From eb8326fdf3a3aefb410dc8727b43b98e925323b4 Mon Sep 17 00:00:00 2001
From: Francisco Sokol
Date: Wed, 3 Jul 2019 10:36:43 +0200
Subject: [PATCH] Add support of java-sec-bugs and java-owasp to scala projects

Since find-sec-bugs actually supports scala jars, all that had to be done was enhancing the filter in the existing findsecbugs module.

OWASP's dependency-check case is a bit different: it is able to scan zip files built by [sbt native packager](https://www.scala-sbt.org/sbt-native-packager/) but it can't find dependencies shipped in uber jars built with [sbt-assembly](https://github.com/sbt/sbt-assembly).

A demo showing how to use it is available at https://github.com/csokol/scala-hawkeyesec-scanner-demo

Partially addresses #75.
---
 .../java-find-secbugs/__tests__/findsecbugs-unit.js | 5 +++++
 .../__tests__/sample/scala-sbt/build.sbt | 0
 .../__tests__/sample/scala-sbt/src/main/scala/Main.scala | 0
 .../__tests__/sample/scala-sbt/target/scala-2.13/app.jar | 0
 lib/modules/java-find-secbugs/index.js | 9 ++++++---
 lib/modules/java-owasp/__tests__/owasp-unit.js | 5 +++++
 .../java-owasp/__tests__/sample/scala-sbt/build.sbt | 0
 .../__tests__/sample/scala-sbt/src/main/scala/Main.scala | 0
 .../__tests__/sample/scala-sbt/target/scala-2.13/app.jar | 0
 lib/modules/java-owasp/index.js | 9 ++++++---
 10 files changed, 22 insertions(+), 6 deletions(-)
 create mode 100644 lib/modules/java-find-secbugs/__tests__/sample/scala-sbt/build.sbt
 create mode 100644 lib/modules/java-find-secbugs/__tests__/sample/scala-sbt/src/main/scala/Main.scala
 create mode 100644 lib/modules/java-find-secbugs/__tests__/sample/scala-sbt/target/scala-2.13/app.jar
 create mode 100644 lib/modules/java-owasp/__tests__/sample/scala-sbt/build.sbt
 create mode 100644 lib/modules/java-owasp/__tests__/sample/scala-sbt/src/main/scala/Main.scala
 create mode 100644 lib/modules/java-owasp/__tests__/sample/scala-sbt/target/scala-2.13/app.jar
diff --git a/lib/modules/java-find-secbugs/__tests__/findsecbugs-unit.js b/lib/modules/java-find-secbugs/__tests__/findsecbugs-unit.js
index 9a01afb5..538057c4 100644
--- a/lib/modules/java-find-secbugs/__tests__/findsecbugs-unit.js
+++ b/lib/modules/java-find-secbugs/__tests__/findsecbugs-unit.js
@@ -44,6 +44,11 @@ describe('FindSecBugs Module', () => {
 expect(await handles(fm)).to.be.true
 })
 
+ it('should handle scala sbt projects', async () => {
+ const fm = new FileManager({ target: path.join(__dirname, './sample/scala-sbt') })
+ expect(await handles(fm)).to.be.true
+ })
+
 it('should not run on missing executable', async () => {
 exec.exists.withArgs('findsecbugs').resolves(false)
 const target = path.join(__dirname, './sample/java-gradle')
diff --git a/lib/modules/java-find-secbugs/__tests__/sample/scala-sbt/build.sbt b/lib/modules/java-find-secbugs/__tests__/sample/scala-sbt/build.sbt
new file mode 100644
index 00000000..e69de29b
diff --git a/lib/modules/java-find-secbugs/__tests__/sample/scala-sbt/src/main/scala/Main.scala b/lib/modules/java-find-secbugs/__tests__/sample/scala-sbt/src/main/scala/Main.scala
new file mode 100644
index 00000000..e69de29b
diff --git a/lib/modules/java-find-secbugs/__tests__/sample/scala-sbt/target/scala-2.13/app.jar b/lib/modules/java-find-secbugs/__tests__/sample/scala-sbt/target/scala-2.13/app.jar
new file mode 100644
index 00000000..e69de29b
diff --git a/lib/modules/java-find-secbugs/index.js b/lib/modules/java-find-secbugs/index.js
index ceb089cb..6e480acd 100644
--- a/lib/modules/java-find-secbugs/index.js
+++ b/lib/modules/java-find-secbugs/index.js
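Review bot: The new `should handle scala sbt projects` case here, and its twin in the owasp-unit.js hunk, only exercises the positive path: the fixture's `target/scala-2.13/app.jar` is committed as an empty blob (`index 00000000..e69de29b`), so the assertion proves the `.scala` extension filter plus the jar path lookup and nothing about a real artifact. A negative case would pin the intended gate, e.g. a Scala source tree with no `target/*.jar` should make `handles` resolve false, since the module appears to require `hasJarFiles` as well (inferred from the index.js hunks; the `return` is not visible). Whether `exec.exists` is stubbed to true for this case depends on a `beforeEach` outside the hunk.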
@@ -16,9 +16,12 @@ module.exports = {
 description: 'Finds common security issues in Java code with findsecbugs',
 enabled: true,
 handles: async fm => {
- const isJavaProject = fm.all().some(file => file.endsWith('.java'))
- const isKotlinProject = fm.all().some(file => file.endsWith('.kt'))
- const isJvmProject = isJavaProject || isKotlinProject
+ const allFiles = fm.all()
+ const isJavaProject = allFiles.some(file => file.endsWith('.java'))
+ const isKotlinProject = allFiles.some(file => file.endsWith('.kt'))
+ const isScalaProject = allFiles.some(file => file.endsWith('.scala'))
+
+ const isJvmProject = isJavaProject || isKotlinProject || isScalaProject
 const hasJarFiles = getProjectJars(fm).length > 0
 const exists = await exec.exists('findsecbugs')
 
diff --git a/lib/modules/java-owasp/__tests__/owasp-unit.js b/lib/modules/java-owasp/__tests__/owasp-unit.js
index ed01626d..0d12eb40 100644
--- a/lib/modules/java-owasp/__tests__/owasp-unit.js
+++ b/lib/modules/java-owasp/__tests__/owasp-unit.js
@@ -38,6 +38,11 @@ describe('Java OWASP Dependency Checker Module', () => {
 expect(await handles(fm)).to.be.true
 })
 
+ it('should handle scala sbt projects', async () => {
+ const fm = new FileManager({ target: path.join(__dirname, './sample/scala-sbt') })
+ expect(await handles(fm)).to.be.true
+ })
+
 it('should not run on missing executable', async () => {
 exec.exists.resolves(false)
 const fm = new FileManager({ target: path.join(__dirname, './sample/java-gradle') })
diff --git a/lib/modules/java-owasp/__tests__/sample/scala-sbt/build.sbt b/lib/modules/java-owasp/__tests__/sample/scala-sbt/build.sbt
new file mode 100644
index 00000000..e69de29b
diff --git a/lib/modules/java-owasp/__tests__/sample/scala-sbt/src/main/scala/Main.scala b/lib/modules/java-owasp/__tests__/sample/scala-sbt/src/main/scala/Main.scala
new file mode 100644
index 00000000..e69de29b
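Review bot: The `description` context line in this hunk still reads 'Finds common security issues in Java code with findsecbugs' while `handles` now returns true for Kotlin and Scala trees too, and the same mismatch is in the java-owasp/index.js hunk, whose description still names gradle/maven only. For the OWASP module this is a coverage-reporting concern rather than cosmetics: the commit message itself says dependency-check cannot see dependencies inside sbt-assembly uber jars, so a Scala project that ships only such a jar will be reported as scanned with no findings. I would record that next to `isScalaProject` in java-owasp/index.js, `// NOTE: dependency-check inspects sbt-native-packager zips but not sbt-assembly uber jars; Scala results may be incomplete`, and update the description, e.g. `description: 'Scans JVM (Java/Kotlin/Scala) projects for dependencies with known vulnerabilities with the OWASP dependency checker'`. As a point of style, the three parallel `.some` scans in both hunks could be one pass over an extension list, `const isJvmProject = allFiles.some(file => ['.java', '.kt', '.scala'].some(ext => file.endsWith(ext)))`. The body of `handles` (its `return`) continues outside the hunk in both files.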
diff --git a/lib/modules/java-owasp/__tests__/sample/scala-sbt/target/scala-2.13/app.jar b/lib/modules/java-owasp/__tests__/sample/scala-sbt/target/scala-2.13/app.jar
new file mode 100644
index 00000000..e69de29b
diff --git a/lib/modules/java-owasp/index.js b/lib/modules/java-owasp/index.js
index b8393152..b580ea31 100644
--- a/lib/modules/java-owasp/index.js
+++ b/lib/modules/java-owasp/index.js
@@ -13,9 +13,12 @@ module.exports = {
 description: 'Scans Java projects for gradle/maven dependencies with known vulnerabilities with the OWASP dependency checker',
 enabled: true,
 handles: async fm => {
- const isJavaProject = fm.all().some(file => file.endsWith('.java'))
- const isKotlinProject = fm.all().some(file => file.endsWith('.kt'))
- const isJvmProject = isJavaProject || isKotlinProject
+ const allFiles = fm.all()
+ const isJavaProject = allFiles.some(file => file.endsWith('.java'))
+ const isKotlinProject = allFiles.some(file => file.endsWith('.kt'))
+ const isScalaProject = allFiles.some(file => file.endsWith('.scala'))
+
+ const isJvmProject = isJavaProject || isKotlinProject || isScalaProject
 const hasJarFiles = getProjectJars(fm).length > 0
 const hasCommand = await exec.exists('dependency-check')