Scala packaging
Your Scala applications must meet specific compilation requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.
Automated packaging
Auto-packaging simplifies the packaging process for Python projects.
Supported Scala versions
| Language | Version | Compilers | Platform |
|---|---|---|---|
| Scala | 3.7 and earlier | scalac 3.4 and earlier javac 1.3–1.9, 10-24 | JVM 1.3–1.9,10-24 |
Veracode can analyze Scala applications with or without debug symbols. Providing debug builds of Scala application code allows Veracode to provide source file and line number information about the location of flaws found. For a successful scan, you cannot obfuscate Scala applications.
You must compile and submit Scala applications as JAR files. You can do this within the Eclipse Scala IDE by exporting the project as a JAR file.
Supported Scala frameworks
| Framework | Supported versions |
|---|---|
| Akka | 2.5 |
| Play | 2.0–2.7.x |
| Slick | 3.x |
Compilation guidance
You must compile and package Scala applications as JAR files. For the best results, include all debug symbols in the archives.
Using the standard Scala compiler, add the -g option at the command line to obtain debug symbols, for example:
scalac -g:vars foo.scala
Eclipse Scala IDE settings
If you develop the project with the Eclipse Scala IDE:
- Go to Project > Properties and select the Java Compiler properties. Under Classfile Generation, make these updates:
- Add variable attributes to generated class files
- Add line number attributes to generated class files
- Add source file name to generated class files
- Go to Project > Properties and select the Scala Compiler properties. Under Standard, set
gtovars.
Ant settings
If you build your project using ant, you must enable the debug property in the javac task by adding the -g:vars parameter to scalac. Add the -g:vars parameter to the addparams attribute. For example:
<target name="build" depends="init">
<mkdir dir="${build.dir}" />
<scalac srcdir="${sources.dir}"
destdir="${build.dir}"
addparams="-g:vars
classpathref="build.classpath">
<include name="compile/**/*.scala" />
<exclude name="forget/**/*.scala" />
</scalac>
</target>
Maven settings
If you build your project using the scala-maven-plugin for Maven, ensure that the javacGenerateDebugSymbols parameter is set to true, which is the default selection.
Sbt settings
You can use Sbt from the command line within the source directory to build the project as a JAR, using this command:
sbt 'set scalacOptions += "-g:vars"' compile package
When using the Play framework, you can use the sbt dist task to build the application.
To build and upload your application using the Play framework:
- Run one of these commands:
- From the Play console:
dist - From the command line:
sbt dist
- From the Play console:
- After the command completes successfully, navigate to the directory
target/scala-VERSION/. - Upload all JAR artifacts you want to scan.
sbt may also build -sans-externalized versions of individual JAR artifacts. If you upload both artifact versions, duplicate results may occur.
Alternatively, upload the primary ZIP artifact generated by sbt dist in the target/universal/ directory instead of uploading individual JAR artifacts. However, because this ZIP contains many third-party libraries, uploading this ZIP may affect build results.
If you use sbt docker, submit the JAR files created as part of the build process, rather than the Docker image itself. These files are stored in the target/ directory after you build the application.
Gradle settings
To build a Scala project using Gradle, use the Scala plugin. The Scala plugin adds line numbers and local variables to the generated binary artifact. For example:
apply plugin: 'scala'
You can then build the applications with this command:
gradle build