How to detect apps using Oracle’s JDK 1.8 (and others) at the portfolio level

As you probably already know, Oracle announced a major change to their release and support rules for Java. This article is not meant to explain how that’s going to work now, but long story short you’ll have to either a) update your JDK very fast; b) be exposed to unpatched (and perhaps vulnerable) Java versions that run your applications; c) implement a free alternative like OpenJDK … or d) pay for LTS support. This article will show you how to detect the versions of the JDK your applications are using, at the portfolio level, by leveraging CAST Highlight and the Keyword Scan feature.

In the version we released in December 2018, we introduced a very cool improvement to the Keyword Scan feature: the capability to search for patterns in different scopes (in code or comment, in file or folder names or a combination of all that), but also the possibility to define the formula that will verify the occurrence of the pattern you specified. This small feature enhancement offers huge opportunities for quickly and systematically checking interesting patterns in a large code base and aggregating results at the portfolio level. Below are the options available…
The Keyword Scan XML file structure:

  • UserScan – global XML wrapper
    • keywordScan – groups a series of keywords/patterns; e.g. for Java JDKs, it will create .timestamp.JavaJDKs.csv as the scan output
      • keywordGroup – where you create a pattern (e.g. JDK 1.8) made of one or more combined searches, as follows:
        • keywordItem – string search
        • filenameItem – file search (can be a file name or folder name; wildcards can be used)
        • filenameContentItem – file content search (also takes file/folder names to refine the search scope; wildcards can be used)
        • formula – verification of your pattern (e.g. “(keywordItem_A or filenameItem_B) and filenameContentItem_C” => TRUE)

To make this search happen during a code scan, you’ll need to specify the path to your XML file when running the command line or the local agent. See how in this tutorial.

Let’s detect some JDK 1.8!

Having that mechanic in mind, let’s see now how to capture the version 1.8 of the JDK that a Java-based application may use, as specified in Maven’s dependency/build file (pom.xml)…
<UserScan>
  <keywordScan name="Java Runtime Checks" version="1.0">
    <keywordGroup name="JRE 1.8" weight="1" sensitive="0" full_word="0">
      <filenameContentItem id="JRE_18_plugin" filenamePattern="pom.xml" contentPattern="&lt;target&gt;1.8&lt;/target&gt;"/>
      <filenameContentItem id="JRE_18_properties" filenamePattern="pom.xml" contentPattern="&lt;maven.compiler.target&gt;1.8&lt;/maven.compiler.target&gt;"/>
      <formula value="JRE_18_plugin or JRE_18_properties" />
    </keywordGroup>
  </keywordScan>
</UserScan>
Concretely, we’re asking Highlight’s analyzers to check each POM for the presence of at least one of the two ways of specifying the JDK target version in Maven:

  • First way: indicated by “<target>1.8</target>” in Maven’s plugin configuration
  • Second way: indicated by “<maven.compiler.target>1.8</maven.compiler.target>” in the build properties

Note: as the Keyword Scan configuration file is in XML format and we’re searching for XML patterns in POMs, the XML tags have to be escaped (e.g. “<tag>” becomes “&lt;tag&gt;”).

Obviously, you can combine this 1.8 detection with keywordGroups for earlier and later versions in order to detect all of them with a single scan. This way, you’ll get visibility on the JDK version landscape of your application portfolio.
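To make the keywordGroup/formula mechanics concrete, here is an added example that is not CAST Highlight’s code: a small Python re-implementation of how the configuration above is evaluated against a set of POMs (the matching semantics, the sample files and the evaluator are my assumptions; it handles any number of keywordGroups, so it also covers a multi-version scan).

```python
import ast
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Constructed copy of the article's UserScan config (straight quotes; entities are needed because the patterns are XML tags).
SCAN_XML = """<UserScan>
  <keywordScan name="Java Runtime Checks" version="1.0">
    <keywordGroup name="JRE 1.8" weight="1" sensitive="0" full_word="0">
      <filenameContentItem id="JRE_18_plugin" filenamePattern="pom.xml" contentPattern="&lt;target&gt;1.8&lt;/target&gt;"/>
      <filenameContentItem id="JRE_18_properties" filenamePattern="pom.xml" contentPattern="&lt;maven.compiler.target&gt;1.8&lt;/maven.compiler.target&gt;"/>
      <formula value="JRE_18_plugin or JRE_18_properties" />
    </keywordGroup>
  </keywordScan>
</UserScan>"""

# Constructed sample portfolio (path -> content): app-a targets 1.8, app-b targets 11, app-c has the text in the wrong file.
SAMPLE_FILES = {
    "app-a/pom.xml": "<project><properties><maven.compiler.target>1.8</maven.compiler.target></properties></project>",
    "app-b/pom.xml": "<project><build><plugins><plugin><configuration><target>11</target></configuration></plugin></plugins></build></project>",
    "app-c/notes.txt": "<target>1.8</target>",
}

def evaluate_formula(formula, hits):
    """Evaluate 'A or (B and not C)' over item id -> bool by walking a Python AST that may
    contain only and/or/not, parentheses and known item ids (no eval() on config text)."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            values = [walk(v) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name) and node.id in hits:
            return hits[node.id]
        raise ValueError(f"unsupported token in formula: {ast.dump(node)}")
    return walk(ast.parse(formula, mode="eval").body)

def scan_files(scan_xml, files):
    """Return {keywordGroup name: [paths satisfying its formula]}. Assumed semantics: filenamePattern is a
    wildcard match on the file name, contentPattern a substring search (case-insensitive when sensitive="0")."""
    report = {}
    for group in ET.fromstring(scan_xml).iter("keywordGroup"):
        fold = str if group.get("sensitive") == "1" else str.lower
        items, formula = group.findall("filenameContentItem"), group.find("formula").get("value")
        def hit(item, path, text):  # filenameContentItem is the only item type shown in the article
            return fnmatch(path.rsplit("/", 1)[-1], item.get("filenamePattern")) and fold(item.get("contentPattern")) in fold(text)
        report[group.get("name")] = [path for path, text in files.items()
                                     if evaluate_formula(formula, {i.get("id"): hit(i, path, text) for i in items})]
    return report
```

Running scan_files(SCAN_XML, SAMPLE_FILES) flags only app-a: app-b targets a different version and app-c matches the content pattern but not the filenamePattern.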

You’re now all set to go after JDK 1.8 patterns. Don’t hesitate to contact us if you have any questions or feedback to improve the Keyword Scan feature!