
Extend java-owasp and java-find-secbugs modules to support kotlin #106

Merged
merged 1 commit into from
Apr 15, 2019
Merged
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -20,6 +20,7 @@ The Hawkeye scanner-cli assumes that your directory structure is such that it ke
* **Python** projects will have a `requirements.txt` on top level
* **PHP** projects will have a `composer.lock` on top level
* **Java** projects will have a `build` (gradle) or `target` (maven) folder, and include `.java` and `.jar` files
* **Kotlin** projects will have a `build` (gradle) or `target` (maven) folder, and include `.kt` and `.jar` files

This is not exhaustive as sometimes tools require further files to exist. To understand how the modules decide whether they can handle a project, please check the [How it works](https://github.com/hawkeyesec/scanner-cli#how-it-works) section and the [modules](lib/modules) folder.

Expand Down Expand Up @@ -243,7 +244,7 @@ Modules are basically little bits of code that either implement their own logic,
* **files-entropy**: Scans files for strings with high entropy that are likely to contain passwords. Entropy scanning is disabled by default because of the high number of false positives. It is useful to scan codebases every now and then for keys, in which case please run it please using the `-m files-entropy` switch.
* **files-secrets**: Scans for suspicious filenames that are likely to contain secrets

#### Java
#### Java / Kotlin

* **java-find-secbugs**: Finds common security issues in Java code with findsecbugs
* **java-owasp**: Scans Java projects for gradle/maven dependencies with known vulnerabilities with the OWASP dependency checker
36 changes: 25 additions & 11 deletions lib/modules/java-find-secbugs/__tests__/findsecbugs-unit.js
Expand Up @@ -16,23 +16,37 @@ describe('FindSecBugs Module', () => {
sinon.stub(exec, 'command').resolves({ stdout: '' })
})

it('should handle maven projects', async () => {
const target = path.join(__dirname, './sample/maven')
it('should handle java maven projects', async () => {
const target = path.join(__dirname, './sample/java-maven')
const fm = new FileManager({ target })

expect(await handles(fm)).to.be.true
})

it('should handle gradle projects', async () => {
const target = path.join(__dirname, './sample/gradle')
it('should handle java gradle projects', async () => {
const target = path.join(__dirname, './sample/java-gradle')
const fm = new FileManager({ target })

expect(await handles(fm)).to.be.true
})

it('should handle kotlin maven projects', async () => {
const target = path.join(__dirname, './sample/kotlin-maven')
const fm = new FileManager({ target })

expect(await handles(fm)).to.be.true
})

it('should handle kotlin gradle projects', async () => {
const target = path.join(__dirname, './sample/kotlin-gradle')
const fm = new FileManager({ target })

expect(await handles(fm)).to.be.true
})

it('should not run on missing executable', async () => {
exec.exists.resolves(false)
const target = path.join(__dirname, './sample/gradle')
const target = path.join(__dirname, './sample/java-gradle')
const fm = new FileManager({ target })

expect(await handles(fm)).to.be.false
Expand All @@ -46,7 +60,7 @@ describe('FindSecBugs Module', () => {
})

it('should execute findsecbugs with all required arguments', async () => {
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(sampleReport)
sinon.stub(fm, 'exists')
Expand All @@ -60,7 +74,7 @@ describe('FindSecBugs Module', () => {
})

it('should parse high priority issues correctly', async () => {
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(sampleReport)
sinon.stub(fm, 'exists')
Expand All @@ -78,7 +92,7 @@ describe('FindSecBugs Module', () => {
})

it('should parse medium priority issues correctly', async () => {
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(sampleReport)
sinon.stub(fm, 'exists')
Expand All @@ -96,7 +110,7 @@ describe('FindSecBugs Module', () => {
})

it('should parse low priority issues correctly', async () => {
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(sampleReport)
sinon.stub(fm, 'exists')
Expand All @@ -115,7 +129,7 @@ describe('FindSecBugs Module', () => {

it('should error when findsecbugs errored', () => {
exec.command.throws(new Error('some error'))
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(sampleReport)
sinon.stub(fm, 'exists')
Expand All @@ -125,7 +139,7 @@ describe('FindSecBugs Module', () => {
})

it('should error when no report present ', () => {
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(sampleReport)
sinon.stub(fm, 'exists')
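Review bot: The four "should handle … projects" cases in the first hunk differ only in the sample directory name, and lib/modules/java-owasp/__tests__/owasp-unit.js in this commit adds the same four; a single loop keeps them in one place, e.g. `for (const sample of ['java-maven', 'java-gradle', 'kotlin-maven', 'kotlin-gradle']) { it(\`should handle ${sample} projects\`, …) }`. Nothing on this page shows the kotlin-maven and kotlin-gradle sample directories (or the renamed java-* ones) being added, and `handles` can only return true for them if they contain `.kt` and `.jar` files, so it is worth confirming they are part of the commit. The enclosing describe block starts before the hunk.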
9 changes: 6 additions & 3 deletions lib/modules/java-find-secbugs/index.js
Expand Up @@ -15,23 +15,26 @@ module.exports = {
enabled: true,
handles: async fm => {
const isJavaProject = fm.all().some(file => file.endsWith('.java'))
const isKotlinProject = fm.all().some(file => file.endsWith('.kt'))
const isJvmProject = isJavaProject || isKotlinProject

const hasJarFiles = getProjectJars(fm).length > 0
const exists = await exec.exists('findsecbugs')

if (isJavaProject && !hasJarFiles) {
if (isJvmProject && !hasJarFiles) {
logger.warn('java files were found but no jar files')
logger.warn(`${key} scan will not run unless you build the project before`)
return false
}

if (isJavaProject && hasJarFiles && !exists) {
if (isJvmProject && hasJarFiles && !exists) {
logger.warn('java files found but findSecBugs was not found in $PATH')
logger.warn(`${key} scan will not run unless you install findSecBugs CLI`)
logger.warn('Installation instructions: https://github.com/Stono/hawkeye/blob/master/lib/modules/java-find-secbugs/README.md')
return false
}

return isJavaProject && hasJarFiles
return isJvmProject && hasJarFiles
},
run: async fm => {
const jarFiles = getProjectJars(fm).map(getAbsolutePath(fm)).join(' ')
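Review bot: The warnings in both early-return branches still say "java files were found" / "java files found", so a Kotlin-only project, which now reaches these branches through isJvmProject, gets a misleading message about why the scan is skipped. Change them to `logger.warn('java/kotlin files were found but no jar files')` and `logger.warn('java/kotlin files found but findSecBugs was not found in $PATH')`. The same two messages are left unchanged in lib/modules/java-owasp/index.js in this commit. The handles function is fully visible in the hunk; run starts on its last line and continues outside it.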
28 changes: 19 additions & 9 deletions lib/modules/java-owasp/__tests__/owasp-unit.js
Expand Up @@ -18,18 +18,28 @@ describe('Java OWASP Dependency Checker Module', () => {
})

it('should handle maven projects', async () => {
const fm = new FileManager({ target: path.join(__dirname, './sample/maven') })
const fm = new FileManager({ target: path.join(__dirname, './sample/java-maven') })
expect(await handles(fm)).to.be.true
})

it('should handle gradle projects', async () => {
const fm = new FileManager({ target: path.join(__dirname, './sample/gradle') })
const fm = new FileManager({ target: path.join(__dirname, './sample/java-gradle') })
expect(await handles(fm)).to.be.true
})

it('should handle kotlin maven projects', async () => {
const fm = new FileManager({ target: path.join(__dirname, './sample/kotlin-maven') })
expect(await handles(fm)).to.be.true
})

it('should handle kotlin gradle projects', async () => {
const fm = new FileManager({ target: path.join(__dirname, './sample/kotlin-gradle') })
expect(await handles(fm)).to.be.true
})

it('should not run on missing executable', async () => {
exec.exists.resolves(false)
const fm = new FileManager({ target: path.join(__dirname, './sample/gradle') })
const fm = new FileManager({ target: path.join(__dirname, './sample/java-gradle') })
expect(await handles(fm)).to.be.false
})

Expand All @@ -39,7 +49,7 @@ describe('Java OWASP Dependency Checker Module', () => {
})

it('should execute dependency check for maven with all required arguments', async () => {
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
const buildFolder = 'target'
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(sampleReport)
Expand All @@ -54,7 +64,7 @@ describe('Java OWASP Dependency Checker Module', () => {
})

it('should execute dependency check for gradle with all required arguments', async () => {
const target = path.join(__dirname, './sample/gradle')
const target = path.join(__dirname, './sample/java-gradle')
const buildFolder = 'build'
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(sampleReport)
Expand All @@ -69,7 +79,7 @@ describe('Java OWASP Dependency Checker Module', () => {
})

it('should parse issues correctly', async () => {
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(sampleReport)
sinon.stub(fm, 'exists')
Expand All @@ -87,7 +97,7 @@ describe('Java OWASP Dependency Checker Module', () => {
})

it('should not report when no issues are present', async () => {
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(noIssueReport)
sinon.stub(fm, 'exists')
Expand All @@ -103,7 +113,7 @@ describe('Java OWASP Dependency Checker Module', () => {
})

it('should error when dependency check errored', () => {
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
exec.command = (cmd, pwd, cb) => cb(new Error('some error'))
const fm = new FileManager({ target })
sinon.stub(fm, 'exists')
Expand All @@ -113,7 +123,7 @@ describe('Java OWASP Dependency Checker Module', () => {
})

it('should error when no report present ', () => {
const target = path.join(__dirname, './sample/maven')
const target = path.join(__dirname, './sample/java-maven')
const fm = new FileManager({ target })
sinon.stub(fm, 'readFileSync').returns(sampleReport)
sinon.stub(fm, 'exists')
9 changes: 6 additions & 3 deletions lib/modules/java-owasp/index.js
Expand Up @@ -12,23 +12,26 @@ module.exports = {
enabled: true,
handles: async fm => {
const isJavaProject = fm.all().some(file => file.endsWith('.java'))
const isKotlinProject = fm.all().some(file => file.endsWith('.kt'))
const isJvmProject = isJavaProject || isKotlinProject

const hasJarFiles = getProjectJars(fm).length > 0
const hasCommand = await exec.exists('dependency-check')

if (isJavaProject && !hasJarFiles) {
if (isJvmProject && !hasJarFiles) {
logger.warn('java files were found but no jar files')
logger.warn(`java-owasp scan will not run unless you build the project before`)
return false
}

if (isJavaProject && hasJarFiles && !hasCommand) {
if (isJvmProject && hasJarFiles && !hasCommand) {
logger.warn('java files found but dependency-check was not found in $PATH')
logger.warn(`java-owasp scan will not run unless you install Owasp Dependency Check CLI`)
logger.warn('Installation instructions: https://github.com/Stono/hawkeye/blob/master/lib/modules/owaspDependencyCheck/README.md')
return false
}

return isJavaProject && hasJarFiles
return isJvmProject && hasJarFiles
},
run: async fm => {
const jarFiles = getProjectJars(fm).map(getAbsolutePath(fm)).join(' -s ')
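Review bot: fm.all() is walked twice at the top of handles to build isJavaProject and isKotlinProject, and the two intermediates exist only to be OR-ed into isJvmProject; one predicate says the same thing more directly: `const isJvmProject = fm.all().some(file => file.endsWith('.java') || file.endsWith('.kt'))`. Whether fm.all() caches the listing or re-reads the tree is not visible here, so this is mainly a readability point rather than a performance one. The same shape appears in lib/modules/java-find-secbugs/index.js in this commit. The run function starting at the bottom of the hunk continues outside it.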