legzo

10/11/2018, 8:45 AM
Hi guys, quick question: we are currently running Fortify [https://en.wikipedia.org/wiki/Fortify_Software] in our CI to check for potential vulnerabilities in our Java code. We plan to migrate some components to Kotlin but Fortify doesn't support Kotlin (yet?). Do you know something able to do a security audit on Kotlin code?

elizarov

10/11/2018, 8:53 AM
Have you asked Fortify on their plans to support Kotlin? What was the answer?

legzo

10/11/2018, 8:55 AM
Hi Roman, we haven't yet. It seems like they also can audit the bytecode, but not with the same level of precision.

Mike

10/11/2018, 10:29 AM
I was extremely fortunate because my employer was OK with the byte code scan from fortify. I'd start there. Of course it finds false positives and you need accommodating reviewers as the source code isn't directly available if the scan is done via cli.

legzo

10/11/2018, 12:06 PM
Thanks for your feedback, Mike

Mike

10/11/2018, 12:13 PM
NP. Let me know if you have any other questions. I had to modify our CI process so that Fortify runs differently for Java than for Kotlin, so I became more familiar with Fortify than I wanted to 😉

legzo

10/11/2018, 2:18 PM
Good to know!