scala.lang.security.audit.scalac-debug.scalac-debug


Scala applications built with a scalac debug option (`-Vdebug` or `-Ydebug`) enabled in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from the build configuration.

Definition

rules:
  - id: scalac-debug
    patterns:
      - pattern-either:
          - pattern: scalacOptions ... "-Vdebug"
          - pattern: scalacOptions ... "-Ydebug"
    message: Scala applications built with `debug` set to true in production may
      leak debug information to attackers. Debug mode also affects performance
      and reliability. Remove it from configuration.
    languages:
      - generic
    severity: WARNING
    paths:
      include:
        - "*.sbt*"
    metadata:
      category: security
      cwe:
        - "CWE-489: Active Debug Code"
      owasp: A05:2021 - Security Misconfiguration
      technology:
        - scala
        - sbt
      references:
        - https://docs.scala-lang.org/overviews/compiler-options/index.html
      confidence: MEDIUM
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Active Debug Code

Examples

scalac-debug.sbt

name := """seed1"""
organization := "testing"

version := "1.0-SNAPSHOT"

lazy val root = (project in file(".")).enablePlugins(PlayScala)

scalaVersion := "2.13.8"

libraryDependencies += guice
libraryDependencies += "org.scalatestplus.play" %% "scalatestplus-play" % "5.0.0" % Test
libraryDependencies += ws

// ok: scalac-debug
scalacOptions ++= Seq(
  "-no-specialization"
)

// ruleid: scalac-debug
scalacOptions ++= Seq(
  "-encoding", "utf8", // Option and arguments on same line
  "-Xfatal-warnings",  // New lines for each options
  "-deprecation",
  "-Vdebug",
  "-language:implicitConversions",
  "-language:higherKinds",
  "-language:existentials",
  "-language:postfixOps"
)

// ok: scalac-debug
scalacOptions ++= Seq(
  "-Xsource-reader", "CLASSNAME",
  "-opt-inline-from", "PATTERNS1"
)

// ruleid: scalac-debug
scalacOptions += "-Ydebug"
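The rule above runs in Semgrep's `generic` mode, so `scalacOptions ... "-Vdebug"` matches a `scalacOptions` statement whether the flag sits on the same line (`+= "-Ydebug"`) or several lines down inside a `Seq(...)`. The following script is an added example, not Semgrep's engine or part of the rule: it re-implements that matching idea in plain Python over an inline sbt snippet (constructed to mirror the example file above), tracking parentheses so a multi-line `Seq(...)` is treated as one statement and dropping `//` comments so a commented-out flag is not reported. The comment-stripping assumes the build file has no `//` inside string literals.

```python
"""Minimal stand-in for the scalac-debug check over sbt build text.

Added example: it mimics what the generic-mode pattern
`scalacOptions ... "-Vdebug"` / `... "-Ydebug"` reports, by collecting every
`scalacOptions` statement (single-line `+=` or multi-line `++= Seq(...)`)
and returning the flag and line number wherever a debug option appears.
"""
import re

# The two scalac options the Semgrep rule looks for.
DEBUG_FLAGS = {"-Vdebug", "-Ydebug"}

# Constructed sample build file, modelled on the page's scalac-debug.sbt.
SAMPLE_SBT = """\
name := "seed1"

// ok: scalac-debug
scalacOptions ++= Seq(
  "-no-specialization"
)

// ruleid: scalac-debug
scalacOptions ++= Seq(
  "-encoding", "utf8", // Option and arguments on same line
  "-Xfatal-warnings",
  "-Vdebug",
  "-language:postfixOps"
)

// ok: a commented-out flag is not active
// scalacOptions += "-Ydebug"

// ruleid: scalac-debug
scalacOptions += "-Ydebug"
"""


def strip_line_comment(line: str) -> str:
    """Drop a trailing `// ...` comment (assumes no `//` inside string literals)."""
    return line.split("//", 1)[0]


def find_scalac_debug(sbt_text: str):
    """Return a list of (line_number, flag) findings, 1-based line numbers."""
    findings = []
    lines = sbt_text.splitlines()
    i = 0
    while i < len(lines):
        code = strip_line_comment(lines[i])
        if not re.match(r"\s*scalacOptions\b", code):
            i += 1
            continue
        # Walk the statement until its parentheses balance, scanning every
        # string literal on each line for a debug flag.
        depth = code.count("(") - code.count(")")
        j = i
        while True:
            for m in re.finditer(r'"([^"]*)"', strip_line_comment(lines[j])):
                if m.group(1) in DEBUG_FLAGS:
                    findings.append((j + 1, m.group(1)))
            if depth <= 0 or j + 1 >= len(lines):
                break
            j += 1
            nxt = strip_line_comment(lines[j])
            depth += nxt.count("(") - nxt.count(")")
        i = j + 1
    return findings


if __name__ == "__main__":
    for lineno, flag in find_scalac_debug(SAMPLE_SBT):
        print(f"scalac-debug: {flag} enabled at line {lineno}")
```

On the embedded sample this reports `-Vdebug` at line 12 and `-Ydebug` at line 20 and stays silent on the `-no-specialization` block and the commented-out line. Semgrep's own generic matcher is more general than this parenthesis walk (it tolerates arbitrary tokens between `scalacOptions` and the flag), so treat the script as an illustration of the rule's intent rather than a replacement for running `semgrep` with the rule.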