Skip to content

Java Bytecode Scanner Changelog

This is the list of version numbers of the AQtive Guard Java Bytecode Scanner (formerly Java Static Scanner). Each version number is shown with a list of changes brought by that version.

2.1.4 - 2025-04-17

  • The scanner now successfully scans Java class files that previously triggered a BadClass error.
  • Added support for Java bytecode up to JDK 25 (class file version 69).

2.1.3 - 2025-03-28

  • Add support for Java bytecode up to JDK 24 (class file version 68).

2.1.2 - 2024-05-07

  • Add support for Java bytecode up to JDK 23 (class file version 67).

2.1.1 - 2024-03-06

  • Update Gson library to 2.10.1.
  • Improve a log message about the use of an existing trace file.

2.1.0 - 2022-07-07

  • Add --continue-on-parsing-error that logs class parsing errors and continues rather than exiting. This will become the default in a future release. Until then, the default is still to exit on such errors.

2.0.1 - 2022-06-14

  • Replaced confusing log message “Scanning stopped after N at ” with “Scanning stopped at depth N”.

2.0.0 - 2021-10-04

  • JSON output format version 2.0.
  • Remove all coverage and risk calculations. These are now done by the analyzer.
  • Remove command-line arguments --show-missing-sites and --show-calls.
  • Deprecate command-line argument --num-passes; use --max-depth instead.

1.9.0 - 2021-09-03

  • Handle inheritance by attaching a list of potential runtime classes to each call site target.

1.8.1 - 2021-08-24

  • Fix broken CI blocking release, no functional changes.

1.8.0 - 2021-08-24

  • JSON output format version 1.1.
  • Add signature of calling method to call site locations.
  • Add --quiet option for programmatic use.
  • Add multiple scanning passes for finding indirect call sites, controlled by new command-line argument --num-passes.
  • Update dependencies.

1.7.0 - 2019-12-18

  • Fix placeholder line number: Use -1 instead of 0 for consistency with the tracer.
  • Update list of ignored methods and synchronise with tracer and analyzer.
  • Add detection and reporting of possible hard-coded keys, passwords, salts and IVs found in bytecode.

1.6.0 - 2019-04-01

  • Add JSON output option with initial version 1.0.
  • Ignore getInstance() calls for KeyGenerator and KeyPairGenerator.
  • Skip over calls to inner class methods with the same name when searching a stack trace for caller location.
  • Drop support for Java 7.
  • Update ASM to 7.1 and make it compatible with newer Java class files.

1.5.0 - 2018-12-26

  • Look for .class files in WARs in addition to JARs.

1.4.0 - 2018-10-22

  • Add compatibility with Java 10.
  • Stop parsing a trace on end-of-stream stream error instead of crashing.

1.3.0 - 2018-10-05

  • Ignore getInstance() call sites.