Deep Dive

Deep Dive is a static analysis tool for assessing JVM-based deployment units (EAR, WAR, JAR and, in versions before 1.5.0-beta, APK). Deep Dive has many built-in features which search for code quality and security issues. It is highly customizable, allowing the creation of custom rules without writing a single line of code. Rules can search for text within specific files or even for specific byte code instructions. Additionally, Deep Dive's reporting features allow you to drill into any file in a deployment unit with the click of a link, and reports can be exported to the file system. Deep Dive is a must-have for any web application security professional interested in white-box analysis. Browse the following links to see Deep Dive's analysis of OWASP's WebGoat project.

Notes
  1. This version of Deep Dive has a rich set of features but is not yet complete. Features planned for the near future:
    • Taint analysis
    • More web frameworks added to the tag analyzer (checks for tags that do not output encode)

Read the User Guide to find out more.

You can download the Deep Dive version 1.5.0-beta here.

Release Notes

1.5.0-beta
  • Supports Java 9+.
  • Removed support for APK files (may be added back in the future).
1.4.12-beta
  • Fixed bugs in ClassMatcher functionality. Some types were not being converted to Java language types before comparison (e.g. comparing java/io/InputStream instead of java.io.InputStream), causing invalid search results.
1.4.11-beta
  • Fixed bugs in the application grepper: (1) it now finds multiple results in a single line of a text file; (2) it was not finding all results in case-sensitive mode.
1.4.10-beta
  • Added filtering functionality to allow only specified resources within a deployment unit to be processed.
1.4.9-beta
  • Added decompiler so .class results in reports can now display decompiled source code.
1.4.8-beta
  • Fixed bug in path processing functionality when generating in-memory report (no HTML report to disk).
1.4.7-beta
  • Cosmetic changes.
1.4.6-beta
  • Optimized memory usage.
1.4.5-beta
  • Added more documentation on custom analyzers.
  • Added third-party (custom) analyzer example project to distribution.
  • Fixed byte code grep case sensitivity issue (caused by errors in the fixes for 1.4.4-beta).
  • Fixed bug in Performance Data functionality causing a ConcurrentModificationException.
  • Fixed bug in generating reports for an unknown jar (the non-JEE issue mentioned in the 1.4.4-beta release notes).
1.4.4-beta
  • Fixed case sensitivity issue while searching text files.
  • Fixed non-class file grepping issue, where not all non-class files were processed.
  • Added functionality to process jars found in non-JEE locations (e.g. the JEE specification says nothing about a jar within a jar; Deep Dive now processes these inner jars).
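
The 1.4.12-beta and 1.4.4-beta notes above touch two things a byte code matcher has to get right: JVM internal names and descriptors (java/io/InputStream, [B, (ILjava/lang/String;)V) must be normalized to Java language names before they are compared with a rule, and library jars can be nested inside other jars in places the JEE specification does not describe. The Python below is an added example written for this page, not Deep Dive's own code (which is not published here). It converts descriptors to Java language types and compares them only after normalization, then walks a constructed in-memory WAR (a jar in WEB-INF/lib that itself embeds another jar) and reports every class it finds with the archive path it came from. The WEB-INF/classes prefix handling and the `!/` path separator are this example's conventions, not Deep Dive's.

```python
"""Descriptor normalization plus nested-jar walking (added example, not Deep Dive code)."""
import io
import zipfile
from typing import Dict, Iterator, List, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
WAR_CLASSES_PREFIX = "WEB-INF/classes/"   # JEE-specified class location inside a WAR

# JVM field-descriptor codes for primitive types (JVMS section 4.3.2).
PRIMITIVES = {"B": "byte", "C": "char", "D": "double", "F": "float",
              "I": "int", "J": "long", "S": "short", "Z": "boolean", "V": "void"}


def internal_to_language(name: str) -> str:
    """'java/io/InputStream' -> 'java.io.InputStream' (inner-class '$' is left alone)."""
    return name.replace("/", ".")


def descriptor_to_language(desc: str) -> str:
    """One field descriptor -> Java language type: 'Ljava/io/InputStream;' -> 'java.io.InputStream',
    '[[B' -> 'byte[][]'."""
    dims = 0
    while desc.startswith("["):
        dims += 1
        desc = desc[1:]
    if desc in PRIMITIVES:
        base = PRIMITIVES[desc]
    elif desc.startswith("L") and desc.endswith(";"):
        base = internal_to_language(desc[1:-1])
    else:
        raise ValueError(f"malformed descriptor: {desc!r}")
    return base + "[]" * dims


def method_descriptor_to_language(desc: str) -> Tuple[List[str], str]:
    """'(ILjava/lang/String;[B)V' -> (['int', 'java.lang.String', 'byte[]'], 'void')."""
    if not desc.startswith("(") or ")" not in desc:
        raise ValueError(f"malformed method descriptor: {desc!r}")
    close = desc.index(")")
    body, params, i = desc[1:close], [], 0
    while i < len(body):
        start = i
        while body[i] == "[":          # array dimensions
            i += 1
        if body[i] == "L":             # object type runs to the next ';'
            i = body.index(";", i) + 1
        else:                          # single-letter primitive
            i += 1
        params.append(descriptor_to_language(body[start:i]))
    return params, descriptor_to_language(desc[close + 1:])


def type_matches(descriptor: str, wanted_language_type: str) -> bool:
    """The 1.4.12 class of bug: compare only after both sides are in Java language form."""
    return descriptor_to_language(descriptor) == wanted_language_type.strip()


def walk_classes(data: bytes, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (archive_path, class_name) for every .class entry, descending into nested jars
    wherever they sit, not only in JEE-specified locations."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.endswith(".class"):
                if path.lower().endswith(".war") and name.startswith(WAR_CLASSES_PREFIX):
                    name = name[len(WAR_CLASSES_PREFIX):]
                yield path, internal_to_language(name[:-len(".class")])
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from walk_classes(zf.read(info), f"{path}!/{name}")


def _jar(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed sample input: a WAR whose library jar embeds a further jar (non-JEE location).
    The class bodies are just the 0xCAFEBABE magic; only entry names matter here."""
    magic = b"\xca\xfe\xba\xbe"
    inner = _jar({"com/example/inner/Util.class": magic})
    lib = _jar({"com/example/lib/Client.class": magic, "lib/inner.jar": inner})
    return _jar({"WEB-INF/classes/com/example/web/Servlet.class": magic,
                 "WEB-INF/lib/lib.jar": lib,
                 "WEB-INF/web.xml": b"<web-app/>"})


def sample_class_list() -> List[Tuple[str, str]]:
    return sorted(walk_classes(build_sample_war(), "app.war"))


if __name__ == "__main__":
    for archive, cls in sample_class_list():
        print(f"{archive}: {cls}")
    print(type_matches("Ljava/io/InputStream;", "java.io.InputStream"))
```

Running the block lists com.example.web.Servlet from app.war, com.example.lib.Client from app.war!/WEB-INF/lib/lib.jar, and com.example.inner.Util from the jar nested inside that jar; a walker that stopped at WEB-INF/lib would never see the third class, which is the gap the 1.4.4-beta note describes.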