Skip to main content

Scala SCA agent-based scanning

You can find vulnerabilities in your Scala applications using Veracode Software Composition Analysis agent-based scanning. You can run a scan on Scala repositories using the agent-based scanning command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis and Veracode SCA upload scans, see Packaging Scala applications.

You can use agent-based scanning to scan any code repository to which you have access and fulfills the above requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-sbt  

Before you begin:

Scanning a repository which utilizes Scala and SBT requires the ability to assemble the project dependencies within the environment in which you scan the project. This includes these requirements:

  • Meet the requirements for the Veracode SCA agent.
  • Have access to the Scala repository.
  • Include build.sbt in the projects root folder.
  • Build the project with SBT version 0.13.16 or later. If you are overriding the version in the project build.properties file, ensure the version is set to 0.13.16 or later.
  • For Coursier and SBT, be able to successfully run sbt clean compile from the root of the project where you perform scans.

To complete this task:

Run the scan command with the Veracode SCA CLI agent pointed to the directory of the Scala repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument with the CLI agent.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.