SAST Kotlin analysis working?

Does anyone have success with SAST processing Kotlin source?

The language is not in the supported language list but I still expected at least the secret processing to work - perhaps incorrectly?

I was also hopeful SpotBugs would work, as it processes at the bytecode level, and the OWASP website states the following:

SpotBugs is a static analysis tool that targets Java but also works with Groovy, Scala and Kotlin projects.

When running SAST against a Kotlin project it does consider the source as valid and successfully (without error) runs Secrets and SpotBugs against it.

However, for the simple case of hard-coding secrets, it appears to ignore issues like this:

val secretKey: String = "1b27556473e985d462cd51197a9a46c76009549eac6474f206c4ee0844f68389"

:thinking:

Also, the following cipher vulnerability has not been found:

val c: Cipher = Cipher.getInstance("AES/ECB/NoPadding")

:confused:

The equivalent in Java was discovered:

Cipher c = Cipher.getInstance("AES/ECB/NoPadding");

:smiley:

Using the following versions:
GitLab 12.03-ee
SAST 12-0-stable
Spotbugs 2
Secrets 2

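For anyone building a small fixture to check whether a scanner picks up the two Kotlin patterns from the post, here is an added example (not code from the original post or from GitLab SAST). It keeps the hard-coded key and the AES/ECB call exactly as posted, as the "should be flagged" half, and places the corrected form next to it: the key is read from an environment variable (the variable name APP_AES_KEY_HEX is an assumption) and the cipher is switched to AES/GCM with a random per-message IV. The hardened half is a complete round trip, so it doubles as a regression test that the fix actually works.

```kotlin
// Added example, not part of the original post. Two halves:
//  1. the posted patterns, unchanged, as a SAST test fixture (expected findings)
//  2. the hardened equivalent (expected to be clean)
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

// ---------- 1. patterns the scanner should flag (taken from the post) ----------

// Hard-coded secret literal: a secret detector should report this line.
val secretKey: String = "1b27556473e985d462cd51197a9a46c76009549eac6474f206c4ee0844f68389"

// ECB mode: identical plaintext blocks give identical ciphertext blocks,
// so structure leaks. A weak-cipher rule should report the transformation string.
// (NoPadding also means the caller must supply a 16-byte multiple.)
fun weakEncrypt(plaintext: ByteArray): ByteArray {
    val c: Cipher = Cipher.getInstance("AES/ECB/NoPadding")
    c.init(Cipher.ENCRYPT_MODE, SecretKeySpec(hexToBytes(secretKey), "AES"))
    return c.doFinal(plaintext)
}

// ---------- 2. hardened equivalent ----------

private const val GCM_TAG_BITS = 128   // full-size authentication tag
private const val GCM_IV_BYTES = 12    // 96-bit IV, the recommended GCM nonce size

fun hexToBytes(hex: String): ByteArray =
    ByteArray(hex.length / 2) { i -> hex.substring(2 * i, 2 * i + 2).toInt(16).toByte() }

// Key comes from the environment instead of the source tree.
// APP_AES_KEY_HEX is an assumed variable name: 64 hex chars = 256-bit AES key.
fun loadKey(): SecretKeySpec {
    val hex = System.getenv("APP_AES_KEY_HEX") ?: error("APP_AES_KEY_HEX is not set")
    require(hex.length == 64) { "expected a 256-bit key as 64 hex characters" }
    return SecretKeySpec(hexToBytes(hex), "AES")
}

// AES-GCM with a fresh random IV per message; the IV is prepended to the
// ciphertext so the receiver can recover it. Never reuse an IV with the same key.
fun safeEncrypt(plaintext: ByteArray, key: SecretKeySpec): ByteArray {
    val iv = ByteArray(GCM_IV_BYTES).also { SecureRandom().nextBytes(it) }
    val c = Cipher.getInstance("AES/GCM/NoPadding")
    c.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(GCM_TAG_BITS, iv))
    return iv + c.doFinal(plaintext)
}

// Decrypt and verify the tag; doFinal throws AEADBadTagException on tampering.
fun safeDecrypt(blob: ByteArray, key: SecretKeySpec): ByteArray {
    val iv = blob.copyOfRange(0, GCM_IV_BYTES)
    val c = Cipher.getInstance("AES/GCM/NoPadding")
    c.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(GCM_TAG_BITS, iv))
    return c.doFinal(blob.copyOfRange(GCM_IV_BYTES, blob.size))
}

fun main() {
    val key = loadKey()
    val msg = "attack at dawn".toByteArray()   // constructed sample input
    val blob = safeEncrypt(msg, key)
    check(safeDecrypt(blob, key).contentEquals(msg)) { "GCM round trip failed" }
    println("round trip ok; ${blob.size} bytes on the wire (12-byte IV + ciphertext + 16-byte tag)")
}
```

To run the hardened half locally, generate a throwaway key and pass it through the environment, for example `APP_AES_KEY_HEX=$(openssl rand -hex 32) kotlin SastFixtureKt` after compiling with `kotlinc`. If the scanner reports neither the `secretKey` literal nor the `"AES/ECB/NoPadding"` string in this file, it is not analysing the Kotlin source, which is the behaviour described in the post.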

I do not think Kotlin is supported in GitLab SAST.

Relevant issue: https://gitlab.com/gitlab-org/gitlab/issues/36783

It would be helpful if you pasted your SAST log :smile:

Thanks for your response @tnir.

I’ve since moved on work-wise, so I don’t have the logs readily available.

But the logs would just show a successful analysis without hitting any of the example vulnerabilities.

See my last post: an equivalent Java vulnerability written in Kotlin would just be ignored, and the tests pass cleanly.
