Compilation Instructions for Scala

Compilation Guide

See the master compilation guidelines for instructions for other platforms.

Supported Scala Versions

Language Version Compilers Platform
Scala 2.13 and earlier scalac - 2.13 and earlier

javac - 1.6-1.8

JVM 1.6-1.9, 10

The Veracode Platform can analyze Scala applications with or without debug symbols. Providing debug builds of Scala application code allows the Veracode Platform to provide source file and line number information about the location of flaws found. For a successful scan, you cannot obfuscate Scala applications.

Scala applications must be compiled and submitted as JAR files, which can be done within the Eclipse Scala IDE by exporting the project as a JAR file.

Supported Scala Frameworks

Framework Supported Versions
Play 2.0-2.5.x
Akka 2.5

Compilation Guidance

You must compile and submit Scala applications as JAR files without any third-party dependencies within the application code. Submit debug symbols for as much of the application as possible.

Using the standard Scala compiler, at the command line, add the -g option to get debug symbols, for example:

scalac -g:vars foo.scala

Eclipse Scala IDE Settings

If you are developing the project with the Eclipse Scala IDE:

  1. Go to Project > Properties and select the Java Compiler properties. Under Classfile Generation, add the following:
    • Add variable attributes to generated class files
    • Add line number attributes to generated class files
    • Add source file name to generated class files
  2. Go to Project > Properties and select the Scala Compiler properties. Under Standard, set the following:
    • g to vars

Ant Settings

If you build your project using ant, the debug property in the scalac task needs to be enabled by adding the -g:vars parameter to scalac by adding it to the addparams attribute. For example:

<target name="build" depends="init">
    <mkdir dir="${build.dir}"   />
    <scalac srcdir="${sources.dir}"
      <include name="compile/**/*.scala"   />
      <exclude name="forget/**/*.scala"   />

Maven Settings

If you build your project using the scala-maven-plugin for Maven, ensure that the javacGenerateDebugSymbols parameter is set to true, which is the default selection.

Sbt Settings

Sbt can be used from the command line within the source directory to build the project as a JAR:

sbt 'set scalacOptions += "-g:vars"' compile package

When using the Play framework, the sbt dist task can be used by typing the dist command from the Play console, which produces a JAR file containing all of the files required for analysis.

Veracode does not recommend using the sbt-assembly plugin.

If you use sbt docker, submit the JAR files created as part of the build process, rather than the docker image itself. These files are stored in the target/ directory after the application is built.