Scala packaging
Your Scala applications must meet specific compilation requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.
Supported Scala versions
Language | Version | Compilers | Platform |
---|---|---|---|
Scala | 2.13 and earlier | scalac 2.13 and earlier javac 1.6–1.8 | JVM 1.6–1.9, 10 |
Veracode can analyze Scala applications with or without debug symbols. Providing debug builds of Scala application code allows Veracode to provide source file and line number information about the location of flaws found. For a successful scan, you cannot obfuscate Scala applications.
You must compile and submit Scala applications as JAR files. You can do this within the Eclipse Scala IDE by exporting the project as a JAR file.
Supported Scala frameworks
Framework | Supported versions |
---|---|
Akka | 2.5 |
Play | 2.0–2.7.x |
Slick | 3.x |
Compilation guidance
You must compile and submit Scala applications as JAR files without any third-party dependencies within the application code. Submit debug symbols for as much of the application as possible.
Using the standard Scala compiler, add the -g
option at the command line to obtain debug symbols, for example:
scalac -g:vars foo.scala
Eclipse Scala IDE settings
If you develop the project with the Eclipse Scala IDE:
- Go to Project > Properties and select the Java Compiler properties. Under Classfile Generation, make these updates:
- Add variable attributes to generated class files
- Add line number attributes to generated class files
- Add source file name to generated class files
- Go to Project > Properties and select the Scala Compiler properties. Under Standard, set
g
tovars
.
Ant settings
If you build your project using ant, you must enable the debug
property in the javac
task by adding the -g:vars
parameter to scalac
. Add the -g:vars
parameter to the addparams
attribute. For example:
<target name="build" depends="init">
<mkdir dir="${build.dir}" />
<scalac srcdir="${sources.dir}"
destdir="${build.dir}"
addparams="-g:vars
classpathref="build.classpath">
<include name="compile/**/*.scala" />
<exclude name="forget/**/*.scala" />
</scalac>
</target>
Maven settings
If you build your project using the scala-maven-plugin for Maven, ensure that the javacGenerateDebugSymbols
parameter is set to true
, which is the default selection.
Sbt settings
You can use Sbt from the command line within the source directory to build the project as a JAR, using this command:
sbt 'set scalacOptions += "-g:vars"' compile package
When using the Play framework, you can use the sbt dist
task to build the application.
To build and upload your application using the Play framework:
- Run one of these commands:
- From the Play console:
dist
- From the command line:
sbt dist
- From the Play console:
- After the command completes successfully, navigate to the directory
target/scala-VERSION/
. - Upload all JAR artifacts you want to scan.
sbt
may also build -sans-externalized
versions of individual JAR artifacts. If you upload both artifact versions, duplicate results may occur.
Alternatively, upload the primary ZIP artifact generated by sbt dist
in the target/universal/
directory instead of uploading individual JAR artifacts. However, because this ZIP contains many third-party libraries, uploading this ZIP may affect build results.
Veracode does not recommend using the sbt-assembly plugin.
If you use sbt docker
, submit the JAR files created as part of the build process, rather than the Docker image itself. These files are stored in the target/
directory after you build the application.
Gradle settings
To build a Scala project using Gradle, use the Scala plugin. The Scala plugin adds line numbers and local variables to the generated binary artifact. For example:
apply plugin: 'scala'
You can then build the applications with this command:
gradle build