Deep Dive

Deep Dive is a static analysis tool for assessing JVM-based deployment units (EAR, WAR, JAR, APK). Deep Dive has many built-in features that search for code-quality and security issues. It is highly customizable, allowing the creation of custom rules without writing a single line of code. These rules can search for text within specific files or even for specific bytecode instructions. Additionally, Deep Dive's reporting features allow you to drill into any file in a deployment unit with the click of a link, and the reports can be exported to a file system. Deep Dive is a must-have for any web application security professional who is interested in white-box testing. Click here to see Deep Dive's analysis of OWASP's WebGoat project.

  1. This version of Deep Dive has a rich set of features but is not complete. Features to expect in the near future are:
    • Taint analysis
    • More web frameworks added to the tag analyzer (which checks for tags that do not output-encode)
  2. This version of Deep Dive is being made available prior to applying a licensing model. The current version has no license, but it will expire six months after October 19th, 2017. By then, a new version will replace it (hopefully with a licensing model).

Read the User Guide to find out more.

You can download Deep Dive here.