This repository has been archived by the owner on Jun 9, 2022. It is now read-only.

Scala Support #75

Open
felixhammerl opened this issue Sep 28, 2018 · 2 comments
Labels
enhancement Feature requests. help wanted The maintainers would appreciate help from the community in resolving these issues.

Comments

@felixhammerl
Collaborator

As a Scala user
I want linting and dependencies checked by Hawkeye
So that I can include it in my for that toolchain.

Description

There is an sbt plugin for the OWASP deps checker that would cover scanning Scala projects for outdated and vulnerable dependencies.

Acceptance Criteria

  • sbt projects are covered by the dependency check.
  • scalastyle for linting scala projects
  • find-sec-bugs for sbt to discover security issues

Unresolved Questions

  • How well do findbugs and findsecbugs play with sbt?
  • Is there a better FLOSS SAST tool than findbugs?
@felixhammerl felixhammerl added enhancement Feature requests. help wanted The maintainers would appreciate help from the community in resolving these issues. labels Oct 19, 2018
@csokol

csokol commented Jul 2, 2019

About:

  • find-sec-bugs for sbt to discover security issues

It seems like find-sec-bugs cli tool analyses the .class binaries from the jar itself, so it should be fully compatible with a jar built by sbt. I've tried to run the cli with a jar built by sbt and it seems like it worked fine. So just enhancing the filtering criteria in the handles function of the java-find-secbugs module should do the trick. I'm opening a PR enhancing that soon.

Now, regarding owasp dependency check cli tool, it seems like it won't be so easy to make that work. The way I've built sbt projects in the past was using assembly plugin. This plugin doesn't ship versioning information inside the jar like gradle. Gradle (and I think maven too) puts pom.xml files inside the META-INF directory of the jar file. These files are then used by dependency-check to find out which library versions are being used which makes it easy to run dependency-check with the compiled jar. None of that would be possible with a jar compiled by sbt with the assembly plugin.
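The metadata gap described above can be checked directly. The following is an added example (not part of Hawkeye or the commenter's PR) that builds two constructed jars in memory, one laid out like a Maven/Gradle build with META-INF/maven/.../pom.properties per bundled library and one like an sbt-assembly uber jar containing only .class files, and reports which Maven coordinates a scanner relying on that metadata could recover; the group, artifact and version strings are constructed placeholders.

```python
import io
import zipfile
from typing import List, Tuple


def build_sample_jar(with_pom_metadata: bool) -> bytes:
    """Constructed sample jar: class files plus, optionally, the
    pom.properties entry that Maven/Gradle builds embed for each dependency."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # Placeholder class files; 0xCAFEBABE is the JVM class-file magic.
        jar.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/example/lib/Util.class", b"\xca\xfe\xba\xbe")
        if with_pom_metadata:
            jar.writestr(
                "META-INF/maven/org.example/example-lib/pom.properties",
                "version=1.2.3\ngroupId=org.example\nartifactId=example-lib\n",
            )
    return buf.getvalue()


def maven_coordinates(jar_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every pom.properties in the jar.

    An uber jar that merges only .class files carries none of these entries,
    so a scanner that depends on them sees no library versions at all.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/")
                    and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                found.append((props["groupId"], props["artifactId"], props["version"]))
    return found


if __name__ == "__main__":
    print("maven-style jar:", maven_coordinates(build_sample_jar(True)))
    print("uber jar:       ", maven_coordinates(build_sample_jar(False)))
```

To inspect a real artifact, pass the bytes of the jar on disk to maven_coordinates; an empty result on an sbt-assembly build shows why dependency-check has nothing to match against the NVD.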

csokol pushed a commit to csokol/scanner-cli that referenced this issue Jul 3, 2019
Since find-sec-bugs actually supports scala jars, all that had to be done
was enhancing the filter in the existing findsecbugs module.

Partially addresses hawkeyesec#75.
csokol pushed a commit to csokol/scanner-cli that referenced this issue Jul 4, 2019
Since find-sec-bugs actually supports scala jars, all that had to be done
was enhancing the filter in the existing findsecbugs module.

OWASP's dependency-check case is a bit different, it is able to scan zip
files built by [sbt native packager](https://www.scala-sbt.org/sbt-native-packager/)
but it can't find dependencies shipped in uber jars built with
[sbt-assembly](https://github.com/sbt/sbt-assembly). A demo showing how
to use it is available at https://github.com/csokol/scala-hawkeyesec-scanner-demo

Partially addresses hawkeyesec#75.
felixhammerl pushed a commit that referenced this issue Jul 4, 2019
Since find-sec-bugs actually supports scala jars, all that had to be done
was enhancing the filter in the existing findsecbugs module.

OWASP's dependency-check case is a bit different, it is able to scan zip
files built by [sbt native packager](https://www.scala-sbt.org/sbt-native-packager/)
but it can't find dependencies shipped in uber jars built with
[sbt-assembly](https://github.com/sbt/sbt-assembly). A demo showing how
to use it is available at https://github.com/csokol/scala-hawkeyesec-scanner-demo

Partially addresses #75.
@csokol

csokol commented Jul 9, 2019

Do you think that integrating a scalastyle tool is really needed? To me it looks a little bit out of scope of the project as it's not related to infosec (the same way there is no js or java linter at the scanner at the moment).
