Deep Dive

Deep Dive is a static analysis tool for assessing JVM-based deployment units (Ear, War, Jar, APK). Deep Dive has many built-in features that search for code quality and security issues. It is highly customizable, allowing the creation of custom rules without writing a single line of code. Rules can search for text within specific files or even for specific bytecode instructions. Additionally, Deep Dive's reporting features allow you to drill into any file in a deployment unit with the click of a link, and reports can be exported to the file system. Deep Dive is a must-have for any web application security professional who is interested in white-box testing. Click here to see Deep Dive's analysis of OWASP's WebGoat project.

  1. This version of Deep Dive has a rich set of features, but is not complete. Features to expect in the near future are:
    • Taint analysis
    • More web frameworks added to the tag analyzer (checks for tags that do not output-encode)
  2. The current version of Deep Dive is being made available prior to applying a licensing model. Until a model is established, each version has no license (which means you may use it as you like) but will expire six months from its date of release.

Read the User Guide to find out more.

You can download the Deep Dive here.