Path traversal vulnerabilities not found in Scala code - scala

I have been trying to scan my code using SonarQube + FindBugs + FindSecBugs plugins.
The idea is to detect vulnerabilities in the code, and as the GitHub project description says, it works with Scala: https://github.com/find-sec-bugs/find-sec-bugs
I have installed the plugin as the documentation says and tried a few scans, but nothing related to vulnerabilities in Scala is coming up.
So, in order to figure out whether the code was really good or there was a misconfiguration in my SonarQube settings, I went to http://find-sec-bugs.github.io/bugs.htm, took one of the examples (Potential Path Traversal), inserted the example code and ran the scanner again. It was not found.
The rule (Security - Potential Path Traversal (file read)) is activated in the Quality Profile, and although it is a Java profile, it is assigned to the project, since the code in the mentioned example is Scala.
I noticed that all the rules coming from find-sec-bugs are Java ones, so I'm wondering whether they don't work on Scala or there is something else I can do to make it work.
Thanks in advance, and let me know if you need any extra information; I'd be glad to provide it.

Looks like the main reason for that to happen is that Scala bug patterns are explicitly excluded, for the following reasons:
There are plenty of limitations with the SonarQube architecture regarding multi-language support.
It is closely tied to the sonar-source plugin design.
Languages can't have the same extension (https://jira.sonarsource.com/browse/MMF-672).
A repository can't contain rules that apply to multiple languages. (If you had Scala-only code, the Java core rules would not be enabled unless you have one Java file present.)
Sensors are coupled to the language definition (depends on the most popular plugin that declares it).
etc., etc.
Source: https://github.com/spotbugs/sonar-findbugs/issues/108#issuecomment-305909652
All the exclusions can be seen here: https://github.com/spotbugs/sonar-findbugs/commit/526ca6b29fae2684f86b1deba074a4be8a05b67e
Particularly, for Scala:
static exclusions = ['CUSTOM_INJECTION',
                     'SCALA_SENSITIVE_DATA_EXPOSURE',
                     'SCALA_PLAY_SSRF',
                     'SCALA_XSS_TWIRL',
                     'SCALA_XSS_MVC_API',
                     'SCALA_PATH_TRAVERSAL_IN',
                     'SCALA_COMMAND_INJECTION',
                     "SCALA_SQL_INJECTION_SLICK",
                     "SCALA_SQL_INJECTION_ANORM",
                     "PREDICTABLE_RANDOM_SCALA"]
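As an added illustration of what the excluded SCALA_PATH_TRAVERSAL_IN pattern is meant to catch, and of the check that removes the finding, here is a small Scala program. It is not code from the question, from find-sec-bugs or from sonar-findbugs; the object and method names and the temporary "reports" directory used as a fixture are my own assumptions. The first method passes a caller-controlled file name straight to the filesystem; the second resolves it against a fixed base directory, normalizes it, and rejects anything that ends up outside that directory.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.nio.file.{Files, Path, Paths}

// Added example, not code from the page or from find-sec-bugs.
// Object and method names and the fixture directory are assumptions.
object PathTraversalDemo {

  // Vulnerable shape: the caller-supplied name reaches the filesystem
  // unchanged, so a name containing "../" segments reads outside baseDir.
  // This is the code pattern the SCALA_PATH_TRAVERSAL_IN rule targets.
  def readReportUnsafe(baseDir: String, name: String): String =
    new String(Files.readAllBytes(Paths.get(baseDir, name)), UTF_8)

  // Hardened: resolve against the base, normalize away "." and "..", and
  // require that the result is still inside the base directory. An absolute
  // name resolves to itself and therefore also fails the startsWith check.
  def resolveUnderBase(baseDir: Path, name: String): Either[String, Path] = {
    val base = baseDir.toAbsolutePath.normalize
    val candidate = base.resolve(name).normalize
    if (candidate.startsWith(base) && candidate != base) Right(candidate)
    else Left(s"rejected '$name': resolves outside $base")
  }

  def readReportSafe(baseDir: String, name: String): Either[String, String] =
    resolveUnderBase(Paths.get(baseDir), name).flatMap { p =>
      if (Files.isRegularFile(p)) Right(new String(Files.readAllBytes(p), UTF_8))
      else Left(s"not a regular file: $p")
    }

  def main(args: Array[String]): Unit = {
    // Constructed fixture: a temporary base directory holding one report,
    // plus a sibling file outside it that a traversal would reach.
    val base = Files.createTempDirectory("reports")
    val outside = Files.createTempFile("outside", ".txt")
    Files.write(base.resolve("q1.txt"), "quarterly figures".getBytes(UTF_8))
    Files.write(outside, "should stay private".getBytes(UTF_8))
    val traversal = "../" + outside.getFileName

    println(readReportSafe(base.toString, "q1.txt"))    // inside base: accepted
    println(readReportSafe(base.toString, traversal))   // rejected by the check
    println(readReportUnsafe(base.toString, traversal)) // no check: reads the sibling file
  }
}
```

The check is purely lexical: `normalize` removes `..` segments but does not follow symbolic links, so if the base directory can contain links pointing elsewhere, compare `toRealPath()` results instead. Whether a static rule stops reporting after such a check depends on the analyzer recognizing it as a sanitizer, which is separate from the exclusion list discussed above.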

Related

Sonar - Ignore Lombok code via custom annotation

I'm trying to ignore Lombok code (generated code) from Sonar analysis based on files which have a custom annotation, @ExcludeLombok.
I've tried this guide, which did not work.
In fact, I've even tried excluding an entire directory from analysis and it still wouldn't work.
I've also tirelessly searched through StackOverflow looking for a solution, and I've seen this has been discussed a good bit on here, but people have been suggesting to write a single test to get the coverage up, which is pointless since we should not test auto-generated code.
The solution I'm looking for is to exclude files based on a custom annotation.
But so far, anything I attempt to exclude does not get excluded.
Any help would be greatly appreciated.
There is currently no easy way to exclude issues raised by the SonarQube rules from the SonarQube Java Analyzer, except by using the approaches described in the "Narrowing the focus" documentation you quote.
We recently introduced the concept of issue filters in the SonarQube Java Analyzer. This mechanism is at the moment only used internally to exclude issues raised by rules at analysis time, based on specific criteria.
We plan to extend this mechanism in order to allow users to implement their own custom issue filters, the same way custom rules can be implemented. This approach would cover your case and allow you to filter any rules on code annotated with your custom annotation. This new feature will be handled in the following JIRA ticket: SONARJAVA-1761
Another option you have is to run Sonar over delomboked source. There are various ways to delombok depending on your build system; see:
Delombok Overview.
For Maven there's an example of running analysis on delomboked code: Delombok test pom
In each case you would make sure you ran the checks over the generated source.

OpenJDK and com.sun.net

I am looking at using HttpsConfigurator, HttpsServer, and HttpContext in the com.sun.net package. Additionally, part of my project requirement is to use OpenJDK.
I am coding in Eclipse, which will not auto import anything from the com.sun.net package, because it is considered 'forbidden'. After enabling forbidden packages, I can get everything working, building and running. My question, what is considered safe to use in OpenJDK? I am under the impression that it is just the java.* and javax.* packages.
I downloaded the OpenJDK 7 source, and I see that com.sun.net is part of the source, which implies that my assumption might be incorrect. I haven't had any luck googling yet, and I was hoping one of the experts here can fill in the missing pieces.
To recap, what is considered safe to use in OpenJDK? Why would Eclipse label com.sun.net as 'forbidden'?
Thanks!
Countless documents -- books, articles, tutorials, official JDK documentation -- have explained that the com.sun.* packages are implementation details, subject to change or removal at any time; they are not intended for user programs. They are not portable, not reliably present, and possibly not as robust as actual API classes. In general, if the JDK documentation bundle contains Javadoc for it, it's intended for your use; otherwise not.

Effective comment annotation in Scala Eclipse Plugin?

I was wondering if anyone can explain where and how comment documentation in Scala is applicable - in particular, the Eclipse plugin. For example, is there a way to comment a procedure, that might later show as a help-hint while using Eclipse? I'm not entirely sure how to get these Javadoc like effects when using Scala Eclipse. I've checked the various FAQs for the plugin, it's possibly not supported but I can't find an explanation either way.
You need to use Scaladoc, but it isn't supported completely yet.
ScalaDoc on hover/completion is not yet integrated in the Scala IDE.
The good news is that this feature is currently under development and we plan to have initial support for it in the coming months. A Pull Request adding ScalaDoc support in the Scala Presentation Compiler has recently been merged.
A Pull Request on the Scala IDE project will follow. You can track progress on this feature here
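For a reader who has not written Scaladoc before, here is an added example of the markup the answer refers to; it is not code from the question or from the Scala IDE project, and the object and the masking function are my own assumptions. The comment block uses the `/** ... */` form with the common `@param`, `@return`, `@throws`, `@example` and `@note` tags, which is what hover and completion support displays once the IDE integrates it.

```scala
// Added example of Scaladoc markup, not code from the question or from the
// Scala IDE project. The object and the masking function are assumptions.
object Redaction {

  /** Masks a secret so that it can be written to a log without exposing it.
    *
    * Only the last `keep` characters are kept in clear; everything before
    * them is replaced by `*`, so the output length matches the input length.
    *
    * @param secret the value to mask, for example an API token
    * @param keep   how many trailing characters to leave readable
    * @return the masked string
    * @throws IllegalArgumentException if `keep` is negative
    * @example {{{
    * maskSecret("sk-1234567890", 4)  // "*********7890"
    * }}}
    * @note Short inputs (length <= `keep`) are masked completely rather
    *       than echoed back, so a tiny secret is never leaked in full.
    */
  def maskSecret(secret: String, keep: Int = 4): String = {
    require(keep >= 0, "keep must not be negative")
    if (secret.length <= keep) "*" * secret.length
    else "*" * (secret.length - keep) + secret.takeRight(keep)
  }

  def main(args: Array[String]): Unit =
    println(maskSecret("sk-1234567890"))
}
```

Running `scaladoc` over the file produces the HTML page for `Redaction.maskSecret` from this comment; wiki-style code blocks are delimited by `{{{` and `}}}`, and inline code by backticks.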

Scala # IntelliJ 12 - Can't fetch docs / some functions are not shown in dropdown. [BUGS]

I've been searching for a long time now to find a decent IDE for Scala.
Eclipse is not satisfying at all, as auto completion doesn't work, somehow. Also, I can't modify the libraries at all in the build path e.g. set the docs/source.
IntelliJ seems better, however, there are some major bugs:
When the drop-down menu appears that lists all the functions, some of them are sometimes just not shown! I think it's because of scala-library / scala-compiler, it mixes them up or something...
The docs cannot be fetched, I get this message over and over again (here the functions are listed, strange enough...):
This is the library window:
The dependencies and the compiler are set right, I strongly suppose.
Does anyone know what the problem is? And how to fix it? Or is it a known bug?
Is there an IDE that can handle Scala?
Regards!
Typically, searching for names (values/classes/functions/etc.) for auto-complete can be quite slow compared to Java in IntelliJ simply because the automatically imported namespace can be quite large, and it also searches through all implicit conversions. However, I've never seen it refuse to show functions like your screenshot, what version of IntelliJ and Scala plugin are you using?
I've never gotten the pop-up docs to work via attaching JavaDocs (I haven't tried remote fetching), so I'd recommend just ctrl+click to go through to the source to read the documentation there. (However, the function/type definition does popup correctly when sources are attached). I'd suggest posting an issue at http://youtrack.jetbrains.com/issues/SCL if you have the opportunity.
To your final question, the answer is unfortunately no. The tooling for Scala is nowhere near that of Java, but both Scala IDE for Eclipse and IntelliJ are making great progress in changing that, and both are strong in some areas while weak in others. In the end, you'll get limited support either way, so choose whichever fits you best.
I have found the solution to the problem:
The bug was caused by Java Decompiler Plugin. It tried to decompile the binaries of Scala's class-files, which obviously failed. This led to that error message and further led to the Scala plugin not working as it should, thus not displaying some of the functions.
This took me a long time to figure out, I installed 2 other versions of IntelliJ (which apparently imported the JD plugin), NetBeans and downloaded several builds of the Scala Plugin, only to discover this cause. Deactivating Java Decompiler solved it.
Regards.

Is there a coding standards enforcement tool for Scala?

Where I work, we use mostly Java. We've always made extensive use of CheckStyle to enforce our coding standards for Java.
We're now branching out into Scala. Many of the same considerations as in Java apply (indentation/whitespace, naming conventions, ...) - and arguably having a consistent coding style is even more important given the power of the language.
However, there does not seem to be a Checkstyle equivalent for Scala.
Does anyone know of one?
Yes. It is called Scalastyle. (Same sort of focus as Checkstyle and FindBugs.) It's currently at version 0.2.0, and we're adding rules all the time.
EDIT (Dec 2012):
Scalastyle 0.2.0 was released last month, with a total of 46 rules. There are, in no particular order:
A maven plugin
An eclipse plugin
An SBT plugin
Under development are:
An Intellij plugin
A sonar plugin
Contributions/bug fixes are always welcome: github.
For code formatting, you can use Scalariform.
It can be used standalone, integrated into an editor, or as an SBT plugin that runs it automatically before every compilation.
Codacy integrates Scalastyle (amazing work from Matthew) along with custom rules (like checking for Option.get() and warning you when you do them) and works as an improved Sonar for Scala.
Free for open source.
You also have abide from the Typesafe team and scapegoat from the makers of SCoverage.
There's sniff, which detects "code smells" based on regular expressions. It can be used as a Specs2 test, which is nice.