Hi! Is anyone aware of a tool that can scan for po...
# servers
shelbycohen
12/18/2019, 1:02 AMHi! Is anyone aware of a tool that can scan for possible security violations in Kotlin code similar to how Checkmarx works? Checkmarx has added Android Kotlin support but doesn’t support server side
d
Dariusz Kuc
12/18/2019, 1:25 AMAfaik there isnt one yet. Fortify supposedly have kotlin support somewhere on their roadmap but there is no eta.
Dariusz Kuc
12/18/2019, 1:27 AMWell technically fortify can do byte code scans but it didnt work that great when we tried it
s
shelbycohen
12/18/2019, 1:48 AMAw okay, thanks for the info
shelbycohen
12/18/2019, 1:48 AM@Dariusz Kuc I found this https://arturbosch.github.io/detekt/ but it isn’t exactly what we are looking for
d
Dariusz Kuc
12/18/2019, 1:50 AMdetekt is more like findbugs
Dariusz Kuc
12/18/2019, 1:50 AMIt is not security oriented
s
shelbycohen
12/18/2019, 1:50 AMYeah, I saw you could write custom rulesets but not what we are looking for
d
Dariusz Kuc
12/18/2019, 1:51 AMBtw detekt is highly recommended
👍 2
s
shelbycohen
12/18/2019, 1:53 AM@Dariusz Kuc Have you heard of https://www.sonarsource.com/products/codeanalyzers/sonarkotlin.html
d
Dariusz Kuc
12/18/2019, 2:13 AMSonar is great
👍 2
Dariusz Kuc
12/18/2019, 2:13 AMIt combines info from multiple different sources in nice ui
Dariusz Kuc
12/18/2019, 2:13 AMBut again it is not security oriented
Dariusz Kuc
12/18/2019, 2:14 AMYou could use sonar to keep track of trends so you could see how your code evolves
s
shelbycohen
12/18/2019, 2:15 AMIt does say in the description: “Based on our own Kotlin analyzer, it can find bugs, security vulnerabilities and code smells”
d
Dariusz Kuc
12/18/2019, 2:15 AMeg unit test coverage, code complexity, detekt violatioms etc
Dariusz Kuc
12/18/2019, 2:16 AMWell detekt also has some security rules
Dariusz Kuc
12/18/2019, 2:17 AMOur security folks wouldnt sign on it
s
shelbycohen
12/18/2019, 2:26 AM☹️
d
Dariusz Kuc
12/18/2019, 2:28 AMI guess if more folks show interest in it maybe fortify will get to implementing the support
👍 2
Dariusz Kuc
12/18/2019, 2:30 AMIn the meantime you might have to do manual security reviews
s
shelbycohen
12/18/2019, 3:03 AMCheckmarx has it on their roadmap for Q1 2020 so if people show more interest in that also it will help 🙂
👍 2
m
Malena Ebert
12/18/2019, 7:57 AMI am a developer at RIPS (https://ripstech.com). Kotlin support is on our roadmap. (Currently we support Java and PHP, JS and C# will be next.)
j
jaguililla
12/18/2019, 12:09 PMI guess this tool does it: http://find-sec-bugs.github.io
s
shelbycohen
12/18/2019, 5:42 PM@Malena Ebert Do you have an estimated date?
shelbycohen
12/18/2019, 5:43 PM@jaguililla Have you used that for Kotlin?
j
jaguililla
12/18/2019, 7:40 PMNot myself, but at my company they are evaluating it
s
shelbycohen
12/18/2019, 7:40 PMOh cool! Let me know what their evaluation is when you know
j
jaguililla
12/18/2019, 7:41 PM👍
d
Dariusz Kuc
12/18/2019, 9:28 PM@shelbycohen looks like https://www.veracode.com/ might be a viable option
👍 1
s
shelbycohen
12/18/2019, 9:35 PMThank you!
3 Views