1

Codacy Product Showcase: April 2024

Group 370
2

Codacy Security Adds Thousands of New SAST Rules With Semgrep Integration

Group 370
3
In this article:
Subscribe to our blog:

Read about 3 new Scala code patterns we just added to our platform in our mission Codacy to support multiple coding languages effectively.

1. Avoid using DateTime.now without a timezone (Error Prone)

Using DateTime.now without specifying a timezone can lead to error prone code with regard to dealing with other timezones than those initially considered, as well as with daylight saving time.

For instance, the following example:

val now = DateTime.now

could easily be written as:

val now = DateTime.now(DateTimeZone.UTC)

2. Prefer using .nonEmpty (Code Style)

The collections libraries usually provide a method for determining if the iterable has, at least, one element, with:

val hasElements = SomeSequence.nonEmpty

This is a bit cleaner than verifying explicitly the length or the size:

val hasElements = SomeSequence.length > 0
 val hasElementsUsingSize = SomeSequence.size > 0

3. Prevent XML parsing attacks (Security)

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source.

Vulnerable Code:

SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
 parser.parse(inputStream, customHandler);

Solution using “Secure processing” mode:

SAXParserFactory spf = SAXParserFactory.newInstance();
 spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 SAXParser parser = spf.newSAXParser();
 parser.parse(inputStream, customHandler);

Solution disabling DTD:

SAXParserFactory spf = SAXParserFactory.newInstance();
 spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 SAXParser parser = spf.newSAXParser();
 parser.parse(inputStream, customHandler);

Enabling patterns with Codacy

When new patterns are added, they’re disabled for already existing projects.

To enable them for a project first head to the project and hit “Code Patterns” on the top right corner. You’ll be able to filter the patterns by language or category:

selecting language for patterns

To enable the new patterns simply look for the “New” tag on them and hit their respective checkbox:

enabling patterns

If you’re interested, there’s also a “Fork pattern” button on the bottom right corner of the details of every Scala pattern.

fork pattern

Hitting this button will take you to our Beta Pattern Creator with the current pattern loaded; you can then edit it to create your own:

pattern creator - beta

Have fun, code well!


Edit: We just published an ebook: “The Ultimate Guide to Code Review” based on a survey of 680+ developers. Enjoy!


About Codacy

Codacy is used by thousands of developers to analyze billions of lines of code every day!

Getting started is easy – and free! Just use your  GitHub, Bitbucket or Google account to sign up.

GET STARTED

RELATED
BLOG POSTS

8 more Scala security issues you should know about
We recently published a list of 9 Scala security issues every Scala developer should be aware of. Here’s a list of 8 more:
Codacy Architecture: Strongly Typed Actors
We glimpse at Codacy architecture structure in this blog from Code Reading Wednesdays at Codacy (http://www.codacy.com). The event helps code reviews...
Secure Code Review Using Codacy
When you first sign up for Codacy we ask for numerous permissions, yet, want to ensure the most secure code review process. Depending on your ...

Automate code
reviews on your commits and pull request

Group 13