Java White-Box Static Code Analysis: Overview, Tool Evaluation, and Selection
This article introduces the importance of source code security scanning in CI/CD pipelines, explains static application security testing (SAST), compares major commercial and open-source Java analysis tools, and presents the selection criteria and conclusions that guided 58 Group's Java white-box scanning solution.
Background: source code security detection is a crucial part of the Secure Development Lifecycle (SDL). In 58 Group's CI/CD pipeline thousands of builds run every day, so white-box analysis must be automated and must fit the enterprise build workflow rather than a developer's desktop.
This first article of the “58 White-Box Scanning Journey” series focuses on the technology selection process for Java static analysis, reviewing both commercial and open-source solutions.
SAST Overview – Static Application Security Testing analyzes source, bytecode, or binaries without executing the program, enabling early detection of coding errors, security flaws, and undefined behavior.
Commercial Products – Coverity, Fortify, and Checkmarx are the leading vendors. Their strengths are deep analysis engines and strong support teams; their weaknesses are limited rule customization, high licensing costs, and friction when integrating into CI/CD pipelines.
Practical issues met with Coverity: the analysis depends on a local compilation environment (the build must be captured on the scanning host), macOS support lagged behind other platforms, and security findings and general code-quality defects are reported together, which makes triage harder for a security team.
Open-Source Projects – FlowDroid, ErrorProne, Infer, Soot, and PMD are examined.
FlowDroid is an Android-focused taint-analysis framework built on Soot; usage consists of downloading the command-line JAR and invoking it with the APK, the Android platforms directory, and a sources/sinks definition file:

# -a: APK to analyze; -p: Android platforms directory; -s: sources/sinks definition file
# -al: maximum access-path length; -mc / -md: maximum callbacks per component / callback depth
java -jar soot-infoflow-cmd-jar-with-dependencies.jar \
  -al 500 -mc 500 -md 500 \
  -a <apk> \
  -p <android-platforms-dir> \
  -s <SourcesAndSinks.txt>

ErrorProne, developed by Google, plugs into javac as a compiler plugin: checks at ERROR severity fail the compilation, while individual checks can be downgraded or disabled with -Xep flags (the configuration below turns DeadException into a warning and switches GuardedBy off). A typical Maven configuration for a JDK 8 build is shown:
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-compiler-plugin</artifactId>
  <version>3.8.0</version>
  <configuration>
    <source>1.8</source>
    <target>1.8</target>
    <encoding>UTF-8</encoding>
    <fork>true</fork>
    <compilerArgs combine.children="append">
      <arg>-XDcompilePolicy=simple</arg>
      <arg>-Xplugin:ErrorProne -Xep:DeadException:WARN -Xep:GuardedBy:OFF</arg>
      <!-- JDK 8 only: Error Prone needs the newer javac placed on the boot classpath of the forked compiler -->
      <arg>-J-Xbootclasspath/p:${settings.localRepository}/com/google/errorprone/javac/9+181-r4173-1/javac-9+181-r4173-1.jar</arg>
    </compilerArgs>
    <annotationProcessorPaths>
      <path>
        <groupId>com.google.errorprone</groupId>
        <artifactId>error_prone_core</artifactId>
        <version>2.4.0</version>
      </path>
    </annotationProcessorPaths>
  </configuration>
</plugin>

Infer, from Facebook, supports multiple languages and build systems; it captures the build by wrapping the build command, so a typical clean-and-scan invocation is:
# Clean the project first so Infer sees every compilation unit, then let it capture the Maven build
mvn clean && infer -- mvn package

Soot provides several intermediate representations (Baf, Jimple, Shimple, Grimple) for Java bytecode analysis. Example environment variables and analysis command:
export SOOT_PATH=/path/to/soot/soot-4.2.1-jar-with-dependencies.jar
export SOOT_CLASS_PATH=/path1/jar1.jar:/path2/jar2.jar
# -pp prepends the given classpath to Soot's default one; rt.jar exists only on JDK 8 and earlier
java -cp $SOOT_PATH soot.Main -pp -cp .:$JAVA_HOME/jre/lib/rt.jar:$SOOT_CLASS_PATH org.packageName.MainClassName

PMD is a multi-language static analyzer (Java, JavaScript, Apex and others) driven by XML rule sets. Execution against a project directory with a custom rule set:
# -d: source directory; -R: rule set XML; -f: report format
./run.sh pmd -d /path/to/project -R /path/to/ruleset.xml -f text

CodeQL – developed by Semmle and now owned by GitHub, CodeQL extracts the program into a relational CodeQL database and queries it with the QL language. It offers powerful cross-file data-flow analysis, and its query libraries are open source, but the extractors and query engine are closed source and the license only permits free use on open-source code, so it cannot be dropped into an internal enterprise CI/CD pipeline without a commercial license.
Selection Conclusion – After evaluating the tools above, the team concluded that CodeQL represents the state of the art in SAST design, but its licensing restrictions rule out direct CI/CD use on proprietary code. Consequently, 58 Group decided to build a custom solution on Spoon (an open-source library that parses Java source into a full AST model) combined with a proprietary cross-file analysis layer, with the overall design inspired by CodeQL.
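As an added illustration of the Spoon-based approach named in the conclusion (example code written for this edit, not 58 Group's scanner), the checker below parses a constructed sample class with Spoon's `Launcher.parseClass`, walks every method invocation, and reports sink calls whose argument can be traced, within the same method, back to a method parameter. The sink list (`Runtime.exec`, `Statement.executeQuery`, `Statement.execute`), the sample `Orders` class, and the taint rules (parameters are tainted; string concatenation and local-variable initializers propagate taint; literals are clean) are assumptions of the example. It needs `fr.inria.gforge.spoon:spoon-core` on the classpath and Java 11 or later, and relies on Spoon resolving JDK types even in no-classpath mode, which it does by default. It is deliberately intra-procedural: the cross-method, cross-file propagation that the team's proprietary layer adds on top of Spoon is exactly what this baseline lacks.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import spoon.Launcher;
import spoon.reflect.code.CtBinaryOperator;
import spoon.reflect.code.CtExpression;
import spoon.reflect.code.CtInvocation;
import spoon.reflect.code.CtLiteral;
import spoon.reflect.code.CtLocalVariable;
import spoon.reflect.code.CtVariableRead;
import spoon.reflect.declaration.CtClass;
import spoon.reflect.declaration.CtMethod;
import spoon.reflect.declaration.CtParameter;
import spoon.reflect.declaration.CtVariable;
import spoon.reflect.reference.CtExecutableReference;
import spoon.reflect.reference.CtTypeReference;
import spoon.reflect.visitor.filter.TypeFilter;

/** Illustrative intra-procedural sink checker on top of Spoon (example code, not 58 Group's scanner). */
public class SpoonSinkChecker {

    // Assumed sink list, keyed "declaringType#method". A real scanner would load this from a rule file.
    static final Set<String> SINKS = Set.of(
            "java.lang.Runtime#exec",
            "java.sql.Statement#executeQuery",
            "java.sql.Statement#execute");

    // Constructed sample input: the class under analysis is embedded as a string so the example runs offline.
    static final String SAMPLE = String.join("\n",
            "class Orders {",
            "  java.sql.Connection conn;",
            "  void byId(String id) throws Exception {",
            "    String q = \"SELECT * FROM orders WHERE id = \" + id;", // parameter reaches the sink via a local
            "    conn.createStatement().executeQuery(q);",
            "  }",
            "  void all() throws Exception {",
            "    String q = \"SELECT * FROM orders\";",                   // literal only: must not be reported
            "    conn.createStatement().executeQuery(q);",
            "  }",
            "  void ping(String host) throws Exception {",
            "    Runtime.getRuntime().exec(\"ping -c 1 \" + host);",       // parameter reaches the sink via concatenation
            "  }",
            "}");

    public static void main(String[] args) {
        // parseClass builds the model in no-classpath mode; JDK types still resolve, which the sink match relies on.
        CtClass<?> cls = Launcher.parseClass(SAMPLE);
        for (String finding : findSinksFedByParameters(cls)) {
            System.out.println(finding);
        }
    }

    /** Every sink invocation in the class whose argument carries data from a parameter of the enclosing method. */
    static List<String> findSinksFedByParameters(CtClass<?> cls) {
        List<String> findings = new ArrayList<>();
        for (CtInvocation<?> inv : cls.getElements(new TypeFilter<>(CtInvocation.class))) {
            if (!isSink(inv.getExecutable())) {
                continue;
            }
            for (CtExpression<?> arg : inv.getArguments()) {
                if (isTainted(arg)) {
                    CtMethod<?> method = inv.getParent(CtMethod.class);
                    findings.add(method.getSimpleName() + ": " + inv.getExecutable().getSimpleName()
                            + "() receives method-parameter data: " + arg);
                }
            }
        }
        return findings;
    }

    static boolean isSink(CtExecutableReference<?> exec) {
        CtTypeReference<?> owner = exec.getDeclaringType();
        // An unresolved receiver has no declaring type in no-classpath mode; such calls are not matched as sinks.
        return owner != null && SINKS.contains(owner.getQualifiedName() + "#" + exec.getSimpleName());
    }

    // Taint rules of this example: a method parameter is tainted; string concatenation is tainted if either
    // side is; a local-variable read inherits the taint of its initializer; literals and anything else are clean.
    // Flow-insensitive and intra-procedural: reassignments and calls into other methods are not followed.
    static boolean isTainted(CtExpression<?> e) {
        if (e instanceof CtLiteral) {
            return false;
        }
        if (e instanceof CtBinaryOperator) {
            CtBinaryOperator<?> op = (CtBinaryOperator<?>) e;
            return isTainted(op.getLeftHandOperand()) || isTainted(op.getRightHandOperand());
        }
        if (e instanceof CtVariableRead) {
            CtVariable<?> decl = ((CtVariableRead<?>) e).getVariable().getDeclaration();
            if (decl instanceof CtParameter) {
                return true;
            }
            if (decl instanceof CtLocalVariable) {
                CtExpression<?> init = ((CtLocalVariable<?>) decl).getDefaultExpression();
                return init != null && isTainted(init);
            }
        }
        return false;
    }
}
```

The design choice worth noting is what `isTainted` does not do: it stops at the method boundary. Making it follow `id` into a helper in another class means resolving `inv.getExecutable().getDeclaration()` to the callee, mapping the tainted argument onto the callee's parameter, and continuing from there, while keeping a worklist and a visited set so recursion terminates. That inter-procedural, cross-file step, plus a proper source list instead of "every parameter", is the work a CodeQL-style data-flow engine does for you and the part 58's team had to build themselves.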
Future articles will dive deeper into SAST technical principles and detail the learning process of 58’s security team with CodeQL.
58 Tech
Official tech channel of 58, a platform for tech innovation, sharing, and communication.