
Call sites🔗

A call site is a precise location in the code where a cryptographic method is invoked. For instance, in Java, verifying a digital signature involves several actions: obtaining a Signature instance, initializing it with the verification key, updating it with the signed data, and verifying the signature. Each of these actions corresponds to a specific call site, so a single logical operation usually produces several call sites in the scan results.

Call sites pinpoint where a cryptographic operation occurs in the code, aiding in analysis and ensuring the secure implementation of cryptographic functions within the application.
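As an added illustration (this is example code written for this page, not code from the product or from the scanned showcase application), the following Java program performs the signature verification described above. Each line marked `call site` is a distinct location that a bytecode scanner or an application tracer would report as its own row, with its own calling method, source location and called method. The `legacySign` method is included to show a call site that exists in the bytecode but is not executed on an ordinary run; the class and method names, and the sample message, are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Added example, not the product's own code. Every line marked "call site"
// is a location that a scanner or tracer reports separately.
public class CallSiteDemo {

    // Key generation: three distinct calls, three distinct call sites.
    static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC"); // call site: KeyPairGenerator.getInstance
        kpg.initialize(256);                                         // call site: KeyPairGenerator.initialize
        return kpg.generateKeyPair();                                // call site: KeyPairGenerator.generateKeyPair
    }

    static byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature sig = Signature.getInstance("SHA256withECDSA");  // call site: Signature.getInstance
        sig.initSign(key);                                          // call site: Signature.initSign
        sig.update(data);                                           // call site: Signature.update
        return sig.sign();                                          // call site: Signature.sign
    }

    // The four verification steps named in the text, each its own call site.
    static boolean verify(PublicKey key, byte[] data, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance("SHA256withECDSA");  // call site: Signature.getInstance
        sig.initVerify(key);                                        // call site: Signature.initVerify
        sig.update(data);                                           // call site: Signature.update
        return sig.verify(signature);                               // call site: Signature.verify
    }

    // Only executed when an argument is passed. A static scan still reports
    // these call sites; a dynamic trace of a plain run does not see them.
    static byte[] legacySign(PrivateKey key, byte[] data) throws Exception {
        Signature sig = Signature.getInstance("SHA1withECDSA");    // call site: Signature.getInstance (SHA-1 is deprecated for signatures)
        sig.initSign(key);                                          // call site: Signature.initSign
        sig.update(data);                                           // call site: Signature.update
        return sig.sign();                                          // call site: Signature.sign
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateKeyPair();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] s = sign(kp.getPrivate(), msg);
        System.out.println("signature valid: " + verify(kp.getPublic(), msg, s));

        // Flip one bit of the message: verification must now fail.
        byte[] tampered = msg.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered valid:  " + verify(kp.getPublic(), tampered, s));

        if (args.length > 0) {
            System.out.println("legacy signature length: " + legacySign(kp.getPrivate(), msg).length);
        }
    }
}
```

Compile with `javac CallSiteDemo.java` (javac emits line number information by default) and run with `java CallSiteDemo`; running it again with any argument exercises the `legacySign` call sites as well, which is the difference a dynamic trace would show between the two runs.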

View Call sites🔗

When call sites are discovered in a scan, details for the call are available in associated reports and instance views.

  • On either the Instances page or in a Report, select the Call sites tab.
  • In application reports, Call sites are also available on the Operations details page.

Tip

Call site details are only available in reports or instances for application traces and scans.

Call site details🔗

The Call site details table lists the call sites in the scanned bytecode. Each row in the table provides details for a single call site, as shown here:

  • Calling method - The class and method where the call site is located. In this example, the class is cryptosense.showcase.AppMain, and the method is multiPurposeKey.
  • Location - The filename and line number where this call site can be found in the source. In this example, the call site is in the AppMain.java file on line 314.

Note

Whether call site location information is present in the bytecode depends on the options used when the code was compiled. For Java, javac records the SourceFile and LineNumberTable attributes by default, so the file name and line number are normally available; code compiled with -g:none (or otherwise stripped of debug attributes) carries neither, and the Location column cannot be populated for it.

  • Called Method - The cryptographic method that was called. In this example, the method is javax.crypto.Cipher.doFinal.
  • Status - The Status field is used for analysis and remediation. For more information, refer to Call site status.

Call site status🔗

The Status column in Call sites details shows test coverage when both a dynamic application tracer and a static bytecode scanner are used. Each sensor provides unique insights:

  • Dynamic Application Tracer: Identifies call sites during program execution, but only for the parts of the program that were exercised in that run.
  • Static Bytecode Scanner: Sees the code at rest and offers no visibility into what happens during execution.
  • Augmented trace: When you combine results from both the dynamic tracer and static scanner in an augmented trace, AQtive Guard reconciles the findings from both methods.

The Status column in Call sites details displays one of three coverage values:

| Coverage status | Dynamic application trace | Static bytecode scan | Meaning |
|---|---|---|---|
| Covered | Found | Found | The call site was discovered in both the application trace and the bytecode scan. |
| Not covered | Not found | Found | The call site was discovered in the static bytecode scan, but was not exercised in the application trace. |
| Missed | Found | Not found | The call site was discovered in the dynamic application trace, but missed by the bytecode scan. |

Important

Covered status requires analyzing an augmented trace that combines both a dynamic trace and a static scan. A status of Not covered or Missed is expected when a trace or a scan is analyzed on its own, because the other sensor's findings are not available to reconcile against.
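The following Java class is an added example of the reconciliation the table and the note above describe; it is not AQtive Guard's own augmented-trace logic, and the way the product actually keys and matches call sites between the two sensors is an assumption here. It takes the set of call sites found by a static scan and the set observed by a dynamic trace and assigns each the status from the table. The sample findings in `main` are constructed for the example (the first one reuses the call site from the Call site details section).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example, not the product's own reconciliation code. The matching key
// (calling method + location + called method) is an assumption for illustration.
public class CallSiteCoverage {

    enum Status { COVERED, NOT_COVERED, MISSED }

    // One call site, keyed the way the Call site details table presents it.
    record CallSite(String callingMethod, String location, String calledMethod) {}

    // Status follows the coverage table:
    //   present in both sets        -> COVERED
    //   static scan only            -> NOT_COVERED (in the bytecode, never exercised)
    //   dynamic trace only          -> MISSED (executed, but the scanner did not report it)
    static Map<CallSite, Status> reconcile(Set<CallSite> staticScan, Set<CallSite> dynamicTrace) {
        Map<CallSite, Status> result = new LinkedHashMap<>();
        for (CallSite cs : staticScan) {
            result.put(cs, dynamicTrace.contains(cs) ? Status.COVERED : Status.NOT_COVERED);
        }
        for (CallSite cs : dynamicTrace) {
            result.putIfAbsent(cs, Status.MISSED);
        }
        return result;
    }

    // Analysing one sensor on its own: pass an empty set for the other. Every
    // call site then comes back NOT_COVERED (static only) or MISSED (dynamic only),
    // which is the behaviour the Important note describes.
    static Map<CallSite, Status> staticOnly(Set<CallSite> staticScan) {
        return reconcile(staticScan, Set.of());
    }

    public static void main(String[] args) {
        // Constructed sample findings, not real scan output.
        CallSite doFinal = new CallSite("cryptosense.showcase.AppMain.multiPurposeKey",
                                        "AppMain.java:314", "javax.crypto.Cipher.doFinal");
        CallSite legacy  = new CallSite("com.example.Legacy.sign",
                                        "Legacy.java:42", "java.security.Signature.getInstance");
        CallSite runtime = new CallSite("com.example.Plugin.run",
                                        "Plugin.java:17", "javax.crypto.Mac.doFinal");

        Set<CallSite> staticScan   = Set.of(doFinal, legacy);
        Set<CallSite> dynamicTrace = Set.of(doFinal, runtime);

        System.out.println("Augmented trace:");
        reconcile(staticScan, dynamicTrace).forEach((cs, status) ->
            System.out.printf("  %-12s %-16s %s%n", status, cs.location(), cs.calledMethod()));

        System.out.println("Static scan analysed alone:");
        staticOnly(staticScan).forEach((cs, status) ->
            System.out.printf("  %-12s %-16s %s%n", status, cs.location(), cs.calledMethod()));
    }
}
```

Requires Java 16 or later for the record type. In the augmented run the `doFinal` call site is COVERED, `legacy` is NOT_COVERED and `runtime` is MISSED; in the static-only run nothing can be COVERED, which is why a Not covered status from a lone scan is not by itself evidence of dead code.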