Callflow in IQ CLI - Remediation Prioritization

Description

We’ve heard your feedback regarding call flow analysis (CFA), particularly how developers want to prioritize vulnerability remediation and the role that call flow analysis plays in that process. We’re excited to announce our latest CFA enhancements based on that feedback.

Starting with version 152 of the IQ Server, you can enable CFA whenever you use the IQ CLI to evaluate your applications. Once a scan completes, the CLI automatically applies a “Security-Reachable” label to any component that has a vulnerability whose code is reachable from the scanned application. You can create a policy around this label to aid prioritization and remediation.

While this is still a Lab without official support, we have updated the functionality and integrated it into the product.

Basic Usage

As the Callflow Analysis Lab has moved into the official IQ CLI, the documentation can be found in the main help documentation: Nexus IQ CLI Help.

The relevant options are:

-c, --call-flow-analysis

This switch performs a call flow analysis on the Java binaries (or binaries of any JVM language) found in the scan targets to find method signatures that trigger a security vulnerability.

-cn, --call-flow-analysis-namespaces

This switch performs the same call flow analysis on the Java binaries (or binaries of any JVM language) found in the scan targets, but limits the analysis to the code found under the given namespaces or packages, giving a faster and more precise result. Multiple packages can be set by repeating the option: -cn com.package1 -cn org.package2
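One practical way to use the -cn option is to derive the namespace list from the application's own source tree, so that CFA is limited to first-party code. The helper below is an added example, not Sonatype's code or part of the IQ CLI; it assumes a Maven/Gradle source layout (src/main/java/<package>/...), and the jar name, server URL and credential flags in the printed command are placeholders.

```shell
#!/bin/sh
# Added example (not from the IQ CLI or the original post): build the repeated
# "-cn <package>" arguments from a project's own source tree.
# Assumption: sources live under src/main/java/<top>/<second>/... and the
# first two directory levels (e.g. com/example) identify first-party code.

# Print the distinct two-level package names under a source root, one per
# line, sorted (com/example -> com.example).
first_party_packages() {
    src_root="$1"
    find "$src_root" -mindepth 2 -maxdepth 2 -type d | while read -r dir; do
        rel="${dir#"$src_root"/}"
        printf '%s\n' "$rel" | tr '/' '.'
    done | sort -u
}

# Turn those packages into one line of "-cn <pkg>" arguments for the CLI.
build_cn_args() {
    args=""
    for pkg in $(first_party_packages "$1"); do
        args="$args${args:+ }-cn $pkg"
    done
    printf '%s\n' "$args"
}

# Create a constructed sample layout (two first-party packages) and print
# its path, so the helper can be demonstrated without a real project.
make_demo_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/src/main/java/com/example/app" \
             "$root/src/main/java/org/acme/util"
    printf '%s\n' "$root"
}

demo="$(make_demo_tree)"
cn_args="$(build_cn_args "$demo/src/main/java")"
# Placeholder invocation (flags other than -cn are assumptions); printed, not run.
echo "java -jar nexus-iq-cli.jar -i <application-id> -s <iq-server-url> \\"
echo "     -a <user:password> $cn_args target/app.jar"
rm -rf "$demo"
```

Run it from the project root to see the command it would build; replace the placeholders with your own application id, server URL and credentials before running the real scan.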

Why is Java the only language supported?

The intention of this lab is to understand how program analysis can help you prioritize remediation. Given the nature of static and runtime program analysis, it is difficult, if not impossible, to determine that an identified vulnerable component poses no risk at all; a missing reachable path lowers priority but is not proof of safety.

Download

Download the IQ CLI here.

Help

For questions or help, reply to this thread. Please do not submit company confidential information.