Find vulnerabilities in Scala
You can find vulnerabilities in your Scala applications. You can scan Scala repositories using the command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis, see Packaging Scala applications.
You can scan any code repository to which you have access and that meets the requirements below. To run an example scan, you can clone one of the public Veracode SCA repositories:
git clone https://github.com/veracode/example-sbt
Before you begin:
Scanning a repository that uses Scala and SBT requires the ability to resolve and assemble the project dependencies within the environment in which you scan the project. The requirements are:
- Meet the requirements for the Veracode SCA agent.
- Have access to the Scala repository.
- Include build.sbt in the project's root folder.
- Build the project with SBT version 0.13.16 or later. If you are overriding the version in the project/build.properties file, ensure the version is set to 0.13.16 or later.
- For Coursier and SBT, be able to successfully run sbt clean compile from the root of the project where you perform scans.
To complete this task:
At the command line, run the scan command pointed to the directory of the Scala repository. For example:
srcclr scan path/to/{project_folder}
To scan code repositories hosted in Git, use the --url argument at the command line.
To view more verbose output during the scan process, add the --loud argument:
srcclr scan path/to/{project_folder} --loud
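The following pre-flight script is an added example, not part of Veracode's documentation or tooling. It checks the requirements listed above (a build.sbt in the project root and, when project/build.properties overrides it, an sbt.version of at least 0.13.16) before running sbt clean compile and the srcclr scan command with --loud. The function names, the MIN_SBT_VERSION constant and the way the script takes the project directory as its first argument are this example's own choices.

```shell
#!/bin/sh
# Pre-flight check for a Veracode SCA scan of an SBT project (added example, not Veracode's code).
# Usage: sh sca_preflight.sh path/to/project_folder

MIN_SBT_VERSION="0.13.16"   # minimum SBT version named on the page

# version_ge A B: succeed (return 0) when dotted version A is >= B.
# Components are compared numerically; a non-numeric suffix such as "-RC1" is ignored.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ca=${a%%.*}; cb=${b%%.*}
    # drop the component just consumed; empty once a version is exhausted
    case "$a" in *.*) a=${a#*.};; *) a="";; esac
    case "$b" in *.*) b=${b#*.};; *) b="";; esac
    ca=${ca%%[!0-9]*}; cb=${cb%%[!0-9]*}   # strip any non-digit suffix
    ca=${ca:-0}; cb=${cb:-0}               # missing component counts as 0
    [ "$ca" -gt "$cb" ] && return 0
    [ "$ca" -lt "$cb" ] && return 1
  done
  return 0
}

# sbt_version_from_properties FILE: print the sbt.version value from a build.properties file.
sbt_version_from_properties() {
  sed -n 's/^[[:space:]]*sbt\.version[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# check_project DIR: verify build.sbt is present and the overridden SBT version (if any) is new enough.
check_project() {
  dir="$1"
  if [ ! -f "$dir/build.sbt" ]; then
    echo "error: no build.sbt in $dir (it must be in the project root)" >&2
    return 1
  fi
  props="$dir/project/build.properties"
  if [ -f "$props" ]; then
    v=$(sbt_version_from_properties "$props")
    if [ -n "$v" ] && ! version_ge "$v" "$MIN_SBT_VERSION"; then
      echo "error: sbt.version $v in $props is older than $MIN_SBT_VERSION" >&2
      return 1
    fi
  fi
  return 0
}

# scan_project DIR: run the checks, prove the build resolves, then scan with verbose output.
scan_project() {
  dir="$1"
  check_project "$dir" || return 1
  ( cd "$dir" && sbt clean compile ) || { echo "error: sbt clean compile failed" >&2; return 1; }
  srcclr scan "$dir" --loud
}

if [ "$#" -gt 0 ]; then
  scan_project "$1"
fi
```

Running sbt clean compile before the scan is deliberate: the agent resolves dependencies through the native package manager, so a build that does not compile in the scanning environment produces an incomplete dependency list rather than a clean failure.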
Results:
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Next steps:
After completing the scan, you can view the results.