> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Java support

<Tip>
  **TIP**

  Semgrep's Java coverage leverages framework-specific analysis capabilities that are not present in Semgrep Community Edition (CE). As a result, many framework specific Pro rules will **fail** to return findings if run on Semgrep CE. To ensure full security coverage, run: `semgrep login && semgrep ci`.
</Tip>

## Semgrep Code analyses

* [Language-specific analysis](/semgrep-code/java)
* Interfile analysis (cross-file)
* Interprocedural analysis (cross-function)
* All analyses performed by [Semgrep Community Edition (CE)](#java-support-in-semgrep-ce)

## Coverage

Semgrep aims to provide comprehensive and accurate detection of common OWASP Top 10 issues in source code. Semgrep uses **rules**, which are instructions based on which it detects patterns in code. These rules are usually organized in rulesets.

By default, Semgrep Code provides you with the [ `p/comment`](https://semgrep.dev/p/comment) and [ `p/default`](https://semgrep.dev/p/default) rulesets. These rulesets provide the most accurate and comprehensive coverage across Semgrep's supported languages.

Some examples of rules include:

* [CWE-327: Use of a broken or risky cryptographic algorithm. Don't use the `none` algorithm](https://semgrep.dev/playground/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg?editorMode=advanced)
* [CWE-78: OS command injection. Sanitize your variables before using them as input to a `java.lang.Runtime` call](https://semgrep.dev/playground/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call?editorMode=advanced)

## Java support in Semgrep Supply Chain

Semgrep Supply Chain is a software composition analysis (SCA) tool that detects security vulnerabilities in your codebase introduced by open source dependencies.

### Supported package managers

Semgrep supports the following Java package managers:

* Gradle
* Maven

### Analyses and features

The following analyses and features are available for Java:

|                       |                                                                                                                                                                                                                                                                                                              |
| :-------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Reachability analysis | Reachability refers to whether or not a vulnerable code pattern from a dependency is used in the codebase that imports it. In Semgrep Supply Chain, both a dependency's vulnerable version and code pattern must match for a vulnerability to be considered reachable.                                       |
| License detection     | Semgrep Supply Chain's **license compliance** feature enables you to explicitly allow or disallow (block) a package's use in your repository based on its license. For example, your company policy may disallow the use of packages with the Creative Commons Attribution-NonCommercial (CC-BY-NC) license. |
| SBOM generation       | Semgrep enables you to generate a software bill of materials (SBOM) to assess your third-party dependencies and comply with auditing procedures. Semgrep Supply Chain (SSC) can generate an SBOM for each repository you have added to Semgrep AppSec Platform.                                              |

<Tip>
  **NO NEED FOR LOCKFILES**

  Java projects can be scanned **without** the need for lockfiles. See [Dynamic Dependency Resolution (beta)](/semgrep-supply-chain/set-up-and-configure#dynamic-dependency-resolution-beta).
</Tip>

## Java support in Semgrep CE

Semgrep CE is a fast, lightweight program analysis tool that can help you detect bugs in your code. It makes use of Semgrep's LGPL 2.1 open source engine.

### Analyses

* Single-file, cross-function constant propagation
* Single-function taint analysis
* Semantic analysis

### Coverage

<Tip>
  **TIP**

  * Check the `license` of a rule to ensure it meets your licensing requirements. See [Licensing](/licensing) for more details.
</Tip>

The Semgrep Registry provides the following Java rulesets:

* [`p/default`](https://semgrep.dev/p/default)
* [`p/java`](https://semgrep.dev/p/java)
* [`p/findsecbugs`](https://semgrep.dev/p/findsecbugs)

Sample usage:

```bash theme={null}
semgrep scan --config p/java
```
