Security Scanning Tool for Kotlin?

Is anyone aware of a tool that will scan for possible security violations in Kotlin code similar to how Checkmarx works? Note: I’m not talking about a linter, I’m talking about something that looks for things like possible XSS or SQL Injection type attacks. The company I work for pretty much requires something like this for production code, and not being able to find one for Kotlin might stop (or slow down) my team’s planned adoption.

You can use tools that work by analyzing bytecode, not source code; such tools should work well with Kotlin-compiled classes. As far as I know, no security scanning tools understand Kotlin source code at this time.
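As an added illustration of the kind of finding such a scanner reports (this is example code, not part of the original thread or of any scanner's rule set): the two functions below query the same table, one by interpolating untrusted input into the SQL string and one with a bound parameter. Because both compile to ordinary JVM bytecode, a bytecode-level analyzer (SpotBugs with the Find Security Bugs plugin is one that does this) sees the `Statement.executeQuery` call fed by string concatenation and can flag it without understanding Kotlin source. The in-memory H2 database and the `users` table are assumptions for the demo; the H2 driver must be on the classpath.

```kotlin
import java.sql.Connection
import java.sql.DriverManager
import java.sql.ResultSet

// Vulnerable: the caller-supplied username is spliced into the query text.
// A bytecode scanner sees StringBuilder.append(...) flowing into
// Statement.executeQuery(String) and reports SQL injection.
fun findUserUnsafe(conn: Connection, username: String): List<String> {
    val sql = "SELECT name FROM users WHERE name = '$username'"
    conn.createStatement().use { st ->
        st.executeQuery(sql).use { rs -> return rs.names() }
    }
}

// Hardened: the query text is constant and the value travels as a bound
// parameter, so it is never parsed as SQL.
fun findUserSafe(conn: Connection, username: String): List<String> {
    conn.prepareStatement("SELECT name FROM users WHERE name = ?").use { ps ->
        ps.setString(1, username)
        ps.executeQuery().use { rs -> return rs.names() }
    }
}

private fun ResultSet.names(): List<String> {
    val out = mutableListOf<String>()
    while (next()) out += getString("name")
    return out
}

fun main() {
    // Assumption for the demo: H2 in-memory database with a constructed table.
    DriverManager.getConnection("jdbc:h2:mem:demo").use { conn ->
        conn.createStatement().use { st ->
            st.execute("CREATE TABLE users (name VARCHAR(64))")
            st.execute("INSERT INTO users VALUES ('alice'), ('bob')")
        }

        // Classic tautology payload; constructed input, not real traffic.
        val payload = "' OR '1'='1"

        // Unsafe version: the WHERE clause becomes name = '' OR '1'='1',
        // so every row comes back.
        println("unsafe: " + findUserUnsafe(conn, payload))   // [alice, bob]

        // Safe version: the payload is compared literally as a name and
        // matches nothing.
        println("safe:   " + findUserSafe(conn, payload))     // []
    }
}
```

The same pattern (tainted input reaching a sink through string building) is what source-level products look for under the "SQL Injection" and "XSS" headings; with a bytecode analyzer the sink is the JDBC or servlet API call rather than the Kotlin expression, which is why the approach works on Kotlin-compiled classes.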

Hi Yole, what’s the status on this? Do you know if any Kotlin security scanners have been developed in the last year?

I’m not aware of any, but I haven’t been specifically looking for them.

A few months ago an HP Fortify rep told someone at my company that adding support for Kotlin was on their roadmap. I have no idea what that really means as far as the likelihood of that really happening or the possible timeframe though.

Checkmarx 8.9.0 will have support for Kotlin up to 1.2.0: https://checkmarx.atlassian.net/wiki/spaces/KC/pages/929039280/Release+Notes+for+Version+8.9.0.

This is only for Kotlin Android support, there are no rules for non-Android Kotlin code. This is from Checkmarx 8.9.0:

We are struggling to find a secure code scanning tool that supports Kotlin. Any updates?