
java-bytecode-auditor — static scanner for .class/.jar. Detects Runtime.exec/ProcessBuilder, URLClassLoader, unsafe deserialization (ObjectInputStream/XMLDecoder), and weak TLS (X509TrustManager/HostnameVerifier). Outputs SARIF 2.1.0 and CycloneDX SBOM for CI.


Wythwool/java-bytecode-auditor


java-bytecode-auditor — JAR/.class security scanner (SARIF + SBOM)

Scans Java bytecode for risky patterns: Runtime.exec and ProcessBuilder (command execution), URLClassLoader (dynamic code loading), unsafe deserialization (ObjectInputStream, XMLDecoder), and weak TLS (custom X509TrustManager / HostnameVerifier implementations). Outputs SARIF v2.1.0 and a lightweight CycloneDX SBOM.

Build

./gradlew build    # or: gradle build

Run

# scan a jar, write SARIF + SBOM, and fail the run when a HIGH-severity finding is reported
java -jar build/libs/java-bytecode-auditor-all.jar scan target.jar --json out.sarif --sbom sbom.json --fail-on HIGH

# scan a directory (recursively)
java -jar build/libs/java-bytecode-auditor-all.jar scan path/to/classes --recursive

The tool is read-only: it inspects bytecode statically with ASM and never loads or executes the classes it scans. Minimal, fast, CI-friendly.
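To show what a static ASM pass over bytecode looks like for the pattern families listed above, here is an added example. It is not the project's code: the class name RiskySinkScanner, the rule set in SINKS, the "empty body or return true" heuristic for checkServerTrusted/verify, and the non-zero exit on any finding are this example's own choices, and it assumes org.ow2.asm:asm 9.x on the classpath. It walks a .class file, every class entry of a .jar, or a directory recursively, and reports call sites into the listed sinks plus trivially permissive TLS callbacks, without ever loading the scanned classes.

```java
// Added example, not the project's code. Needs org.ow2.asm:asm (9.x) on the classpath.
import org.objectweb.asm.*;
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;
import java.util.stream.Stream;

public final class RiskySinkScanner extends ClassVisitor {

    // Call sites to flag, keyed "internal/owner/Name.method" (hypothetical rule set).
    private static final Set<String> SINKS = Set.of(
        "java/lang/Runtime.exec", "java/lang/ProcessBuilder.<init>", "java/lang/ProcessBuilder.start",
        "java/net/URLClassLoader.<init>", "java/net/URLClassLoader.newInstance",
        "java/io/ObjectInputStream.readObject", "java/beans/XMLDecoder.readObject");
    private static final Set<String> TLS_IFACES = Set.of(
        "javax/net/ssl/X509TrustManager", "javax/net/ssl/HostnameVerifier");

    final List<String> findings = new ArrayList<>();
    private String className;
    private boolean tlsImpl;   // class directly implements a TLS callback interface

    public RiskySinkScanner() { super(Opcodes.ASM9); }

    @Override
    public void visit(int ver, int acc, String name, String sig, String sup, String[] ifaces) {
        className = name.replace('/', '.');
        tlsImpl = ifaces != null && Arrays.stream(ifaces).anyMatch(TLS_IFACES::contains);
    }

    @Override
    public MethodVisitor visitMethod(int acc, String name, String desc, String sig, String[] ex) {
        String where = className + "." + name + desc;
        // Weak-TLS heuristic: checkServerTrusted/verify whose body is only "return" or "return true".
        boolean tlsMethod = tlsImpl && (name.equals("checkServerTrusted") || name.equals("verify"));
        return new MethodVisitor(Opcodes.ASM9) {
            int realInsns;        // instructions other than the trailing return
            boolean returnsTrue;  // ICONST_1 immediately followed by IRETURN
            int prev = -1;

            @Override
            public void visitMethodInsn(int op, String owner, String m, String d, boolean itf) {
                realInsns++;
                if (SINKS.contains(owner + "." + m))
                    findings.add("call to " + owner.replace('/', '.') + "." + m + " in " + where);
            }
            @Override
            public void visitInsn(int op) {
                if (op == Opcodes.IRETURN && prev == Opcodes.ICONST_1) returnsTrue = true;
                else if (op != Opcodes.RETURN && op != Opcodes.ICONST_1) realInsns++;
                prev = op;
            }
            // The other common instruction kinds mean the method does real work.
            @Override public void visitVarInsn(int op, int v) { realInsns++; }
            @Override public void visitFieldInsn(int op, String o, String n, String d) { realInsns++; }
            @Override public void visitJumpInsn(int op, Label l) { realInsns++; }
            @Override public void visitTypeInsn(int op, String t) { realInsns++; }
            @Override public void visitLdcInsn(Object c) { realInsns++; }
            @Override public void visitIntInsn(int op, int operand) { realInsns++; }
            @Override
            public void visitEnd() {
                if (tlsMethod && realInsns == 0)
                    findings.add("weak TLS: " + where + (returnsTrue ? " always returns true" : " has an empty body"));
            }
        };
    }

    static List<String> scanClass(InputStream in) throws IOException {
        RiskySinkScanner s = new RiskySinkScanner();
        new ClassReader(in).accept(s, ClassReader.SKIP_DEBUG | ClassReader.SKIP_FRAMES);
        return s.findings;
    }

    // Scans a .class file, every class entry of a .jar, or a directory walked recursively.
    static List<String> scan(Path p) throws IOException {
        List<String> out = new ArrayList<>();
        if (Files.isDirectory(p)) {
            try (Stream<Path> walk = Files.walk(p)) {
                for (Path f : (Iterable<Path>) walk::iterator)
                    if (f.toString().endsWith(".class") || f.toString().endsWith(".jar")) out.addAll(scan(f));
            }
        } else if (p.toString().endsWith(".jar")) {
            try (JarFile jar = new JarFile(p.toFile())) {
                for (JarEntry e : (Iterable<JarEntry>) jar.entries()::asIterator)
                    if (e.getName().endsWith(".class"))
                        try (InputStream in = jar.getInputStream(e)) { out.addAll(scanClass(in)); }
            }
        } else {
            try (InputStream in = Files.newInputStream(p)) { out.addAll(scanClass(in)); }
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        List<String> findings = scan(Path.of(args[0]));
        findings.forEach(System.out::println);
        System.exit(findings.isEmpty() ? 0 : 1);   // non-zero so a CI step fails on any finding
    }
}
```

Compile and run with the ASM jar on the classpath, e.g. `javac -cp asm.jar RiskySinkScanner.java && java -cp asm.jar:. RiskySinkScanner target.jar` (the jar filename depends on the ASM version you fetch). Two caveats worth knowing when reading any scanner of this kind: only classes that directly implement X509TrustManager or HostnameVerifier are examined, so a trust manager inherited from an abstract base class, or a lambda-based HostnameVerifier (compiled to an invokedynamic plus a synthetic method), is missed; and a call site is only a sink, not proof of exploitability, so a flagged Runtime.exec with constant arguments still needs a human look.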
