Further Enterprise security analysis for Scala


We’re excited to announce the latest addition to our suite of security analysis tools: SpotBugs.

SpotBugs is a static analysis tool that looks for bugs in Java code. It works on compiled JVM bytecode rather than on source, which is what lets it analyse Scala classes as well, and it checks for more than 400 bug patterns. SpotBugs is the successor of FindBugs, an open-source static code analyzer.

SpotBugs picks up where FindBugs left off and is maintained with the backing of the FindBugs community.

We’ve also bundled Find Security Bugs, a SpotBugs plugin for security audits of JVM web applications, including those written in Scala. The issues it reports are mapped to the OWASP Top 10 and to CWE identifiers.

It includes security patterns such as Potential Path Traversal, Potential Command Injection, Potential SQL Injection, Potential XSS and others.

Example: Potential Scala Slick Injection (WASC-19; CAPEC-66; CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’); OWASP Top 10 2013-A1 Injection).

Building a query by splicing user input into the SQL text, instead of passing it as a bound variable of a prepared statement, leaves you open to SQL injection.
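As an added example (not code from this post or from the play-spotbugs-test repository), here is the Slick pattern this rule targets next to the fixed form. It assumes Slick 3.x with the H2 profile and the H2 JDBC driver on the classpath; the users table and the attacker-controlled value are constructed for the example.

```scala
// Added example, not from the post or the play-spotbugs-test repository.
// Assumes Slick 3.x with the H2 profile and the H2 JDBC driver on the classpath
// (e.g. "com.typesafe.slick" %% "slick" and "com.h2database" % "h2" in build.sbt).
import scala.concurrent.Await
import scala.concurrent.duration._
import scala.concurrent.ExecutionContext.Implicits.global
import slick.jdbc.H2Profile.api._

object SlickInjectionDemo extends App {
  // In-memory H2 database, constructed for this example only.
  val db = Database.forURL("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1", driver = "org.h2.Driver")

  // Attacker-controlled value, e.g. a query-string parameter from a Play request.
  // The quote closes the string literal; the OR makes the WHERE clause true for every row.
  val userInput = "' OR '1'='1"

  // VULNERABLE: in Slick's sql interpolator, #$ splices the string into the SQL
  // text verbatim, so the statement sent to H2 becomes
  //   SELECT id, name FROM users WHERE name = '' OR '1'='1'
  // This is the shape Find Security Bugs reports as a Potential Scala Slick Injection.
  def findByNameUnsafe(name: String): DBIO[Vector[(Int, String)]] =
    sql"SELECT id, name FROM users WHERE name = '#$name'".as[(Int, String)]

  // SAFE: $ turns the value into a JDBC bind parameter ("... WHERE name = ?"),
  // so the database receives the quote characters as data, never as SQL.
  def findByNameSafe(name: String): DBIO[Vector[(Int, String)]] =
    sql"SELECT id, name FROM users WHERE name = $name".as[(Int, String)]

  // Constructed schema and rows for the demonstration.
  val setup = DBIO.seq(
    sqlu"CREATE TABLE users(id INT PRIMARY KEY, name VARCHAR(64))",
    sqlu"INSERT INTO users VALUES (1, 'alice'), (2, 'bob')"
  )

  val program = for {
    _      <- setup
    unsafe <- findByNameUnsafe(userInput) // the injected OR matches every row in the table
    safe   <- findByNameSafe(userInput)   // matches only a user literally named "' OR '1'='1"
  } yield (unsafe, safe)

  try {
    val (unsafe, safe) = Await.result(db.run(program), 10.seconds)
    println(s"rows returned with literal splice:  ${unsafe.size}")
    println(s"rows returned with bind parameter:  ${safe.size}")
  } finally db.close()
}
```

Because SpotBugs and Find Security Bugs inspect compiled classes, the project has to be built (the `sbt compile` step below) before the analysis can see the string concatenation that feeds the query builder; the `$` form compiles down to a parameter binding, which is why it is not reported.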

Try it out for yourself:

  1. git clone https://github.com/qamine-test/play-spotbugs-test.git
  2. sbt compile
  3. codacy-analysis-cli analyse --tool spotbugs --directory `pwd` --allow-network

We’re making these new patterns available to self-hosted users in the next update for Apex, PHP, C/C++, Shell script, Dockerfile, Visual Basic, Elixir, PowerShell, TSQL and Groovy, in addition to the existing C#, Java, JavaScript, Python and Ruby support. You can get started by following our guide to running SpotBugs.

If you haven’t tried Codacy yet, contact us to install Codacy on-premise.
