Home Best Practices Enhanced security for C++, Java, and Scala with Clang-Tidy and SpotBugs

Enhanced security for C++, Java, and Scala with Clang-Tidy and SpotBugs

Author

Date

Category

As part of our effort to continue expanding our language support, we are excited to announce the support of two new tools for all Codacy users: Clang-Tidy and SpotBugs.

Clang-Tidy

Clang-Tidy is a tool for C and C++. Its purpose is to diagnose typical programming errors, like style violations, interface misuse, or bugs that can be deduced via static code analysis. It checks for more than 300 common bug patterns including critical security and performance flaws.

You can get started by following our Clang-Tidy guide.

SpotBugs

SpotBugs (the successor of FindBugs) is a program which uses static code analysis to look for bugs in Java and Scala code. It checks for more than 400 bug patterns. We’ve also bundled Find Security Bugs: a SpotBugs plugin for security audits of Scala web applications. The issues reported cover the OWASP Top 10 and CWE standards.


Example of Potential Scala Slick Injection: WASC-19; CAPEC-66; CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’); OWASP: Top 10 2013-A1-Injection.

Last week we announced SpotBugs support to Codacy Self-hosted, which now is also available for all users. So if you use Java or Scala, you can already add the new security checks by following our SpotBugs guide.

What’s next?

Today, we are also announcing our plan to support even more tools – your tools.

We’re developing a new system called Client-side Tools that will let you standardize your code quality by reporting issues from your own linting tools and checkers to Codacy.

The Client-side Tools will allow running any tool either locally or as part of your CI pipeline and then integrate the results into your Codacy workflow. This way, Codacy will present the results coming from your tools alongside all the other code quality information in the dashboards. 

The Client-side Tools will not only support private tools but also other use cases that you might be encountering in your current Codacy usage:

  • Whether you are running a different version of a tool or plugin from the currently built-in tools on Codacy;
  • You are running a tool with a private plugin; 
  • Running a tool with custom rules; 
  • Running a tool with advanced inspection capabilities that must have access to the compilation result.

Starting today, Self-hosted, Cloud and Open-source users will have access to Clang-Tidy and SpotBugs, which are the first version of Client-side Tools. We’ll continue to work on opening the system so that we can support more tools in the future.

Let us know what you think, we look forward to listening to your thoughts.

If you use GitHub, Bitbucket, or GitLab, you can get started with Codacy in just a few seconds.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.

Recent posts

Pair programming at Codacy and why we do it

Pair programming, also known as pairing or “dynamic duo” model is not a new concept, and it was pioneered by C/C++ guru...

Enhanced security for C++, Java, and Scala with Clang-Tidy and SpotBugs

As part of our effort to continue expanding our language support, we are excited to announce the support of two new tools...

Improve the efficiency of your remote engineering team

COVID-19 hit the ground running and the world felt the impact. Although tech companies seemed to be ahead of the curve by...

Further Enterprise security analysis for Scala

We’re excited to announce the latest addition to our suite of security analysis: Spotbugs. SpotBugs is a program which...

Free Codacy Pro account to fight COVID-19

Our hearts go out to everyone who has been directly or indirectly impacted by the global coronavirus (COVID-19) pandemic. We are committed...