
Is Fortify-code scan possible with Scala

Posted 2019-05-27 04:13

Question:

Can I use Fortify to scan Scala code or the generated Java (jar) files? I know that I can do the jar option technically, but are there any known challenges with respect to the generated Java code?

Answer 1:

Fortify SCA now officially supports Scala (since December 2017).

Adding this support was a collaborative project between Lightbend and Micro Focus.

I did most of the engineering work on the Lightbend side, writing a compiler plugin that translates Scala code to an intermediate form that Fortify understands. Micro Focus added Scala-specific security rules and made any necessary adjustments to the Fortify back end. (They also made sure that existing Java rules worked for equivalent Scala code, when appropriate.)

See:

  • https://www.lightbend.com/blog/developing-secure-scala-applications-with-fortify-for-scala (45 minute webinar)
  • http://lightbend.com/fortify (form to ask Lightbend sales for more info)
  • https://developer.lightbend.com/docs/fortify/current/ (technical documentation)

Note that Fortify SCA is commercial software and so is the new Scala plugin. To use them, you must

  • have a Fortify SCA license (or use Fortify on Demand)
  • also be a Lightbend subscriber


Answer 2:

I saw a response from James Roper (Play) to this question: https://groups.google.com/forum/#!topic/play-framework/MtatDozyDjg

Basically he says that any issues that could be found by a static code analysis tool are a mistake in an API and should be fixed. Java cannot do this because of backwards compatibility.



Answer 3:

I have tested Scala code using Fortify SCA engine 3.8 and 4.21. Fortify found no issues. If I recall correctly, I saw a lot of warnings during the translation stage, so I assume that Fortify does not have a native parser for Scala code.



Tags: scala fortify