLeft Ocular performs a smart inspection of the input file(s) to separate application code from dependencies, so that the CPG contains the application code but not the code of its libraries. Before creating the CPG, identify which parts of the archive are your application code and which are dependencies, so that you know which parts of your application will be modelled. You can then decide whether to include specific objects in the CPG.

You create the Code Property Graph (CPG) for your Java application using

ocular> createCpg(<inputPaths>)

where <inputPaths> is the path of the target application; multiple paths are separated by commas. For Java, the path is the archive (JAR, WAR or EAR file). For example, createCpg("subjects/hello-shiftleft-0.0.1-SNAPSHOT.jar").
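Identifying application code versus dependencies before calling createCpg, as an added example that is not part of ShiftLeft Ocular: the script below inventories an archive, counts classes per top-level package (so your own packages stand out from bundled framework classes) and lists the dependency jars embedded under BOOT-INF/lib or WEB-INF/lib. It assumes unzip or the JDK's jar tool is on the PATH; the archive name in the usage comment is the one from the page.

```shell
#!/usr/bin/env bash
# Added example, not part of ShiftLeft Ocular: inventory what an archive actually
# contains before calling createCpg, so you know which packages are your own code
# and which libraries are bundled. Assumes `unzip` (or the JDK's `jar`) is installed.

# List every entry in a JAR/WAR/EAR, one path per line.
list_archive_entries() {
  unzip -Z1 "$1" 2>/dev/null || jar tf "$1"
}

# Count .class files per top-level package (first two path segments), stripping the
# BOOT-INF/classes/ and WEB-INF/classes/ prefixes used by Spring Boot jars and WARs.
# Reads entries on stdin, prints "<count> <package>" sorted by count, descending.
class_packages() {
  awk '
    /\.class$/ {
      p = $0
      sub(/^(BOOT-INF|WEB-INF)\/classes\//, "", p)
      n = split(p, seg, "/")
      if (n >= 3)      pkg = seg[1] "/" seg[2]
      else if (n == 2) pkg = seg[1]
      else             pkg = "(default package)"
      count[pkg]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
  ' | sort -rn
}

# List library jars bundled inside the archive (BOOT-INF/lib or WEB-INF/lib).
embedded_libraries() {
  awk '/^(BOOT-INF|WEB-INF)\/lib\/.*\.jar$/ { n = split($0, seg, "/"); print seg[n] }' | sort
}

# Human-readable report for one archive.
inventory_archive() {
  entries=$(list_archive_entries "$1")
  echo "== classes per package in $1"
  printf '%s\n' "$entries" | class_packages
  echo "== bundled dependency jars"
  printf '%s\n' "$entries" | embedded_libraries
}

# Usage: ./inventory.sh subjects/hello-shiftleft-0.0.1-SNAPSHOT.jar
if [ "$#" -gt 0 ]; then
  inventory_archive "$1"
fi
```

Packages with many classes that you do not recognise (for example org/springframework in a Spring Boot fat jar) are the ones ShiftLeft Ocular's smart inspection should classify as dependencies; the report lets you confirm that before deciding what to include in the CPG.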

For more information, including additional options, refer to the article Creating the CPG.

Next Steps

Generate the Security Profile

Investigate Java Vulnerable Lab

Examine a Java Application for Deserialization Sinks

ShiftLeft Protect for Java

ShiftLeft Protect requires a supported 64-bit Java Runtime Environment (JRE). The Microagent's memory footprint is minimal (~50MB). ShiftLeft Protect must be able to download data from, and push metrics to, the ShiftLeft Proxy server over the specified port. If a firewall is in place, allow outbound connections from the application host to the ShiftLeft Proxy on the specified TCP port.

Component   Requirement
System      Linux, MacOS X, Windows
JVM         64-bit JRE version 7 or higher. To verify that you are running a supported 64-bit JRE, use the java -version command.

After installing the ShiftLeft Command Line Interface (CLI) and authenticating, use the following command to monitor and protect your Java application with ShiftLeft Protect:

sl run --app <name> --java

where:

--app <name>    your application's unique name

--java          identifies the application's language as Java
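A pre-flight check for the two requirements above (a 64-bit JRE and TCP reachability of the ShiftLeft Proxy), as an added example that is not ShiftLeft's own code. The proxy host and port in the usage comment are placeholders to replace with the values from your own ShiftLeft configuration; the check reads the java -version banner and attempts a plain TCP connection, using nc where available and bash's /dev/tcp otherwise.

```shell
#!/usr/bin/env bash
# Added example, not ShiftLeft's own code: pre-flight checks before starting an
# application under ShiftLeft Protect. The proxy host and port are placeholders;
# substitute the values from your ShiftLeft configuration.

# True when the `java -version` banner (read from stdin) describes a 64-bit VM,
# e.g. "OpenJDK 64-Bit Server VM"; a "Client VM" banner is a 32-bit JRE.
jre_is_64bit() {
  grep -q '64-Bit'
}

# True when a TCP connection to host:port succeeds. Uses nc when present, otherwise
# bash's /dev/tcp pseudo-device (bash only; no timeout control in that path).
tcp_reachable() {
  host=$1; port=$2
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$host" "$port" >/dev/null 2>&1
  else
    (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null
  fi
}

# Run both checks; print the reason on failure so the firewall or JRE can be fixed
# before the Microagent is started.
preflight() {
  proxy_host=$1; proxy_port=$2
  if ! java -version 2>&1 | jre_is_64bit; then
    echo "ShiftLeft Protect needs a 64-bit JRE; found:" >&2
    java -version >&2
    return 1
  fi
  if ! tcp_reachable "$proxy_host" "$proxy_port"; then
    echo "cannot reach the ShiftLeft Proxy at $proxy_host:$proxy_port; allow egress on TCP/$proxy_port" >&2
    return 1
  fi
  echo "preflight OK: 64-bit JRE and proxy $proxy_host:$proxy_port reachable"
}

# Example sequence (placeholder host/port), followed by the page's run command:
#   preflight proxy.example.internal 443 && sl run --app my-app --java
```

Running the reachability check from the application host itself matters: a firewall rule that permits the CI runner but not the production node is exactly the case this catches.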

Next Steps

Secure Your Applications Using ShiftLeft Protect

Run ShiftLeft Protect

ShiftLeft Protect for Java