ScanSuite

(Optional) Compiling the code


Last updated 1 year ago

Some Java and C#/.NET scanners, such as CodeQL, FindSecBugs and Security Code Scan, need to build the code before analyzing it: CodeQL extracts its database while tracing the build, and FindSecBugs and Security Code Scan work on compiled bytecode or assemblies rather than on the source text. This can be challenging: the source code must be complete and build cleanly, and every dependency must either be available offline or be downloadable from an internal artifact repository (such as Artifactory) or from the Internet.

Ask the developers or your teammates how to obtain a compilable version of the code; the improvement in scan results is usually worth the extra mile.

Here we look at the case where Maven is used to build Java projects.

Maven, along with Gradle, Ant and a few other build systems, is supported by SAST scanners such as CodeQL and FindSecurityBugs. The scanner attempts to download the dependencies from the repositories referenced in pom.xml and then compiles the code for further analysis.

This works well when the dependency repository is reachable from the scanner and allows modules to be downloaded without authentication, for example a public repository on the Internet.

If this is not the case, download the dependencies beforehand and pass the cached modules along with the source code. Maven dependencies can be cached manually with the following command, executed from the source code folder (mvnw is the Maven wrapper script shipped with the project; if the project has none, use a locally installed mvn instead):

./mvnw dependency:go-offline

Maven downloads the dependencies and stores them under the ~/.m2 folder (by default in ~/.m2/repository):

The folders shown contain the downloaded modules, which can be provided to an offline ScanSuite installation. Copy them into the dependency folder of the source code and upload the code ZIP archive via the web interface as usual. Copy only the repository contents: ~/.m2/settings.xml may hold credentials for internal repositories and should not end up in the uploaded archive.
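The caching and packaging steps above as one script, added here as an example; it is not part of ScanSuite or its documentation. The maven.repo.local property, the -o (offline) switch and dependency:go-offline are real Maven features; the cache folder name .m2-cache, the archive name and the credential check are choices made here, not anything ScanSuite prescribes. Keeping the cache inside the source tree via maven.repo.local avoids copying from ~/.m2 by hand, the offline compile proves the cache is complete before the upload, and the check refuses to pack Maven settings files that may carry repository credentials.

```shell
#!/usr/bin/env bash
# Added example, not ScanSuite's own tooling: cache Maven dependencies into a
# folder inside the source tree, verify the cache with an offline build, then
# zip source plus cache for upload to an offline ScanSuite instance.
# Assumption: the cache folder ".m2-cache" and the archive name are arbitrary.
set -eu

# Prefer the project's Maven wrapper; fall back to a system mvn; fail if neither exists.
maven_cmd() {
  src="$1"
  if [ -x "$src/mvnw" ]; then
    echo "$src/mvnw"
  elif command -v mvn >/dev/null 2>&1; then
    echo mvn
  else
    echo "no mvnw in $src and no mvn on PATH" >&2
    return 1
  fi
}

# Resolve every plugin and dependency into a project-local repository.
# maven.repo.local redirects downloads away from the default ~/.m2/repository.
cache_deps() {
  src="$1"; cache="$2"
  mvn="$(maven_cmd "$src")"
  (cd "$src" && "$mvn" -B -Dmaven.repo.local="$cache" dependency:go-offline)
}

# Prove the cache is complete: compile with network access disabled (-o).
# go-offline does not resolve every plugin a later phase needs, so this catches gaps.
verify_offline() {
  src="$1"; cache="$2"
  mvn="$(maven_cmd "$src")"
  (cd "$src" && "$mvn" -B -o -Dmaven.repo.local="$cache" -DskipTests compile)
}

# Refuse to ship a cache that carries Maven settings files: settings.xml copied
# from ~/.m2 may hold Artifactory credentials, and the ZIP lands on the scanner host.
# Returns 0 if clean, 1 otherwise.
check_cache() {
  cache="$1"
  leaks=$(find "$cache" \( -name 'settings.xml' -o -name 'settings-security.xml' \) -print)
  if [ -n "$leaks" ]; then
    printf 'refusing to pack credential file(s):\n%s\n' "$leaks" >&2
    return 1
  fi
  return 0
}

# Count cached artifacts so an empty cache is noticed before the upload.
cache_artifact_count() {
  find "$1" \( -name '*.jar' -o -name '*.pom' \) -type f | wc -l | tr -d ' '
}

# Zip the source tree (cache included) for the ScanSuite web upload.
pack_for_upload() {
  src="$1"; archive="$2"
  (cd "$src/.." && zip -qr "$archive" "$(basename "$src")")
}

main() {
  src="${1:?usage: $0 <source-dir> [archive.zip]}"
  archive="${2:-$(basename "$src").zip}"
  cache="$src/.m2-cache"
  cache_deps "$src" "$cache"
  verify_offline "$src" "$cache"
  check_cache "$cache"
  echo "cached $(cache_artifact_count "$cache") artifacts"
  pack_for_upload "$src" "$archive"
  echo "ready to upload: $archive"
}

# Run the pipeline only when a source directory is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as `./cache-and-pack.sh /path/to/project` from a machine that can reach the dependency repository; the resulting ZIP contains the source and the .m2-cache folder. If verify_offline fails, the cache is missing an artifact that a plugin fetches lazily; add it (for example by running the failing goal once online with the same -Dmaven.repo.local) and rerun.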