Deep Dive

Deep Dive is a static analysis tool for assessing JVM-based deployment units (Ear, War, Jar, APK). Deep Dive has many built-in features that search for code quality and security issues. It is highly customizable, allowing the creation of custom rules without writing a single line of code. These rules can search for text within specific files or even for specific byte code instructions. Additionally, Deep Dive's reporting features allow you to drill into any deployment unit file with the click of a link, and Deep Dive can export these reports to a file system. Deep Dive is a must-have for any web application security professional who is interested in white-box analysis. Browse the following links to see Deep Dive's analysis of OWASP's WebGoat project.

Notes
  1. This version of Deep Dive has a rich set of features, but is not complete. Features to expect in the near future are:
    • Taint analysis
    • More web frameworks added to the tag analyzer (checks for tags that do not output encode)

Read the User Guide to find out more.

You can download the Deep Dive version 1.4.6-beta here.

Release Notes

1.4.6-beta
  • Optimized memory usage.
1.4.5-beta
  • Added more documentation on custom analyzers.
  • Added third-party (custom) analyzer example project to distribution.
  • Fixed byte code grep case sensitivity issue (caused by errors in the fixes for 1.4.4-beta).
  • Fixed bug in Performance Data functionality causing ConcurrentModificationException.
  • Fixed bug in generating reports for unknown jar (non-JEE issue mentioned in 1.4.4-beta release notes).
1.4.4-beta
  • Fixed case sensitivity issue while searching text files.
  • Fixed non-class file grepping issue, where not all non-class files were processed.
  • Added functionality to process jars found in non-JEE locations (e.g. JEE has no specification for locating a jar nested within another jar; Deep Dive will now process these inner jars).