Kotlin (Beta)

This article shows you how to analyze your applications written in Kotlin using NG SAST. It assumes that you have already set up and authenticated with ShiftLeft.

Requirements

NG SAST:

Only supports the analysis of Android applications written in Kotlin using SDK versions 24 to 30.
Requires a build environment with at least 16 GB of memory available.
Utilizes Java SE Runtime Environment 8; if necessary, you can install this by running sl update jre.

NG SAST for Kotlin runs on source code and does NOT require the target project to be built beforehand.

Analyzing your Kotlin application

To analyze your Kotlin application, run:

sl analyze --app <name> --kotlin <path>

Parameter	Description
`--app <name>`	The name of the application to be analyzed
`--kotlin`	The flag identifying the application's language
`<path>`	The location of the application's parent source directory

See the CLI reference for additional sl analyze options.

The analysis accepts additional parameters after a double hyphen --.

sl analyze --app <name> --kotlin [<path>] -- --download-dependencies --ignore-path <path>

Parameter	Description
`--classpath <path>`	The flag that adds a path to the folder where your dependency jars are (e.g., if your dependency jars are in `/tmp jars`, you could provide this to `sl analyze` using `--classpath /tmp/jars`). Can be used more than once.
`--download-dependencies`	The flag that triggers a download of the project's dependencies using Gradle or Maven
`--gradle-configuration-name <name>`	The Gradle configuration name to be used when downloading dependencies. (defaults to `releaseCompileClasspath` if none provided)
`--gradle-project-name <name>`	The Gradle project name to be used when downloading dependencies. (defaults to `app` if none provided)
`--ignore-path <path>`	The flag that adds a path to the list of directories which will be ignored during analyses. Can be used more than once.

If you would like to use NG SAST to scan non-Android applications written in Kotlin (i.e., backend services) or applications written in both Java and Kotlin, please contact ShiftLeft's customer support team for further assistance.

Dependency management

This Gradle plugin can help you resolve all the dependencies of a project and place them into a single directory (i.e., running ./gradlew gatherDependencies downloads the jars to build/gatheredDependencies, which you can then pass to sl analyze using --classpath build/gatheredDependencies)

Tagging results with your branch name

To include the branch name in your NG SAST results, allowing you to distinguish one set of results from another, add the following to your invocation of ShiftLeft:

sl analyze --tag branch=`git symbolic-ref --short HEAD`

If you're working in a GitHub environment (e.g., GitHub Actions), you can also use --tag branch=${{ github.head_ref }} to populate your branch name.

If you don't provide a branch name, but ShiftLeft detects one available in your environment, it will use that name.

Requirements#

Analyzing your Kotlin application#

Dependency management#

Tagging results with your branch name#

Requirements

Analyzing your Kotlin application

Dependency management

Tagging results with your branch name