1 of 51

Soteria

Security and consistency all in one.

Made by Leo Benkel

By Leo Benkel

2 of 51

Leo Benkel

Senior Data Engineer

Demandbase is hiring in SF, Seattle

leobenkel.com

2

leobenkel

Made by Leo Benkel

By Leo Benkel

3 of 51

Agenda

Write good scala code
Soteria

3

Made by Leo Benkel

By Leo Benkel

4 of 51

Write good Scala code

Vulnerabilities
Code Style / Practices
Unit test

4

Made by Leo Benkel

By Leo Benkel

5 of 51

Vulnerabilities

5

Made by Leo Benkel

By Leo Benkel

6 of 51

Example of vulnerabilities

https://www.sourceclear.com/vulnerability-database/security/remote-code-execution/java/sid-22908

6

Made by Leo Benkel

By Leo Benkel

7 of 51

Remote code execution in jackson-databind

7

Made by Leo Benkel

By Leo Benkel

8 of 51

8

Made by Leo Benkel

By Leo Benkel

9 of 51

Solution on how to resolve the issue

9

Made by Leo Benkel

By Leo Benkel

10 of 51

How to make sure

all projects, all teams,

are using the right versions ?

10

Made by Leo Benkel

By Leo Benkel

11 of 51

Why would we want that?

Security audit

The faster the auditor can assess your company, the better.

If every single projects are guaranteed to follow the same rules, it is straightforward.

11

Made by Leo Benkel

By Leo Benkel

12 of 51

Code styling

12

Made by Leo Benkel

By Leo Benkel

13 of 51

Consistency

13

Made by Leo Benkel

By Leo Benkel

14 of 51

Consistency!

ScalaFMT

Automatic reformat
IntelliJ support

ScalaStyle

Naming convention
Method length / Class size / Number of methods

ScalaFix

No vars, No return
Unused
Explicit return type

14

Made by Leo Benkel

By Leo Benkel

15 of 51

Why consistency?

Easier ramping time for new employees

If you only have one system to teach, it is much easier for employees to ramp up for each and every projects across your enterprise.

This also apply to internal team changes.

15

Made by Leo Benkel

By Leo Benkel

16 of 51

Unit test

16

Made by Leo Benkel

By Leo Benkel

17 of 51

Measure unit test?

Coveralls

How much code is executed during tests?

Stryker

Are my tests testing anything?

17

Made by Leo Benkel

By Leo Benkel

18 of 51

Soteria

18

Made by Leo Benkel

By Leo Benkel

19 of 51

https://github.com/leobenkel/Soteria

19

Made by Leo Benkel

By Leo Benkel

20 of 51

https://github.com/leobenkel/Soteria

20

Made by Leo Benkel

By Leo Benkel

21 of 51

Soteria's features

Block compilation when not compliant
Enforce library version
Forbid dependencies
Dependency override automated
Code styling
Unit test coverage
Fat jar building

21

Made by Leo Benkel

By Leo Benkel

22 of 51

Configuration

22

Made by Leo Benkel

By Leo Benkel

23 of 51

soteria.json

{

"dockerImage": "openjdk:8-jre",

"modules": { ??? },

"scalaCFlags": ["-Ywarn-unused", "-Ywarn-unused-import", "-Ywarn-dead-code", ...],

"sbtVersion": "1.2.6",

"scalaVersions": ["2.12.7", "2.11.12"]

}

Image to use to build fat-jar
Module dependencies and enforcement, version rules, etc…
Compilation flags
SBT version
Scala version

23

Made by Leo Benkel

By Leo Benkel

24 of 51

Where is the configuration located?

soteriaConfPath := "soteria.json"

By default it will search for "soteria.json" but you can point it to any other files or even URL.

24

Made by Leo Benkel

By Leo Benkel

25 of 51

Packaged plugins

25

Made by Leo Benkel

By Leo Benkel

26 of 51

Packaged sbt plugin - Code style

"com.geirsson" % "sbt-scalafmt"

Automatic reformat
IntelliJ support

"org.scalastyle" %% "scalastyle-sbt-plugin"

Naming convention
Method length / Class size / Number of methods

"ch.epfl.scala" % "sbt-scalafix"

No vars, No return
Unused
Explicit return type

26

Made by Leo Benkel

By Leo Benkel

27 of 51

Packaged sbt plugin - For test

"org.scoverage" % "sbt-scoverage"
"org.scoverage" % "sbt-coveralls"

How much code is executed during tests?

