Delveline is a tool for Kotlin and Java developers that identifies and categorizes vulnerabilities, helping teams align with security standards like ISO 27001 and improve code security.
Delveline is a specialized tool designed for Kotlin and Java developers, helping identify and categorize software vulnerabilities effectively. By leveraging the CWE (Common Weakness Enumeration) framework and detecting CVE (Common Vulnerabilities and Exposures), Delveline bridges the gap between secure software development and industry standards like ISO 27001.
Aligned with ISO 27001’s focus on information security and risk management, Delveline provides actionable insights into vulnerabilities within source code and dependencies specific to Kotlin and Java projects. While not a standalone security solution, it serves as a valuable aid in achieving compliance by offering clear categorization of risks and practical guidance for remediation.
We leverage:
- CWE (Common Weakness Enumeration): A global standard for identifying and categorizing vulnerabilities.
- OSV (Open Source Vulnerabilities): A comprehensive database for open-source vulnerability information.
- ISO/IEC 27001 Alignment: Supporting security awareness and risk management practices aligned with global information security standards.
Delveline empowers Kotlin and Java teams to develop secure and resilient applications while aligning their development practices with global security standards.
Disclaimer: Delveline may not identify all vulnerabilities but serves as a powerful first step in securing your codebase.
Delvelin can be integrated into a Java/Kotlin project in two ways. Choose the one that suits your project's needs:
Add the plugin to your Gradle project.

Kotlin DSL (`build.gradle.kts`):

```kotlin
plugins {
    id("io.github.hangga.delvelin") version "0.2.0-beta"
}
```

Groovy DSL (`build.gradle`):

```groovy
plugins {
    id 'io.github.hangga.delvelin' version '0.2.0-beta'
}
```
Configure Delvelin using the `delvelin` extension:

```groovy
delvelin {
    outputFileFormat = 'JSON' // Options: LOG, JSON, HTML
    showSaveDialog = false
}
```
| Configuration Option | Description | Default Value |
|---|---|---|
| `setOutputFormat` | Set the output format of the analysis (`HTML`, `JSON`, or `LOG`). | `LOG` |
| `setAutoLaunchBrowser` | Automatically open the generated HTML report in the browser. Set to `false` to disable. | `false` |
| `setShowSaveDialog` | Display a save dialog for HTML and JSON reports. Set to `false` to disable. | `false` |
Run the `delvelinScan` task to analyze your project:

```shell
./gradlew delvelinScan
```
If we are using IntelliJ IDEA, we can also run the task from the Gradle tool window in the sidebar:
Add the `delvelinScan` Gradle task to our pipeline configuration, for example (GitLab CI):

```yaml
stages:
  - test

gradle-scan:
  stage: test
  image: gradle:7.6-jdk8
  script:
    - gradle delvelinScan
  only:
    - main
    - develop
```
We can use the Delvelin library just like any other Kotlin/Java library. This is the more flexible option and offers additional configuration.

Gradle (Groovy DSL):

```groovy
repositories {
    maven { url 'https://repo.repsy.io/mvn/hangga/repo' }
}

dependencies {
    testImplementation('io.github.hangga:delvelin-plugin:0.2.0-beta')
}
```

Maven (`pom.xml`):

```xml
<repository>
    <id>hangga-repsy-repo</id>
    <url>https://repo.repsy.io/mvn/hangga/repo</url>
</repository>

<dependency>
    <groupId>io.github.hangga</groupId>
    <artifactId>delvelin-plugin</artifactId>
    <version>0.2.0-beta</version>
    <scope>test</scope>
</dependency>
```
It is highly recommended to run the Delvelin library in unit tests to keep your production classes clean. You can also run it in the main class or the project’s main package, but this is not advised.
Here’s an example of a unit test to instantiate and run Delvelin:
```kotlin
@Test
fun `vulnerability test`() {
    Delvelin()
        .setOutputFormat(OutputFileFormat.HTML)
        .setAutoLaunchBrowser(true) // Automatically opens the browser for HTML format
        .setAllowedExtensions(".java") // By default, it supports .java, .kt, .gradle, .kts, and .xml
        .setShowSaveDialog(true) // Only applicable for HTML & JSON formats
        .setShowDate(true) // For console LOG format
        .scan()
}
```
To log messages in Logcat on Android, you can use a custom listener like this:

```kotlin
@Test
fun `vulnerability test with custom listener for android`() {
    Delvelin().setLogListener(object : LogListener {
        override fun onGetLog(s: String) {
            Log.d("DelvelinLog", s)
        }

        override fun onGetLog(stringBuffer: StringBuffer) {
            Log.d("DelvelinLog", stringBuffer.toString())
        }
    }).scan()
}
```
Automatically open the generated HTML report in the browser:

```kotlin
@Test
fun `vulnerability test`() {
    Delvelin()
        .setOutputFormat(OutputFileFormat.HTML)
        .setAutoLaunchBrowser(true) // Automatically opens the browser for HTML format
        .scan()
}
```

Show a save dialog for the HTML report instead:

```kotlin
@Test
fun `vulnerability test with save dialog`() {
    Delvelin()
        .setOutputFormat(OutputFileFormat.HTML)
        .setShowSaveDialog(true) // Only applicable for HTML & JSON formats
        .scan()
}
```
Below is an example of how to use Delvelin with a custom detector, `ExampleCustomDetector`.

- Create a custom detector class like `ExampleCustomDetector`.
- Add the detection implementation in the `detect(line: String, lineNumber: Int)` and `detect(content: String)` methods.
- Create a test function that sets the output format, adds the custom detector, and runs the scan.

The following custom detector detects a specific pattern in the code. It checks each line of code, and then the entire file content, for the pattern `examplePattern`.
```kotlin
class ExampleCustomDetector : BaseDetector() {

    init {
        this.vulnerabilities = Vulnerabilities.UNSAFE_REFLECTION
    }

    override fun detect(line: String, lineNumber: Int) {
        // Implementation of line-based detection
        if (line.contains("examplePattern")) {
            val specificLocation = specificLocation(lineNumber)
            setValidVulnerability(
                specificLocation,
                "Example finding",
                "Detected example pattern in the code"
            )
        }
    }

    override fun detect(content: String) {
        // Implementation of full content-based detection
        if (content.contains("examplePattern")) {
            val specificLocation = specificLocation(-1) // -1 to denote whole content
            setValidVulnerability(
                specificLocation,
                "Example finding",
                "Detected example pattern in the full content"
            )
        }
    }
}
```
Here is an example test that uses `ExampleCustomDetector` with Delvelin. This test sets the output format to HTML and adds the custom detector before running the scan.

```kotlin
@Test
fun `test using your own custom detector`() {
    Delvelin().setOutputFormat(OutputFileFormat.HTML)
        .addCustomDetector(ExampleCustomDetector())
        .scan()
}
```
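The detector above matches a fixed token, which is enough to show the API but not how a real check is written. The following is an added example, not code from the Delvelin project, that uses the same `BaseDetector` API shown above (`vulnerabilities`, `specificLocation`, `setValidVulnerability` and the two `detect` overloads are assumed to behave exactly as in `ExampleCustomDetector`). It reports `Class.forName(...)` calls whose argument is not a string literal, i.e. class names computed at runtime, which is the pattern that makes reflection unsafe when the name can come from untrusted input, and it stays quiet for literal class names and commented-out code. `OutputFileFormat.LOG` is assumed from the options table; JUnit 4 is assumed for `@Test`, and the Delvelin import statements are omitted because the page does not show the library's package names.

```kotlin
import org.junit.Test // JUnit 4 assumed, as in the tests on this page

// Added example: flags dynamic class loading via reflection.
// Assumes the BaseDetector API exactly as used by ExampleCustomDetector above.
class DynamicClassForNameDetector : BaseDetector() {

    // Matches `Class.forName(` followed by something that is not a string literal,
    // e.g. Class.forName(request.getParameter("cls")).
    // Literal names such as Class.forName("com.example.Foo") are not reported.
    private val dynamicForName = Regex("""Class\.forName\(\s*(?!["'])\S""")

    init {
        // Reuse the reflection category that the page's example uses.
        this.vulnerabilities = Vulnerabilities.UNSAFE_REFLECTION
    }

    override fun detect(line: String, lineNumber: Int) {
        // Skip comment lines so commented-out code does not produce noise.
        val trimmed = line.trimStart()
        if (trimmed.startsWith("//") || trimmed.startsWith("*")) return

        if (dynamicForName.containsMatchIn(line)) {
            setValidVulnerability(
                specificLocation(lineNumber),
                "Dynamic class loading via Class.forName",
                "The class name is computed at runtime; if it can derive from untrusted " +
                    "input, restrict it to an allow-list of expected class names."
            )
        }
    }

    override fun detect(content: String) {
        // The line-level pass already reports every occurrence with its line
        // number, so the whole-content pass is intentionally empty to avoid
        // reporting the same call twice.
    }
}

class DynamicClassForNameDetectorTest {

    @Test
    fun `scan with dynamic Class forName detector`() {
        Delvelin()
            .setOutputFormat(OutputFileFormat.LOG)   // assumed from the options table
            .setAllowedExtensions(".java", ".kt")    // limit the scan to source files
            .addCustomDetector(DynamicClassForNameDetector())
            .scan()
    }
}
```

Using the LOG format keeps the test CI-friendly: it needs neither a browser nor a save dialog, which the Important Notes below require for HTML and JSON output. The content-level `detect` is left empty on purpose; a detector that reports the same finding from both passes would double-count every hit in the report.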
| Configuration Option | Description | Default Value |
|---|---|---|
| `setOutputFormat(OutputFileFormat format)` | Set the output format of the analysis (`HTML`, `JSON`, or `LOG`). | `LOG` |
| `setAllowedExtensions(String... values)` | Specify file extensions to include in the analysis. By default, allows `.java`, `.kt`, `.gradle`, `.kts`, and `.xml`. | `[".java", ".kt", ".gradle", ".kts", ".xml"]` |
| `setAutoLaunchBrowser(boolean value)` | Automatically open the generated HTML report in the browser. Set to `false` to disable. | `false` |
| `setShowSaveDialog(boolean value)` | Display a save dialog for HTML and JSON reports. Set to `false` to disable. | `false` |
| `setLogListener(LogListener listener)` | Set a custom listener for capturing logs during analysis (useful for Android integration). | `null` |
| `addCustomDetector(BaseDetector detector)` | Add your own custom detector to identify specific patterns or vulnerabilities in the code. | `null` |
Important Notes: If you choose the JSON or HTML output format, you must use either `setAutoLaunchBrowser` or `setShowSaveDialog`. These methods ensure that the output is handled properly.
This project is licensed under MIT License.
Contributions are welcome! Feel free to submit issues or pull requests for new features or improvements.
This project is still a work in progress, and your contributions are highly valuable in helping us improve and refine it.
If you find this project useful and would like to support its development, we would greatly appreciate your donations. Your generosity will go a long way in ensuring the growth and sustainability of this initiative.
Thank you for your support!
Feel free to reach out for questions, suggestions, or contributions:
- 📧 Email: [email protected]
- 🌐 GitHub Repository