find security bugs does not scan groovy files

776 Views Asked by s_v_2 At 28 April 2025 at 14:25

In our project, we use both Groovy and Java classes. We are using the find-sec-bugs plugin 1.4.3 with FindBugs 3.0.1 to scan the source code.

The security bugs from Groovy classes are not reported by the plugin. Java classes are properly scanned. The project page clearly says the plugin works with Groovy.

For this testing, I copied the following vulnerable code, compiled the source code, and ran the scan on that.

String generateSecretToken() {
    Random r = new Random();
    return Long.toHexString(r.nextLong());
}

Am I missing some configuration?

Original Q&A

There are 1 best solutions below

h3xStream On 19 July 2016 at 14:51

In order to have proper analysis, you need to activate static compiling. Otherwise, the analyzer will not see any method calls.

build.gradle

compileGroovy {
    groovyOptions.configurationScript = file("gradle/config.groovy")
}

gradle/config.groovy

withConfig(configuration) {
     ast(groovy.transform.CompileStatic)
}

A full recipe is available here: https://github.com/find-sec-bugs/find-sec-bugs-demos/tree/master/groovy-simple

find security bugs does not scan groovy files

There are 1 best solutions below

Related Questions in JAVA

Related Questions in GROOVY

Related Questions in FINDBUGS

Related Questions in FIND-SEC-BUGS

Trending Questions

Popular # Hahtags

Popular Questions