
In our project, we use both Groovy and Java classes. We are using the find-sec-bugs plugin 1.4.3 with FindBugs 3.0.1 to scan the source code.

The security bugs from Groovy classes are not reported by the plugin. Java classes are properly scanned. The project page clearly says the plugin works with Groovy.

For this testing, I copied the following vulnerable code, compiled the source code, and ran the scan on that.

// java.util.Random is not a cryptographically secure generator, so this
// token is predictable; find-sec-bugs reports it as PREDICTABLE_RANDOM.
String generateSecretToken() {
    Random r = new Random();
    return Long.toHexString(r.nextLong());
}

Am I missing some configuration?

s_v_2
  • Do you use gradle or maven? Both tools have plugins for findbugs and it seems to run properly. – Opal Oct 14 '15 at 06:30
  • Thanks Opal. I am using the FindBugs UI. It scans both the groovy and java source code properly. The problem is with the find-sec-bugs plugin. This plugin scans the java code properly. But it ignores the groovy code. – s_v_2 Oct 14 '15 at 18:47
  • @nr673 Please open a ticket here: https://github.com/h3xstream/find-sec-bugs/issues (copy-paste your question) – h3xStream Oct 23 '15 at 03:51
  • @h3xStream Sorry for the delayed response. Reported the issue as you suggested. – s_v_2 Jan 12 '16 at 04:40

1 Answer

In order to have proper analysis, you need to activate static compiling. Otherwise, the analyzer will not see any method calls.

build.gradle

// Point the Groovy compiler at a configuration script that is applied to
// every Groovy source file in the project.
compileGroovy {
    groovyOptions.configurationScript = file("gradle/config.groovy")
}

gradle/config.groovy

// Apply @CompileStatic globally, so method calls are compiled as direct
// JVM invocations instead of going through Groovy's dynamic dispatch.
withConfig(configuration) {
    ast(groovy.transform.CompileStatic)
}

A full recipe is available here: https://github.com/find-sec-bugs/find-sec-bugs-demos/tree/master/groovy-simple

h3xStream
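An added example (not code from the question, the answer, or the find-sec-bugs project) of the same idea applied per class with the `@CompileStatic` annotation instead of the global configuration script. It places the weak generator from the question next to a hardened `SecureRandom` version; the class and method names are assumptions.

```groovy
import groovy.transform.CompileStatic
import java.security.SecureRandom

// @CompileStatic makes Groovy emit direct invokevirtual/invokespecial instructions
// for these calls, which is what lets FindBugs / find-sec-bugs see them. Without it,
// calls are routed through Groovy's call-site machinery and the analyzer cannot
// tell that java.util.Random.nextLong() is being invoked.
@CompileStatic
class TokenService {

    // Weak: java.util.Random is seeded predictably; with static compilation the
    // analyzer can flag this call (PREDICTABLE_RANDOM in find-sec-bugs).
    String generateSecretToken() {
        Random r = new Random()
        return Long.toHexString(r.nextLong())
    }

    // Hardened: 32 bytes (256 bits) from SecureRandom, hex encoded.
    String generateSecureToken() {
        byte[] buf = new byte[32]
        new SecureRandom().nextBytes(buf)
        StringBuilder sb = new StringBuilder(buf.length * 2)
        for (byte b : buf) {
            sb.append(String.format('%02x', b))
        }
        return sb.toString()
    }
}
```

To check that static compilation took effect before re-running the scan, inspect the compiled class with `javap -c TokenService.class`: the weak method should contain a direct `invokevirtual java/util/Random.nextLong` instruction rather than a call through `org.codehaus.groovy.runtime.callsite.CallSite` or an `invokedynamic`.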