QCecuring - Enterprise Security Solutions

Java Cryptographic Scanning

CBOM

Scan Java codebases for cryptographic usage — detect JCA/JCE algorithms, Bouncy Castle operations, and deprecated crypto across your Java applications.

Overview

QCecuring’s CBOM scanner analyzes Java source code to discover all cryptographic operations — from the standard JCA/JCE framework to third-party libraries like Bouncy Castle, Google Tink, and Apache Shiro. The scanner identifies algorithm strings, key sizes, cipher transformations, and deprecated patterns across your Java application portfolio.

Key capabilities

  • Detect Cipher.getInstance(), KeyGenerator.getInstance(), MessageDigest.getInstance() calls and extract algorithm strings.
  • Scan KeyPairGenerator usage for RSA, EC, DSA key generation with key size parameters.
  • Identify SSLContext and SSLSocketFactory configurations for TLS versions and cipher suites.
  • Analyze Bouncy Castle API usage for low-level crypto operations and algorithm selection.
  • Detect deprecated algorithms: DES, 3DES, RC4, MD5, and SHA-1 in signature contexts.
  • Scan pom.xml, build.gradle, and build.gradle.kts for crypto library dependencies and versions.
  • Identify Java KeyStore (JKS, PKCS#12) operations and certificate handling patterns.

Typical use cases

  • Enterprise teams auditing large Java codebases for cryptographic compliance before PQC migration.
  • Security teams scanning Spring Boot, Jakarta EE, and Android applications for weak crypto.
  • Compliance programs requiring inventory of all JCA/JCE algorithm usage across Java services.
  • Organizations migrating from legacy Java crypto (DES, 3DES) to modern algorithms.

Detected patterns

Framework          What's scanned
JCA/JCE            Cipher.getInstance("AES/GCM/NoPadding"), KeyGenerator.getInstance("AES"), MessageDigest.getInstance("SHA-256")
KeyPairGenerator   RSA, EC, DSA key generation with key size parameters
SSLContext         TLS protocol versions, enabled cipher suites, trust manager configuration
Bouncy Castle      Low-level crypto operations, algorithm selection, provider registration
Google Tink        Key template selection, AEAD, MAC, signature configurations
KeyStore           JKS/PKCS#12 operations, certificate loading, key entry management
Signature          Signing algorithm selection (SHA256withRSA, SHA384withECDSA, etc.)
SecureRandom       Random number generator algorithm and provider selection

High-level integration flow

  1. QCecuring scans Java repositories via Git integration or local filesystem access.
  2. AST-based analysis identifies JCA/JCE API calls, algorithm strings, and crypto configurations.
  3. Build files (Maven, Gradle) are parsed for crypto library dependencies and versions.
  4. Discovered crypto usage is normalized into CycloneDX CBOM format with full algorithm details.
  5. Results feed into the centralized CBOM inventory with PQC readiness scoring per finding.
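As an added illustration of steps 2 and 4 (example code, not QCecuring's own scanner), the sketch below pulls algorithm strings out of JCA getInstance() calls, ties a literal key size to the generator it initializes, flags the deprecated algorithms listed above, and emits a reduced CycloneDX-style CBOM. The DEPRECATED set, MIN_KEY_BITS thresholds, regexes and the Java sample are this example's own assumptions.

```python
import re
# Deprecated algorithms named on the page, matched on the base of a transformation
# ("DES/CBC/PKCS5Padding" -> "DES") or on the digest of a signature name ("SHA1withRSA").
DEPRECATED = {"DES", "DESEDE", "3DES", "RC4", "ARCFOUR", "MD5", "SHA1", "SHA-1"}
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 256}  # assumed thresholds for this example

# Optional assignment target, the JCA factory class, and its quoted algorithm string.
GET_INSTANCE = re.compile(r'(?:(\w+)\s*=\s*)?\b(Cipher|KeyGenerator|KeyPairGenerator|'
                          r'MessageDigest|Signature|SecureRandom)\.getInstance\(\s*"([^"]+)"')
# kpg.initialize(2048) or kg.init(256) with a literal key size.
INIT_SIZE = re.compile(r'\b(\w+)\.(?:initialize|init)\(\s*(\d+)\s*[,)]')

def is_deprecated(algorithm: str) -> bool:
    base = algorithm.split("/")[0].upper()
    digest = base.split("WITH")[0]  # "SHA1WITHRSA" -> "SHA1"; unchanged for other names
    return base in DEPRECATED or digest in DEPRECATED

def scan_java(source: str) -> list:
    """One finding per getInstance(); a later initialize()/init() on the same variable adds the key size."""
    findings, by_var = [], {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for var, api, algo in GET_INSTANCE.findall(line):
            f = {"line": lineno, "api": api, "algorithm": algo,
                 "keySize": None, "weak": is_deprecated(algo)}
            findings.append(f)
            if var:
                by_var[var] = f
        for var, bits in INIT_SIZE.findall(line):
            f = by_var.get(var)
            if f and f["api"] in ("KeyPairGenerator", "KeyGenerator"):
                f["keySize"] = int(bits)
                f["weak"] |= int(bits) < MIN_KEY_BITS.get(f["algorithm"].upper(), 128)
    return findings

def to_cbom(findings: list) -> dict:
    """Reduced CycloneDX 1.6 cryptographic-asset layout; the "evidence" entry is illustrative."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
        {"type": "cryptographic-asset", "name": f["algorithm"],
         "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
             "parameterSetIdentifier": str(f["keySize"] or "")}},
         "evidence": {"line": f["line"], "api": f["api"], "weak": f["weak"]}}
        for f in findings]}

# Constructed Java snippet: modern AEAD cipher, deprecated cipher, undersized RSA key, SHA-1 signature.
SAMPLE = '''Cipher good = Cipher.getInstance("AES/GCM/NoPadding");
Cipher legacy = Cipher.getInstance("DES/CBC/PKCS5Padding");
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024);
Signature sig = Signature.getInstance("SHA1withRSA");'''
```

Running `to_cbom(scan_java(SAMPLE))` yields four components, of which the DES cipher, the 1024-bit RSA key pair and the SHA1withRSA signature carry `weak: True`.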
