Scala

This article shows you how to analyze your applications that are written in Scala using preZero. It assumes that you have already set up and authenticated with Qwiet.

Requirements

See Prerequisites for more information.

Analyzing your Scala application

To analyze your Scala application, run:

sl analyze --app <name> --java [<path>]

Parameter      | Description
--app <name>   | The name of the application to be analyzed (maximum length: 100 characters)
--java         | The flag identifying the application's language
<path>         | The location of the application's .jar / .war file to be analyzed

See the CLI reference for additional sl analyze options.

SCA

To identify open-source vulnerabilities, Qwiet preZero automatically searches for build manifests in the directory from which you run sl analyze. While you must provide the packaged artifact or the project package, Qwiet preZero assumes that the directory from which you run sl analyze is the directory that contains the application's source code.

Depending on how your project repo is structured, you may need to provide the following configuration options so that Qwiet preZero can identify where your dependencies are located:

Configuration option                  | Description
--oss-project-dir <project-path>      | The (non-default) location where projects are defined
--oss-subproject <subproject-name>    | For sbt projects only: collect open-source package information only from a specific subproject. This flag should only be used for complex monorepos/multi-project builds

Tagging results with your branch name

To include the branch name in your preZero results, allowing you to distinguish one set of results from another, add the following to your invocation of Qwiet:

sl analyze --tag branch=`git symbolic-ref --short HEAD`

If you're working in a GitHub environment (e.g., GitHub Actions), you can also use --tag branch=${{ github.head_ref }} to populate your branch name.

If you don't provide a branch name, but Qwiet detects one available in your environment, it will use that name.
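The following is an added example of a CI wrapper that composes the sl analyze invocation described above; it is not part of Qwiet's tooling. It assumes the caller supplies the app name and artifact path, relies on the standard GitHub Actions variables GITHUB_HEAD_REF and GITHUB_REF_NAME for the branch name, and otherwise falls back to the local git checkout.

```shell
#!/bin/sh
# Added example (not Qwiet's own code): build an `sl analyze` command line for a
# Scala artifact with the branch tag resolved from the environment.
# Assumptions: GITHUB_HEAD_REF / GITHUB_REF_NAME are the standard GitHub Actions
# variables; app name and artifact path come from the caller.

# Resolve the branch name: prefer the GitHub Actions PR source branch, then the
# push ref name, then the local git checkout. Prints nothing if none is known.
resolve_branch() {
  if [ -n "${GITHUB_HEAD_REF:-}" ]; then
    printf '%s\n' "$GITHUB_HEAD_REF"
  elif [ -n "${GITHUB_REF_NAME:-}" ]; then
    printf '%s\n' "$GITHUB_REF_NAME"
  else
    git symbolic-ref --short HEAD 2>/dev/null || true
  fi
}

# build_sl_analyze_cmd <app-name> <artifact-path> [<oss-subproject>]
# Prints the command line; returns non-zero on invalid input so CI fails early.
build_sl_analyze_cmd() {
  app="$1"; artifact="$2"; subproject="${3:-}"
  # preZero caps --app at 100 characters; reject locally rather than server-side.
  if [ "${#app}" -gt 100 ]; then
    echo "app name longer than 100 characters" >&2
    return 1
  fi
  # Only packaged .jar / .war artifacts are accepted for --java analysis.
  case "$artifact" in
    *.jar|*.war) ;;
    *) echo "artifact must be a .jar or .war: $artifact" >&2; return 1 ;;
  esac
  cmd="sl analyze --app $app --java"
  branch="$(resolve_branch)"
  if [ -n "$branch" ]; then
    cmd="$cmd --tag branch=$branch"
  fi
  # For sbt monorepos, scope SCA to one subproject (see the SCA section).
  if [ -n "$subproject" ]; then
    cmd="$cmd --oss-subproject $subproject"
  fi
  printf '%s\n' "$cmd $artifact"
}
```

Run the printed command with eval (or pipe it to sh) once you are satisfied it is correct; printing it first makes the tag and flags visible in CI logs.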

Source code view

The Qwiet Dashboard's findings list can include URLs that, when used, will direct you to the specific source code lines where the vulnerability occurs.

However, to leverage Qwiet's source code view with Scala applications, you must augment the source code filepaths. preZero uses the byte code, not the source code, for analysis, so you'll need to provide additional information about your filepath structure to ensure that preZero generates the links properly.