fix: resolve ConcurrentModificationException in SecretScanner and enable Phase 8.1 in API mode

Author: wuerror

src/main/java/com/jbytescanner/JByteScanner.java

@@ -125,15 +125,11 @@ public Integer call() throws Exception {
         } else {
             System.out.println("Phase 2 Skipped. Using existing api.txt for project: " + projectName);
         }
-        
-        if (isApiMode) {
-            System.out.println("Mode 'api' finished. Exiting.");
-            return 0;
-        }
 
-        // Phase 2.5: Secret Scanner
-        // Ensure Soot is initialized if Discovery was skipped
-        if (apiFile.exists() && !forceDiscovery) {
+        // Phase 2.5: Secret Scanner (Execute in BOTH api and scan modes)
+        // Ensure Soot is initialized if Discovery was skipped (e.g. in 'scan' mode with existing api.txt)
+        // Note: In 'api' mode, DiscoveryEngine.run() already initializes Soot.
+        if (isScanMode && apiFile.exists() && !forceDiscovery) {
              List<String> combinedLibs = new java.util.ArrayList<>(loadedJars.libJars);
              if (loadedJars.depAppJars != null) combinedLibs.addAll(loadedJars.depAppJars);
              com.jbytescanner.core.SootManager.initSoot(loadedJars.targetAppJars, combinedLibs, false);
@@ -146,6 +142,11 @@ public Integer call() throws Exception {
         secretScanner.writeReport(workspaceDir, findings);
         System.out.println("Secret Scan Complete. Findings: " + findings.size());
 
+        if (isApiMode) {
+            System.out.println("Mode 'api' finished. Exiting.");
+            return 0;
+        }
+        
         System.out.println("------------------------------------------");
 
         // 4. Phase 3: Taint Analysis

src/main/java/com/jbytescanner/secret/SecretScanner.java

@@ -111,10 +111,16 @@ private List<SecretFinding> scanFile(File file) {
     private List<SecretFinding> scanConstantPool() {
         List<SecretFinding> findings = new ArrayList<>();
 
-        for (SootClass sc : Scene.v().getApplicationClasses()) {
+        // Use a snapshot of classes to avoid ConcurrentModificationException if Soot modifies the chain
+        List<SootClass> snapshot = new ArrayList<>(Scene.v().getApplicationClasses());
+
+        for (SootClass sc : snapshot) {
             if (sc.isPhantom()) continue;
 
-            for (SootMethod sm : sc.getMethods()) {
+            // Use a snapshot of methods as well, just in case
+            List<SootMethod> methodSnapshot = new ArrayList<>(sc.getMethods());
+            
+            for (SootMethod sm : methodSnapshot) {
                 if (!sm.hasActiveBody()) {
                     try {
                         sm.retrieveActiveBody();
@@ -123,13 +129,18 @@ private List<SecretFinding> scanConstantPool() {
                     }
                 }
 
-                for (Unit u : sm.getActiveBody().getUnits()) {
-                    for (ValueBox vb : u.getUseBoxes()) {
-                        if (vb.getValue() instanceof StringConstant) {
-                            String value = ((StringConstant) vb.getValue()).value;
-                            checkStringSecret(value, sc.getName() + "." + sm.getName(), findings, u);
+                // Check units safely
+                try {
+                    for (Unit u : sm.getActiveBody().getUnits()) {
+                        for (ValueBox vb : u.getUseBoxes()) {
+                            if (vb.getValue() instanceof StringConstant) {
+                                String value = ((StringConstant) vb.getValue()).value;
+                                checkStringSecret(value, sc.getName() + "." + sm.getName(), findings, u);
+                            }
                         }
                     }
+                } catch (Exception e) {
+                    // Ignore errors during unit iteration (e.g. body modification)
                 }
             }
         }