Does anyone have success with SAST processing Kotlin source?
The language is not in the supported language list but I still expected at least the secret processing to work - perhaps incorrectly?
I was also hopeful SpotBugs would work as it processes at the bytecode level and the OWASP website states the following:
SpotBugs is a static analysis tool that targets Java but also works with Groovy, Scala and Kotlin projects.
When running SAST against a Kotlin project it does consider the source as valid and successfully (without error) runs secrets and spotbugs against it.
However, for the simple case of hard-coded secrets it appears to ignore issues like this:
val secretKey: String = "1b27556473e985d462cd51197a9a46c76009549eac6474f206c4ee0844f68389"
Also, the following cipher vulnerability has not been found:
val c: Cipher = Cipher.getInstance("AES/ECB/NoPadding")
The equivalent in Java was discovered.
Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
Using the following versions:
GitLab 12.03-ee
SAST 12-0-stable
SpotBugs 2
Secrets 2
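As an added illustration (not part of the post, and not GitLab's or SpotBugs' own detection logic), here is a small stand-alone checker for the two gaps described above: a high-entropy string literal assigned to a secret-looking name, and a `Cipher.getInstance` transformation that selects ECB mode (explicitly, or implicitly via a bare "AES", which the JCE defaults to ECB). It handles both Kotlin `val`/`var` and Java `String` declarations; the sample source, the name list and the entropy threshold are constructed assumptions for the demo.

```python
import math
import re

# Constructed sample source: the two Kotlin lines from the post, a harmless
# string, a GCM call that should not fire, the Java equivalent, and a bare "AES".
SAMPLE_SOURCE = '''
val secretKey: String = "1b27556473e985d462cd51197a9a46c76009549eac6474f206c4ee0844f68389"
val label: String = "hello world"
val c: Cipher = Cipher.getInstance("AES/ECB/NoPadding")
val ok: Cipher = Cipher.getInstance("AES/GCM/NoPadding")
Cipher j = Cipher.getInstance("AES/ECB/NoPadding");
Cipher bare = Cipher.getInstance("AES");
'''

# Kotlin "val name: String = "..."" or Java "String name = "..."" with a secret-like name.
SECRET_DECL = re.compile(
    r'\b(?:val|var|String)\s+(\w*(?:secret|key|token|password|passwd)\w*)'
    r'\s*(?::\s*String)?\s*=\s*"([^"]+)"', re.IGNORECASE)
# Any JCE Cipher.getInstance("ALG/MODE/PADDING") call with a literal transformation.
CIPHER_CALL = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"\s*\)')

def shannon_entropy(s: str) -> float:
    """Bits per character; random hex keys sit near 4.0, prose well below 3.0."""
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_source(source: str, min_len: int = 16, min_entropy: float = 3.0):
    """Return (line_number, finding_kind, detail) tuples for the sample checks."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SECRET_DECL.search(line)
        if m:
            name, literal = m.group(1), m.group(2)
            if len(literal) >= min_len and shannon_entropy(literal) >= min_entropy:
                findings.append((lineno, "hardcoded-secret", name))
        m = CIPHER_CALL.search(line)
        if m:
            transformation = m.group(1)
            parts = transformation.upper().split("/")
            # A bare algorithm name such as "AES" falls back to the provider default, ECB.
            mode = parts[1] if len(parts) > 1 else "ECB"
            if mode == "ECB":
                findings.append((lineno, "ecb-mode", transformation))
    return findings

if __name__ == "__main__":
    for lineno, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} ({detail})")
```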