Enhanced security for C++, Java, and Scala with Clang-Tidy and SpotBugs

In this article:
Subscribe to our blog:

As part of our effort to continue expanding our language support, we are excited to announce the support of two new tools for all Codacy users: Clang-Tidy and SpotBugs.

Clang-Tidy

Clang-Tidy is a tool for C and C++. Its purpose is to diagnose typical programming errors, like style violations, interface misuse, or bugs that can be deduced via static code analysis. It checks for more than 300 common bug patterns including critical security and performance flaws.

You can get started by following our Clang-Tidy guide.

SpotBugs

SpotBugs (the successor of FindBugs) is a program which uses static code analysis to look for bugs in Java and Scala code. It checks for more than 400 bug patterns. We’ve also bundled Find Security Bugs: a SpotBugs plugin for security audits of Scala web applications. The issues reported cover the OWASP Top 10 and CWE standards.


Example of Potential Scala Slick Injection: WASC-19; CAPEC-66; CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’); OWASP: Top 10 2013-A1-Injection.

Last week we announced SpotBugs support to Codacy Self-hosted, which now is also available for all users. So if you use Java or Scala, you can already add the new security checks by following our SpotBugs guide.

What’s next?

Today, we are also announcing our plan to support even more tools – your tools.

We’re developing a new system called Client-side Tools that will let you standardize your code quality by reporting issues from your own linting tools and checkers to Codacy.

The Client-side Tools will allow running any tool either locally or as part of your CI pipeline and then integrate the results into your Codacy workflow. This way, Codacy will present the results coming from your tools alongside all the other code quality information in the dashboards. 

The Client-side Tools will not only support private tools but also other use cases that you might be encountering in your current Codacy usage:

  • Whether you are running a different version of a tool or plugin from the currently built-in tools on Codacy;
  • You are running a tool with a private plugin; 
  • Running a tool with custom rules; 
  • Running a tool with advanced inspection capabilities that must have access to the compilation result.

Starting today, Self-hosted, Cloud and Open-source users will have access to Clang-Tidy and SpotBugs, which are the first version of Client-side Tools. We’ll continue to work on opening the system so that we can support more tools in the future.

Let us know what you think, we look forward to listening to your thoughts.

If you use GitHub, Bitbucket, or GitLab, you can get started with Codacy in just a few seconds.

RELATED
BLOG POSTS

Further Enterprise security analysis for Scala
We’re excited to announce the latest addition to our suite of security analysis: Spotbugs.
Lazy loading tips & tricks
Lazy loading is a website optimization technique that reduces bandwidth and improves user experience. Also referred to as on-demand loading, the...
Static Code Analysis: client-side tools integration with Codacy
Testing and analyzing your code is one of the most important parts of your software development process. With Codacy, you can automate code reviews,...

Automate code
reviews on your commits and pull request

Group 13