Java — Supported format
Java is supported as a first-class format. Rules cover the common enterprise weakness classes, each mapped to a CWE.
What it is
Static rules tuned for Java idioms.
Why it's useful
Catches SQL injection via JDBC string concatenation (CWE-89), unsafe deserialisation through ObjectInputStream (CWE-502) and hardcoded credentials (CWE-798).
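The deserialisation case, as an added example (not Decoder's code): the ObjectInputStream.readObject() call on bytes of unknown origin that a CWE-502 rule flags, beside a hardened reader that installs a java.io.ObjectInputFilter allow-list (Java 9+) before reading. The class names, the Greeting message type and the java.util.Date payload standing in for an attacker-chosen class are all constructed for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;

/**
 * Added example, not Decoder's code: the ObjectInputStream pattern flagged as
 * CWE-502 beside a hardened reader that installs a serialisation filter
 * (java.io.ObjectInputFilter, Java 9+). Class names are illustrative.
 */
public class DeserialisationExample {

    /** Constructed message type: the only class the reader should ever accept. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Vulnerable: readObject() on bytes of unknown origin will instantiate any
     *  Serializable class on the classpath, which is what gadget chains exploit. */
    static Object readUntrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /** Hardened: an allow-list filter is installed before readObject(). The
     *  pattern syntax is "allowed;allowed;!*": listed classes pass, the trailing
     *  "!*" rejects every other class before it is resolved or instantiated. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "DeserialisationExample$Greeting;java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(allowList);
            return in.readObject();   // a rejected class raises InvalidClassException
        }
    }

    /** Helper used only to build the demo payloads. */
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialise(new Greeting("hello"));
        byte[] unexpected = serialise(new Date());   // stands in for an attacker-chosen class

        System.out.println("filtered, expected class: " + ((Greeting) readFiltered(expected)).text);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class rejected: " + e.getMessage());
        }
        System.out.println("unfiltered, unexpected class accepted: " + readUntrusted(unexpected).getClass());
    }
}
```

The filter is checked when the stream's class descriptor is resolved, so the rejected class is never instantiated and no readObject/readResolve code in it runs; that is the property an allow-list gives you that a post-hoc instanceof check does not. A static rule can only tell you that readObject() is reachable from untrusted input; whether a filter (or the JVM-wide jdk.serialFilter property) is in place still has to be confirmed by hand.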
How Decoder implements it
Pattern + AST-lite analysis, plus pom.xml / build.gradle dependency parsing.
When to use it
Enterprise codebases, Spring services, Android backends.
When NOT to use it
Bytecode-level analysis: Decoder's rules run on source, so for compiled classes or JARs bring a dedicated tool.
Practical example
SQL built by string concatenation and handed to a JDBC Statement or PreparedStatement (user input spliced into the query text instead of bound through ? parameters) is flagged as CWE-89.
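The flagged pattern beside its fix, as an added example that is not Decoder's or the page's own code. Note that the vulnerable method does call prepareStatement(), which is the misuse the rule is after: a PreparedStatement protects nothing if the query text was already assembled from input. The code assumes a JDBC driver on the classpath and a database URL in args[0] (an embedded H2 URL such as jdbc:h2:mem:demo, or jdbc:sqlite::memory: with the SQLite driver); the users table, its two rows and the attacker input are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not Decoder's code: the JDBC concatenation pattern flagged as
 * CWE-89 beside the parameterised form. Assumes a JDBC driver on the classpath
 * and a database URL in args[0]; schema and rows are constructed for the demo.
 */
public class JdbcSqliExample {

    /** Vulnerable: a PreparedStatement is used, but the SQL text is still built by
     *  concatenation, so the quote in the input closes the literal and the rest of
     *  the input becomes SQL. This is the concat-into-prepareStatement misuse. */
    static List<String> findEmailsVulnerable(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            return collect(rs);
        }
    }

    /** Hardened: the SQL text is a constant and the value travels as a bound
     *  parameter, so no character in username can change the query's structure. */
    static List<String> findEmailsSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(args[0])) {
            // Constructed demo schema: two users, so a successful injection is visible
            // as both rows coming back for a username that matches neither.
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (username VARCHAR(64), email VARCHAR(128))");
                st.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')");
                st.execute("INSERT INTO users VALUES ('bob', 'bob@example.test')");
            }
            String attack = "x' OR '1'='1";   // constructed attacker input
            System.out.println("vulnerable: " + findEmailsVulnerable(conn, attack));
            System.out.println("safe:       " + findEmailsSafe(conn, attack));
        }
    }
}
```

With the constructed input the vulnerable query becomes SELECT email FROM users WHERE username = 'x' OR '1'='1', which matches every row, while the parameterised query looks for a user literally named x' OR '1'='1 and returns nothing. When triaging a CWE-89 finding, the thing to check is whether any piece of the string passed to prepareStatement() or execute*() derives from input; the presence of a ? placeholder elsewhere in the same query does not clear it.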
Glossary
- JDBC: Java Database Connectivity — common SQLi vector when misused.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
A leaked key is one of the most common breach vectors. Decoder combines provider-specific regex (AWS, GitHub, Stripe…) with entropy scoring to flag secrets that don't belong in code.
Most code in any modern project isn't yours. Decoder reads manifests and lockfiles to map the dependency surface and flag suspicious entries.