Home Best Practices Enhanced security for C++, Java, and Scala with Clang-Tidy and SpotBugs

Enhanced security for C++, Java, and Scala with Clang-Tidy and SpotBugs

Author

Date

Category

As part of our effort to continue expanding our language support, we are excited to announce the support of two new tools for all Codacy users: Clang-Tidy and SpotBugs.

Clang-Tidy

Clang-Tidy is a tool for C and C++. Its purpose is to diagnose typical programming errors, like style violations, interface misuse, or bugs that can be deduced via static code analysis. It checks for more than 300 common bug patterns including critical security and performance flaws.

You can get started by following our Clang-Tidy guide.

SpotBugs

SpotBugs (the successor of FindBugs) is a program which uses static code analysis to look for bugs in Java and Scala code. It checks for more than 400 bug patterns. We’ve also bundled Find Security Bugs: a SpotBugs plugin for security audits of Scala web applications. The issues reported cover the OWASP Top 10 and CWE standards.


Example of Potential Scala Slick Injection: WASC-19; CAPEC-66; CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’); OWASP: Top 10 2013-A1-Injection.

Last week we announced SpotBugs support to Codacy Self-hosted, which now is also available for all users. So if you use Java or Scala, you can already add the new security checks by following our SpotBugs guide.

What’s next?

Today, we are also announcing our plan to support even more tools – your tools.

We’re developing a new system called Client-side Tools that will let you standardize your code quality by reporting issues from your own linting tools and checkers to Codacy.

The Client-side Tools will allow running any tool either locally or as part of your CI pipeline and then integrate the results into your Codacy workflow. This way, Codacy will present the results coming from your tools alongside all the other code quality information in the dashboards. 

The Client-side Tools will not only support private tools but also other use cases that you might be encountering in your current Codacy usage:

  • Whether you are running a different version of a tool or plugin from the currently built-in tools on Codacy;
  • You are running a tool with a private plugin; 
  • Running a tool with custom rules; 
  • Running a tool with advanced inspection capabilities that must have access to the compilation result.

Starting today, Self-hosted, Cloud and Open-source users will have access to Clang-Tidy and SpotBugs, which are the first version of Client-side Tools. We’ll continue to work on opening the system so that we can support more tools in the future.

Let us know what you think, we look forward to listening to your thoughts.

If you use GitHub, Bitbucket, or GitLab, you can get started with Codacy in just a few seconds.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.

Recent posts

Static Code Analysis: client-side tools integration with Codacy

Testing and analyzing your code is one of the most important parts of your software development process. With Codacy, you can...

Open salary calculator: our commitment to transparency and fairness

Here at Codacy, we are committed to being a fully transparent company. So back in 2019, we launched our open salary...

How Vevo uses Codacy to replace legacy systems while guaranteeing code coverage

As the tech world keeps evolving, having legacy systems is a certainty, especially for organizations that have been around for decades....

December Product Update 🚀

Hi there 👋, With 2021 in the rearview mirror, we can now focus on making 2022 an incredible...

How Loft uses Pulse to measure Engineering health

Customer story about how Loft uses Pulse to measure Engineering health. Estimated reading time: 5 minutes. About Loft