Question:
Can I use Fortify to scan Scala code or the generated Java (jar) files? I know that I can do the jar option technically, but are there any known challenges with respect to the generated Java code?
Answer 1:
Fortify SCA now officially supports Scala (since December 2017).
Adding this support was a collaborative project between Lightbend and Micro Focus.
I did most of the engineering work on the Lightbend side, writing a compiler plugin that translates Scala code to an intermediate form that Fortify understands. Micro Focus added Scala-specific security rules and made any necessary adjustments to the Fortify back end. (They also made sure that existing Java rules also worked for equivalent Scala code, when appropriate.)
See:
- https://www.lightbend.com/blog/developing-secure-scala-applications-with-fortify-for-scala (45 minute webinar)
- http://lightbend.com/fortify (form to ask Lightbend sales for more info)
- https://developer.lightbend.com/docs/fortify/current/ (technical documentation)
Note that Fortify SCA is commercial software and so is the new Scala plugin. To use them, you must
- have a Fortify SCA license (or use Fortify on Demand)
- also be a Lightbend subscriber
Answer 2:
I saw a response from James Roper (Play) to this question. https://groups.google.com/forum/#!topic/play-framework/MtatDozyDjg
Basically he says that any issues that could be found by a static code analysis tool are a mistake in an API and should be fixed. Java cannot do this because of backwards compatibility.
Answer 3:
I have tested Scala code using Fortify SCA engine 3.8 and 4.21. Fortify found no issues. If I recall correctly, I saw a lot of warnings during the translation stage, so I assume that Fortify does not have a native parser for Scala code.