Compilation Instructions for Scala

Compilation Guide

See the master compilation guidelines for instructions for other platforms.

Supported Scala Versions

Language Version Compilers Platform
Scala 2.13 and earlier scalac - 2.13 and earlier

javac - 1.6–1.8

JVM 1.6–1.9, 10

The Veracode Platform can analyze Scala applications with or without debug symbols. Providing debug builds of Scala application code allows the Veracode Platform to provide source file and line number information about the location of flaws found. For a successful scan, you cannot obfuscate Scala applications.

Scala applications must be compiled and submitted as JAR files, which can be done within the Eclipse Scala IDE by exporting the project as a JAR file.

Supported Scala Frameworks

Framework Supported Versions
Play 2.0–2.5.x
Akka 2.5

Compilation Guidance

You must compile and submit Scala applications as JAR files without any third-party dependencies within the application code. Submit debug symbols for as much of the application as possible.

Using the standard Scala compiler, at the command line, add the -g option to get debug symbols, for example:

scalac -g:vars foo.scala

Eclipse Scala IDE Settings

If you are developing the project with the Eclipse Scala IDE:

  1. Go to Project > Properties and select the Java Compiler properties. Under Classfile Generation, add the following:
    • Add variable attributes to generated class files
    • Add line number attributes to generated class files
    • Add source file name to generated class files
  2. Go to Project > Properties and select the Scala Compiler properties. Under Standard, set the following:
    • g to vars

Ant Settings

If you build your project using ant, the debug property in the scalac task needs to be enabled by adding the -g:vars parameter to scalac by adding it to the addparams attribute. For example:

<target name="build" depends="init">
    <mkdir dir="${build.dir}"   />
    <scalac srcdir="${sources.dir}"
      <include name="compile/**/*.scala"   />
      <exclude name="forget/**/*.scala"   />

Maven Settings

If you build your project using the scala-maven-plugin for Maven, ensure that the javacGenerateDebugSymbols parameter is set to true, which is the default selection.

Sbt Settings

Sbt can be used from the command line within the source directory to build the project as a JAR:

sbt 'set scalacOptions += "-g:vars"' compile package

When using the Play framework, you can use the sbt dist task to build the application.

To build and upload your application using the Play framework:

  1. Run one of the following commands:
    • From the Play console: dist
    • From the command line: sbt dist
  2. After the command completes successfully, navigate to the directory target/scala-VERSION/.
  3. Upload all JAR artifacts you want to scan.
Note: sbt may also build -sans-externalized versions of individual JAR artifacts. If you upload both artifact versions, duplicate results may occur.

Alternatively, upload the primary ZIP artifact generated by sbt dist in the target/universal/ directory instead of uploading individual JAR artifacts. However, because this ZIP contains many third-party libraries, uploading this ZIP may affect build results.

Veracode does not recommend using the sbt-assembly plugin.

If you use sbt docker, submit the JAR files created as part of the build process, rather than the Docker image itself. These files are stored in the target/ directory after the application is built.

Software Composition Analysis

If you have a Veracode Software Composition Analysis subscription, you can include third-party components in your static analysis submission to report on vulnerabilities in those components. To effectively scan third-party components, the submitted application must also meet the packaging requirements for SCA upload and scan.