Deep Dive

Deep Dive is a static analysis tool for assessing JVM-based deployment units (Ear, War, Jar, APK). Deep Dive has many built-in analyzers that search for code quality and security issues. It is highly customizable: custom rules can be created without writing a single line of code, and these rules include searching for text within specific files or even searching for specific byte code instructions. Additionally, Deep Dive's reporting features let you drill into any file of a deployment unit with the click of a link, and these reports can be exported to the file system. Deep Dive is a must-have for any web application security professional who is interested in white-box analysis. Browse the following links to see Deep Dive's analysis of OWASP's WebGoat project.

This version of Deep Dive has a rich set of features, but is not complete. Features to expect in the near future are:
    • Taint analysis (this is now a separate tool - see Sink Tank)
    • More web frameworks added to the tag analyzer (checks for tags that do not output encode)

Read the User Guide to find out more.

You can download the Deep Dive version 1.5.11-beta here.

Release Notes

  • Fixed issue in analyzers processing classes with a null class name.
  • Fixed bug in APK processing related to returning null instead of zero-length array.
  • Fixed more bugs related to new dex2jar code integration.
  • Fixed bug in Deep Dive that was causing APK class files to be processed twice.
  • Fixed more bugs in dex2jar source code.
  • Fixed bugs in dex2jar source code.
  • Added APK functionality back in.
  • Fixed application grepper issue with locking files.
  • Removed expiry functionality
  • Handled NullPointerExceptions caused by decompiler.
  • Fixed decompiler preferences inconsistency.
  • Fixed NullPointerExceptions caused by missing files in deployment units (e.g. web.xml in .war, application.xml in ear)
  • Removed expiry date time limits
  • Fixed linking issue with hyperlinked results
  • Supports Java 11
  • Fixed Java version related bugs.
  • Supports Java 9+.
  • Removed support for APK files (may be added back in the future).
  • Fixed bugs in ClassMatcher functionality. Some types were not getting converted to Java language types before comparison (i.e. the internal name java/io/InputStream was being compared instead of the Java language type name), causing invalid search results.
  • Fixed bugs in application grepper: (1) it now finds multiple results in a single line of a text file; (2) it wasn't finding all results when in case-sensitive mode.
  • Added filtering functionality to allow only specified resources with a deployment unit to be processed.
  • Added decompiler so .class results in reports can now display decompiled source code.
  • Fixed bug in path processing functionality when generating in-memory report (no HTML report to disk).
  • Cosmetic changes.
  • Optimized memory usage.
  • Added more documentation on custom analyzers.
  • Added third-party (custom) analyzer example project to distribution.
  • Fixed byte code grep case sensitivity issue (caused by errors in the fixes for 1.4.4-beta).
  • Fixed bug in Performance Data functionality causing ConcurrentModificationException.
  • Fixed bug in generating reports for unknown jar (non-JEE issue mentioned in 1.4.4-beta release notes).
  • Fixed case sensitivity issue while searching text files.
  • Fixed non-class file grepping issue, where not all non-class files were processed.
  • Added functionality to process jars found in non-JEE locations (the JEE specifications do not define how to locate a jar nested inside another jar; Deep Dive now processes these inner jars).
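The text-search rules described in the introduction, together with the grepper and nested-jar behaviour listed in the release notes (every match on a line is reported, case-sensitive mode finds all results, and jars nested inside jars are descended into), can be illustrated with a small stand-alone grepper. This is an added example written for this page, not Deep Dive's own code or rule format; it assumes that nested archives and text files are recognised by file suffix, and the sample .war it scans is constructed in memory.

```python
import io
import re
import zipfile

# Assumption: nested deployment units and text resources are recognised by suffix.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
TEXT_SUFFIXES = (".xml", ".properties", ".jsp", ".txt", ".html")


def grep_deployment_unit(archive_bytes, pattern, case_sensitive=True, prefix=""):
    """Search text resources inside a zip-based deployment unit.

    Returns a list of (path, line_number, column, matched_text) tuples.
    Nested archives are descended into and their entries are reported with a
    "outer.jar!/inner" style path.  `pattern` is a regular expression.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    regex = re.compile(pattern, flags)
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            data = zf.read(info)
            name = info.filename.lower()
            if name.endswith(ARCHIVE_SUFFIXES):
                # A jar inside the archive: recurse so inner resources are scanned too.
                hits.extend(grep_deployment_unit(data, pattern, case_sensitive, path + "!/"))
            elif name.endswith(TEXT_SUFFIXES):
                text = data.decode("utf-8", errors="replace")
                for line_no, line in enumerate(text.splitlines(), start=1):
                    # finditer yields every match on the line, not only the first one.
                    for m in regex.finditer(line):
                        hits.append((path, line_no, m.start() + 1, m.group(0)))
    return hits


def _zip_bytes(entries):
    """Build an in-memory zip from {name: bytes} and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample .war: a web.xml plus a library jar that itself contains a jar."""
    web_xml = "\n".join([
        '<?xml version="1.0"?>',
        "<web-app>",
        "  <context-param>",
        "    <param-name>credentials</param-name>",
        "    <param-value>password=secret; PASSWORD=secret2</param-value>",
        "  </context-param>",
        "</web-app>",
    ])
    inner_jar = _zip_bytes({"notes.txt": "Rotate the service password quarterly.\n"})
    util_jar = _zip_bytes({
        "config.properties": "db.user=app\ndb.password=hunter2\n",
        "inner.jar": inner_jar,  # jar nested inside a jar
    })
    return _zip_bytes({
        "WEB-INF/web.xml": web_xml,
        "WEB-INF/lib/util.jar": util_jar,
    })


if __name__ == "__main__":
    war = build_sample_war()
    for mode in (True, False):
        print("case-sensitive" if mode else "case-insensitive")
        for path, line_no, col, text in grep_deployment_unit(war, "password", mode):
            print(f"  {path}:{line_no}:{col}: {text}")
```

Running the block prints three hits in case-sensitive mode and four in case-insensitive mode; the extra hit is the second, upper-case occurrence on the same web.xml line, which a grepper that stops after the first match per line would miss. Paths such as `WEB-INF/lib/util.jar!/inner.jar!/notes.txt` show the result coming from a jar nested two levels deep.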