scanner-cli
Scala Support
As a Scala user, I want linting and dependencies checked by Hawkeye so that I can include it in my for that toolchain.
Description
There is an sbt plugin for the OWASP dependency checker that would cover scanning Scala projects for outdated and vulnerable dependencies.
Acceptance Criteria
- sbt projects are covered by the dependency check.
- scalastyle for linting Scala projects.
- find-sec-bugs for sbt to discover security issues.
Unresolved Questions
- [ ] How well do findbugs and findsecbugs play with sbt?
- [ ] Is there a better FLOSS SAST tool than findbugs?
About:
> find-sec-bugs for sbt to discover security issues
It seems like the find-sec-bugs cli tool analyses the `.class` binaries from the jar itself, so it should be fully compatible with a jar built by sbt. I've tried to run the cli with a jar built by sbt and it seems like it worked fine. So just enhancing the filtering criteria in the `handles` function of the `java-find-secbugs` module should do the trick. I'm opening a PR enhancing that soon.
Now, regarding the owasp dependency check cli tool, it seems like it won't be so easy to make that work. The way I've built sbt projects in the past was using the assembly plugin. This plugin doesn't ship versioning information inside the jar like gradle. Gradle (and I think maven too) puts pom.xml files inside the `META-INF` directory of the jar file. These files are then used by dependency-check to find out which library versions are being used, which makes it easy to run dependency-check with the compiled jar. None of that would be possible with a jar compiled by sbt with the assembly plugin.
Do you think that integrating a scalastyle tool is really needed? To me it looks a little bit out of scope for the project, as it's not related to infosec (the same way there is no JS or Java linter in the scanner at the moment).