Skip to content
This repository has been archived by the owner on Jun 9, 2022. It is now read-only.

Extend java-owasp and java-find-secbugs modules to support kotlin #106

Merged
merged 1 commit into from
Apr 15, 2019
Merged

Extend java-owasp and java-find-secbugs modules to support kotlin #106

merged 1 commit into from
Apr 15, 2019

Conversation

flosell
Copy link
Contributor

@flosell flosell commented Apr 8, 2019
edited
Loading

Description

This PR introduces Kotlin support using the existing java-owasp and java-find-secbugs modules (both tools support Kotlin projects).

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Toolchain

  • Generic
  • Java
  • JavaScript
  • Ruby
  • Python
  • Other: Kotlin

How Has This Been Tested?

Running dockerized hawkeye against a bare-bones kotlin spring boot project with outdated dependencies:

  • Rebuild the Hawkeye Container to get all the tools

    $ docker build -t hawkeye-new .

  • Get a Kotlin Spring Boot project with vulnerable dependencies and build it

    $ curl https://start.spring.io/starter.tgz \
           -d type=gradle-project \
           -d baseDir=spring-boot-kotlin-gradle \
           -d language=kotlin \
           -d bootVersion=2.0.0.RELEASE | tar -xzvf -
$ cd spring-boot-kotlin-gradle
$ ./gradlew build

  • Run Hawkeye against the project. You should see some findings from find-secbugs about spring boot internals and dependencies with CVEs

    $ docker run --rm -v $PWD:/target hawkeye-new

  • You can add bug-patterns like a predictable pseudorandom number generator to the code, rebuild and re-scan to prove that application code is also scanned successfully.

Notes for reviewer

I decided to keep the module names as they are (java-find-secbugs, java-owasp) to avoid breaking changes. However, since they support more than one language (I'm guessing they could easily be extended to other JVM languages like Scala or Clojure) this is slightly misleading. Should we rename them to jvm-find-secbugs, jvm-owasp or something like that and if yes, do we need some kind of backwards compatibility? Or should we stick with the pattern "one module - one language" and create separate modules?

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@felixhammerl
Copy link
Collaborator

Renaming the modules would be a breaking change. We could think about doing a major version bump. For that we should look into other jvm langs as well, that would sound reasonable.

@felixhammerl felixhammerl merged commit 03ec314 into hawkeyesec:master Apr 15, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@felixhammerl felixhammerl felixhammerl approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@flosell @felixhammerl