I have been trying to scan my code by using SonarQube + FindBugs + FindSecBugs plugins.
The idea is to detect vulnerabilities in the code, and as it says in the GitHub project subject, it works with Scala: https://github.com/find-sec-bugs/find-sec-bugs
I have installed the plugin as the documentation says, and tried a few scans but nothing related to vulnerabilities in scala is coming up.
So, in order to figure out if the code was really good or there was a misconfiguration on my SonarQube settings, I went to http://find-sec-bugs.github.io/bugs.htm, I took one of the examples (Potential Path Traversal), inserted the example code and I ran the scanner again. It was not found.
The rule (Security - Potential Path Traversal (file read)) is activated in the Quality Profile, and despite it being a Java profile, it is assigned to the project, since the code in the mentioned example is Scala.
I noticed that all the rules coming from find-sec-bugs are java ones, so I'm wondering if they don't work on scala or there is something else I can do to make it work.
Thanks in advance, and let me know if you need any extra information; I'd be glad to provide it.
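The shape of code the "Potential Path Traversal (file read)" rule is meant to catch, as an added Scala example written for this thread (it is not the snippet from the FindSecBugs bug page, nor code from the asker's project). The `/var/app/uploads` base directory and the object and method names are constructed for the illustration. `readUnsafe` is the pattern a working scanner setup should report on; `readSafe` is the hardened form that resolves the name against a fixed base directory, normalizes it, and refuses anything that ends up outside that base.

```scala
import java.io.File
import java.nio.file.{Files, Path, Paths}

object PathTraversalExample {
  // Constructed base directory for the example; any absolute path works.
  private val baseDir: Path = Paths.get("/var/app/uploads").toAbsolutePath.normalize()

  // Vulnerable: a user-controlled file name is concatenated into a path and read
  // without validation. "../../etc/passwd" or an absolute name escapes the directory.
  // This is the kind of sink the Potential Path Traversal rule flags.
  def readUnsafe(fileName: String): Array[Byte] = {
    val f = new File("/var/app/uploads/" + fileName)
    Files.readAllBytes(f.toPath)
  }

  // Hardened: resolve against the base, normalize away "." and "..", then require
  // the result to still sit under the base. Path.resolve returns an absolute argument
  // unchanged, so absolute names are also caught by the startsWith check.
  def readSafe(fileName: String): Either[String, Array[Byte]] = {
    val resolved = baseDir.resolve(fileName).normalize()
    if (!resolved.startsWith(baseDir))
      Left(s"rejected: '$fileName' resolves outside $baseDir")
    else if (!Files.isRegularFile(resolved))
      Left(s"rejected: '$fileName' is not a regular file under $baseDir")
    else
      Right(Files.readAllBytes(resolved))
  }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: the first two must be rejected by readSafe, the last is a normal name.
    Seq("../../etc/passwd", "/etc/passwd", "report.txt").foreach { name =>
      readSafe(name) match {
        case Left(reason) => println(reason)
        case Right(bytes) => println(s"read ${bytes.length} bytes from $name")
      }
    }
  }
}
```

Dropping `readUnsafe` into a Scala source file in the scanned project is a reasonable smoke test for the scanner configuration: if a rule that targets exactly this sink produces no finding, the problem is in the analysis pipeline rather than in the code.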
Looks like the main reason for that to happen is that Scala bug patterns are explicitly excluded for some reasons:
There are plenty of limitations with the SonarQube architecture regarding the multi-language support. It is closely tied to the sonar-source plugin design.
- Languages can't have the same extension (https://jira.sonarsource.com/browse/MMF-672)
- A repository can't contain rules that apply to multiple languages. (If you had Scala-only code, the Java core rules would not be enabled unless you have one Java file present.)
- Sensors are coupled to the language definition (depends on the most popular plugin that declares it).
- etc., etc.
Source: https://github.com/spotbugs/sonar-findbugs/issues/108#issuecomment-305909652
All the exclusions can be seen here: https://github.com/spotbugs/sonar-findbugs/commit/526ca6b29fae2684f86b1deba074a4be8a05b67e
Particularly, for Scala:
    static exclusions = ['CUSTOM_INJECTION',
                         'SCALA_SENSITIVE_DATA_EXPOSURE',
                         'SCALA_PLAY_SSRF',
                         'SCALA_XSS_TWIRL',
                         'SCALA_XSS_MVC_API',
                         'SCALA_PATH_TRAVERSAL_IN',
                         'SCALA_COMMAND_INJECTION',
                         'SCALA_SQL_INJECTION_SLICK',
                         'SCALA_SQL_INJECTION_ANORM',
                         'PREDICTABLE_RANDOM_SCALA']