"io.stryker-mutator" % "sbt-stryker4s"

Are my tests testing anything?

27

Made by Leo Benkel

By Leo Benkel

Enforce good testing practices

Coverall will report the percent of line of code executed when running your unit test.

But unit test are code too. How to make sure your unit test are testing the right things.

You can write unit test for unit test !

Or you can use Stryker.

It is using mutators to go into your code and change bits and pieces. For each changes , it runs your entire test suite.

For your project to get 100% score, each of those changes should have break at least one of your unit test.

For unit testing

Pre included for you

And some command have been added to make the usage more intuitive, we are not going to talk about those today but just so you know there are there. There are in the README too.

You just have to call one command to run all the test command to run and publish your coveralls results. It also makes sure your env key is there, etc...

28 of 51

Fat-jar build

28

Made by Leo Benkel

By Leo Benkel

29 of 51

Packaged sbt plugin - Fat jar

assemblyOption in assembly := soteriaAssemblySettings.value

enablePlugins(DockerPlugin)

"com.eed3si9n" % "sbt-assembly"
"se.marcuslonnberg" % "sbt-docker"

29

Made by Leo Benkel

By Leo Benkel

30 of 51

Docker image

"dockerImage": "openjdk:8-jre"

30

Made by Leo Benkel

By Leo Benkel

31 of 51

Library A

Library with vulnerabilities

Pull

Safe version of the library

Made by Leo Benkel

By Leo Benkel

40 of 51

Replace a dependency

40

Library A

Pull

Safe version of the library

Made by Leo Benkel

By Leo Benkel

41 of 51

Replace a dependency

{

"modules": {

"group.id": {

"artifact-name": {

"version": "1.2.3",

"dependenciesToRemove": [

"com.danger | risky_artifact"

]

}

},

"com.danger": {

"risky_artifact": {

"version": "5.6.7"

}

41

Made by Leo Benkel

By Leo Benkel

42 of 51

Replace a dependency

{

"modules": {

"group.id": {

"artifact-name": {

"version": "1.2.3",

"dependenciesToRemove": [

"com.danger | risky_artifact"

]

}

},

"com.danger": {

"risky_artifact": {

"version": "5.6.7",

"overrideIsEnough": false

}

42

Made by Leo Benkel

By Leo Benkel

43 of 51

Replace a dependency

{

"modules": {

"group.id": {

"artifact-name": {

"version": "1.2.3",

"dependenciesToRemove": [

"com.danger | risky_artifact"

]

}

},

"com.danger": {

"risky_artifact": {

"version": "None",

"overrideIsEnough": false

}

43

Made by Leo Benkel

By Leo Benkel

44 of 51

How to build dependenciesToRemove

44

Made by Leo Benkel

By Leo Benkel

45 of 51

Generate the tree of dependenciesToRemove

sbt soteriaDebugAllModules

45

Made by Leo Benkel

By Leo Benkel

46 of 51

What does it do ?

Remove all the dependencies from your build.sbt
List all the known libraries from your config file
Add one library at a time, compile and get the fetched dependencies
Compare the fetch dependencies with the known dependencies from your config file
When all the libraries have been reviewed, the plugin will display a new json payload that you can just copy paste with all the dependenciesToRemove set to the knowledge you have in your json.

46

Made by Leo Benkel

By Leo Benkel

47 of 51

I can't do it all at once !

47

Made by Leo Benkel

By Leo Benkel

48 of 51

How to progressively get to compliance?

soteriaSoft := true

soteriaSoftOnCompilerWarning := true

Turn the compilation errors into warnings
Remove -Xfatal-warning from the scalaCOptions.

48

Made by Leo Benkel

By Leo Benkel

49 of 51

What next?

49

Made by Leo Benkel

By Leo Benkel

50 of 51

What next?

https://github.com/leobenkel/Soteria/issues
Read from sbt file instead of json
Git hooks

50

Made by Leo Benkel

By Leo Benkel

51 of 51

Thank you !

Questions?

51

Made by Leo Benkel

By Leo Benkel