Packaging Scala Applications

Veracode Packaging Requirements

Your Scala applications must meet specific compilation requirements before you can submit them for scanning.

See Supported Languages and Platforms for instructions for other platforms.

You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.

Supported Scala Versions

Language   Version            Compilers                   Platform
Scala      2.13 and earlier   scalac - 2.13 and earlier   JVM 1.6–1.9, 10
                              javac - 1.6–1.8

Veracode can analyze Scala applications with or without debug symbols. Providing debug builds of Scala application code allows Veracode to provide source file and line number information about the location of flaws found. For a successful scan, you cannot obfuscate Scala applications.

You must compile and submit Scala applications as JAR files. You can do this within the Eclipse Scala IDE by exporting the project as a JAR file.

Supported Scala Frameworks

Framework Supported Versions
Akka 2.5
Play 2.0–2.7.x
Slick 3.x

Compilation Guidance

You must compile and submit Scala applications as JAR files without any third-party dependencies within the application code. Submit debug symbols for as much of the application as possible.

Using the standard Scala compiler, add the -g option at the command line to obtain debug symbols, for example:

scalac -g:vars foo.scala
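
Before uploading, you can check that the classes in a JAR actually carry debug symbols. The following is an added example, not Veracode's code: it reads each class file's constant pool and reports classes where the attribute names SourceFile, LineNumberTable or LocalVariableTable never appear. The function names and the constructed in-memory sample JAR are assumptions made for illustration.

```python
import io
import struct
import zipfile

# Attribute names the class-file format uses for debug information.
DEBUG_ATTRS = {"SourceFile", "LineNumberTable", "LocalVariableTable"}
# Byte width of each fixed-size constant-pool entry, keyed by tag.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(data):
    """Return the set of Utf8 constant-pool strings in one class file."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, index, found = 10, 1, set()
    while index < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then that many bytes
            (length,) = struct.unpack_from(">H", data, pos)
            found.add(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in FIXED:
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long/double take two slots
    return found

def missing_debug_info(jar):
    """Map each class in the JAR to the debug attribute names it lacks."""
    report = {}
    with zipfile.ZipFile(jar) as zf:
        for name in (n for n in zf.namelist() if n.endswith(".class")):
            missing = DEBUG_ATTRS - utf8_constants(zf.read(name))
            if missing:
                report[name] = sorted(missing)
    return report

def sample_jar():
    """Constructed input: in-memory JAR with one full and one stripped class."""
    def cls(*names):  # header plus a constant pool of Utf8 entries only
        pool = b"".join(b"\x01" + struct.pack(">H", len(n)) + n.encode() for n in names)
        return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(names) + 1) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/Debug.class", cls(*DEBUG_ATTRS))
        zf.writestr("app/Stripped.class", cls("SourceFile"))
    return buf
```

Pass missing_debug_info a path to a built JAR to get the classes to review. The check is a heuristic: interfaces and classes without method bodies legitimately lack LineNumberTable and LocalVariableTable, and a string literal with the same text would also satisfy it.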

Eclipse Scala IDE Settings

If you develop the project with the Eclipse Scala IDE:

  1. Go to Project > Properties and select the Java Compiler properties. Under Classfile Generation, make these updates:
    • Add variable attributes to generated class files
    • Add line number attributes to generated class files
    • Add source file name to generated class files
  2. Go to Project > Properties and select the Scala Compiler properties. Under Standard, set g to vars.

Ant Settings

If you build your project using Ant, you must enable the debug property in the javac task by adding the -g:vars parameter to scalac. Add the -g:vars parameter to the addparams attribute. For example:

<target name="build" depends="init">
    <mkdir dir="${build.dir}" />
    <!-- addparams passes -g:vars to scalac so class files carry debug symbols -->
    <scalac srcdir="${sources.dir}"
            destdir="${build.dir}"
            addparams="-g:vars"
            classpathref="build.classpath">
      <include name="compile/**/*.scala" />
      <exclude name="forget/**/*.scala" />
    </scalac>
</target>

Maven Settings

If you build your project using the scala-maven-plugin for Maven, ensure that the javacGenerateDebugSymbols parameter is set to true, which is the default selection.

Sbt Settings

You can use sbt from the command line within the source directory to build the project as a JAR, using this command:

sbt 'set scalacOptions += "-g:vars"' compile package

When using the Play framework, you can use the sbt dist task to build the application.

To build and upload your application using the Play framework:

  1. Run one of these commands:
    • From the Play console: dist
    • From the command line: sbt dist
  2. After the command completes successfully, navigate to the directory target/scala-VERSION/.
  3. Upload all JAR artifacts you want to scan.
Note: sbt may also build -sans-externalized versions of individual JAR artifacts. If you upload both artifact versions, duplicate results may occur.

Alternatively, upload the primary ZIP artifact generated by sbt dist in the target/universal/ directory instead of uploading individual JAR artifacts. However, because this ZIP contains many third-party libraries, uploading this ZIP may affect build results.

Veracode does not recommend using the sbt-assembly plugin.

If you use sbt docker, submit the JAR files created as part of the build process, rather than the Docker image itself. These files are stored in the target/ directory after you build the application.

Gradle Settings

To build a Scala project using Gradle, use the Scala plugin. The Scala plugin adds line numbers and local variables to the generated binary artifact. For example:

apply plugin: 'scala'

You can then build the applications with this command:

gradle build