Endor Labs for Scala

Learn how to implement Endor Labs in repositories with Scala packages.

Scala is a general-purpose and scalable programming language widely used by developers. Endor Labs supports the scanning and monitoring of Scala projects managed by the interactive build tool sbt.

Using Endor Labs, developers can:

  • Test their software for potential issues and violations of organizational policy
  • Prioritize vulnerabilities in the context of their applications
  • Understand the relationships between software components in their applications

Scan Scala projects

To successfully scan your Scala applications:

Install software prerequisites

The following prerequisites must be fulfilled:

  • A manifest file for the Scala build tool, build.sbt, must be present in your repository.
  • If your sbt version is lower than 1.4, you must install the sbt-dependency-graph plugin. In sbt 1.4 and higher, the plugin is integrated by default.
  • Make sure that the project/build.properties file specifies the required sbt version.
  • Make sure that your system has at least an 8-core processor and 32 GB of RAM to scan Scala projects successfully.

Build Scala projects

You can choose to build your Scala projects before running a scan. The standard .sbt cache must exist and contain successfully downloaded dependencies.

  1. Ensure your repo has a build.sbt file and run the following commands, making sure they build the project successfully.
sbt compile
sbt projects
  2. Make sure sbt dependencyTree runs successfully inside the project directory.

Run a scan

Perform a scan to get visibility into your software composition and resolve dependencies.

endorctl scan

You can perform the scan from within the root directory of the git repository and save the local results to a results.json file. The results and related analysis information are also available in the Endor Labs user interface.

endorctl scan -o json | tee /path/to/results.json

You can sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project to review its results.
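A pre-flight script that codifies the prerequisites and build steps above, added here as an example (it is not part of endorctl or of the Endor Labs documentation). It assumes it is run from the repository root and that the sbt version is declared as sbt.version in project/build.properties; the version parsing and the plugin check are the author's own, not endorctl's host checks.

```shell
#!/bin/sh
# Added example, not part of endorctl: pre-flight checks for an sbt project.
# Assumes the repository root as working directory and "sbt.version=..." in project/build.properties.

# Print the sbt version declared in a build.properties file (empty if absent).
sbt_version_from_props() {
  props="${1:-project/build.properties}"
  [ -f "$props" ] || return 0
  sed -n 's/^[[:space:]]*sbt\.version[[:space:]]*=[[:space:]]*//p' "$props" \
    | head -n 1 | tr -d '[:space:]'
}

# True (exit 0) when the version is below 1.4, i.e. sbt-dependency-graph is not
# bundled and must be added by hand. Unparsable or missing input counts as old.
needs_dependency_graph_plugin() {
  v="$1"
  case "$v" in
    *.*) major="${v%%.*}"; rest="${v#*.}"; minor="${rest%%.*}" ;;
    *)   major="$v"; minor=0 ;;
  esac
  case "$major" in ''|*[!0-9]*) return 0 ;; esac
  case "$minor" in ''|*[!0-9]*) minor=0 ;; esac
  if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 4 ]; }; then return 0; fi
  return 1
}

# True when project/plugins.sbt (or the given file) references the plugin.
plugin_declared() {
  grep -q 'sbt-dependency-graph' "${1:-project/plugins.sbt}" 2>/dev/null
}

# Run the prerequisite and build checks from the steps above; stop at the first gap.
precheck() {
  command -v sbt >/dev/null 2>&1 || { echo "sbt is not installed or not in PATH"; return 1; }
  [ -f build.sbt ] || { echo "build.sbt not found in $(pwd)"; return 1; }
  v="$(sbt_version_from_props)"
  if needs_dependency_graph_plugin "$v" && ! plugin_declared; then
    echo "sbt version '$v' is below 1.4: add sbt-dependency-graph to project/plugins.sbt"
    return 1
  fi
  sbt compile >/dev/null || { echo "sbt compile failed"; return 1; }
  sbt dependencyTree >/dev/null || { echo "sbt dependencyTree failed"; return 1; }
  echo "prerequisites satisfied (sbt.version=${v:-unset})"
}

# Usage: ./precheck.sh --scan   (runs the checks, then the scan command from this page)
if [ "${1:-}" = "--scan" ]; then
  precheck && endorctl scan -o json | tee results.json
fi
```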

Understand the scan process

Endor Labs scans Scala projects by executing sbt plugins and inspecting the build.sbt file to retrieve information about direct and transitive dependencies.

  • The build.sbt file is a configuration file used in Scala projects with sbt to define project settings, dependencies, and build tasks. This file provides the necessary configuration and instructions to sbt on resolving and managing project dependencies.

  • The sbt-dependency-graph plugin visualizes the dependencies between modules in a Scala project.

Endor Labs analyzes the information from both of these sources to determine the components, binary files, manifest files, images, and more in the Scala codebase, and presents the findings, including policy violations, while identifying and resolving dependencies.

Using Endor Labs, users can gain significant insight into the structure and relationships of their Scala project's dependencies, which helps them manage dependencies effectively, identify potential issues, and keep the codebase well organized and maintainable.

Known Limitations

  • Call graphs are not supported for Scala projects.
  • Software composition analysis for Scala on Microsoft Windows operating systems is currently unsupported.

Troubleshoot errors

Here are a few error scenarios that you can check for and attempt to resolve.

  • Host system check failure errors: These errors occur if:
    • sbt is not installed or not present in the PATH variable. Install sbt 1.4 or higher and try again.
    • The sbt version specified in the project or in the build.properties file is lower than 1.4 and the sbt-dependency-graph plugin is not installed. Install the sbt-dependency-graph plugin and try again.