find security bugs does not scan groovy files


In our project, we use both Groovy and Java classes. We are using the find-sec-bugs plugin 1.4.3 with FindBugs 3.0.1 to scan the source code.

The security bugs from Groovy classes are not reported by the plugin. Java classes are properly scanned. The project page clearly says the plugin works with Groovy.

For this testing, I copied the following vulnerable code, compiled the source code, and ran the scan on that.

// Deliberately weak: java.util.Random is not a cryptographically secure PRNG,
// so this call is exactly what find-sec-bugs is expected to flag.
String generateSecretToken() {
    Random r = new Random();
    return Long.toHexString(r.nextLong());
}

Am I missing some configuration?




In order to have proper analysis, you need to activate static compiling. Otherwise, the analyzer will not see any method calls.

build.gradle

compileGroovy {
    groovyOptions.configurationScript = file("gradle/config.groovy")
}

gradle/config.groovy

withConfig(configuration) {
    ast(groovy.transform.CompileStatic)
}

A full recipe is available here: https://github.com/find-sec-bugs/find-sec-bugs-demos/tree/master/groovy-simple
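As an added illustration (not part of the question or the answer above), the same weak token generator next to a hardened version, both inside a class annotated with @CompileStatic so the detector can see the Random.nextLong() call site; the class and method names are made up for this example.

```groovy
import groovy.transform.CompileStatic
import java.security.SecureRandom

// With @CompileStatic (or the ast(CompileStatic) configuration script) the
// Groovy compiler emits a direct invokevirtual of java.util.Random.nextLong(),
// which FindBugs/find-sec-bugs can match. Without it the call goes through
// Groovy's dynamic call-site machinery and no call to Random is visible.
@CompileStatic
class TokenGenerators {

    // Weak: java.util.Random is predictable; find-sec-bugs reports this
    // as its PREDICTABLE_RANDOM pattern once the call is statically compiled.
    static String weakToken() {
        Random r = new Random()
        return Long.toHexString(r.nextLong())
    }

    // Hardened: a CSPRNG and 256 bits of entropy instead of one 64-bit long.
    static String secureToken() {
        byte[] buf = new byte[32]
        new SecureRandom().nextBytes(buf)
        return buf.encodeHex().toString()
    }
}
```

Scanning the compiled class files should flag weakToken() and leave secureToken() clean; if neither is reported, static compilation is not actually in effect for that source set.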