In our project, we use both Groovy and Java classes. We are using the find-sec-bugs plugin 1.4.3 with FindBugs 3.0.1 to scan the source code.
The security bugs from Groovy classes are not reported by the plugin. Java classes are properly scanned. The project page clearly says the plugin works with Groovy.
For this testing, I copied the following vulnerable code, compiled the source code, and ran the scan on that.
import java.util.Random

// Deliberately weak: java.util.Random is not a cryptographically secure PRNG,
// so this is the PREDICTABLE_RANDOM pattern the scanner is expected to flag.
String generateSecretToken() {
    Random r = new Random()
    return Long.toHexString(r.nextLong())
}
Am I missing some configuration?
In order to have proper analysis, you need to activate static compilation. Otherwise, the analyzer will not see any method calls.
build.gradle
gradle/config.groovy
A full recipe is available here: https://github.com/find-sec-bugs/find-sec-bugs-demos/tree/master/groovy-simple
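As an added illustration of the configuration the answer refers to (not copied from the answer or from the linked demo repository), the two files below wire static compilation into the Groovy build and attach the find-sec-bugs plugin to FindBugs. The plugin coordinates, versions and file names are assumptions; the Gradle `groovy` and `findbugs` plugins, the `groovyOptions.configurationScript` property and the `findbugsPlugins` configuration are standard Gradle features of that era. Dynamic Groovy dispatch is compiled to reflective `CallSite` invocations, which is why the bytecode detectors never see a direct call to `java.util.Random.<init>`; `@CompileStatic` applied globally makes the compiler emit ordinary `invokespecial`/`invokevirtual` instructions that FindBugs can match.

```groovy
// ---- gradle/config.groovy (assumed path, referenced from build.gradle below) ----
// Groovy compiler configuration script: applies @CompileStatic to every class
// in the source set, so calls such as `new Random()` become real JVM
// invocations instead of dynamic call sites.
withConfig(configuration) {
    ast(groovy.transform.CompileStatic)
}

// ---- build.gradle ----
apply plugin: 'groovy'
apply plugin: 'findbugs'

repositories {
    mavenCentral()
}

dependencies {
    compile 'org.codehaus.groovy:groovy-all:2.4.3'   // assumed Groovy version
    // Register the security detectors with FindBugs (versions from the question).
    findbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.4.3'
}

// Point the Groovy compiler at the configuration script above.
compileGroovy {
    groovyOptions.configurationScript = file('gradle/config.groovy')
}

findbugs {
    toolVersion = '3.0.1'
    effort = 'max'          // spend the extra analysis time; the detectors are cheap
    reportLevel = 'low'     // do not drop low-priority findings such as weak PRNG use
    ignoreFailures = true   // keep the build green while triaging; tighten later
}

// Emit an HTML report per source set so the findings are readable without the IDE.
tasks.withType(FindBugs) {
    reports {
        xml.enabled = false
        html.enabled = true
    }
}
```

Run `gradle check` (or `gradle findbugsMain`) after compiling; with static compilation active the `generateSecretToken()` method from the question should now appear in the report as a predictable-random finding, alongside the Java results that were already being reported.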