
Delvelin is a code vulnerability analyzer for Java and Kotlin that supports security and risk-management best practices.


hangga/delvelin


Delvelin Scan Demo


Delvelin is a tool for Kotlin and Java developers that identifies and categorizes vulnerabilities, helping teams align with security standards such as ISO 27001 and improve code security.


1. How it Works

Delvelin is a static analysis tool for Kotlin and Java developers that identifies and categorizes software vulnerabilities. It classifies findings with the CWE (Common Weakness Enumeration) framework and checks dependencies for known CVEs (Common Vulnerabilities and Exposures), so that secure development practice can be related to industry standards such as ISO 27001.

Aligned with ISO 27001's focus on information security and risk management, Delvelin reports vulnerabilities in both the source code and the dependencies of Kotlin and Java projects. It is not a standalone security solution; it supports compliance work by categorizing risks clearly and giving practical remediation guidance.

We leverage:

  • CWE (Common Weakness Enumeration): a community-maintained catalogue of software weakness types, used to classify each finding.
  • OSV (Open Source Vulnerabilities): the OSV.dev database of known vulnerabilities in open-source packages, used for dependency checks.
  • ISO/IEC 27001 alignment: findings are framed to support the security awareness and risk-management practices the standard expects.

Delvelin helps Kotlin and Java teams build secure and resilient applications while aligning their development practices with recognised security standards.

2. Example Output

Or view the example report in HTML format.

Disclaimer: Delvelin may not identify all vulnerabilities, but it serves as a useful first step in securing your codebase.

3. Integrating Delvelin

Delvelin can be integrated into a Java/Kotlin project in two ways. Choose the one that suits your project:

3.1. Using Delvelin Gradle Plugin

Add the plugin to your Gradle project.

KTS

plugins {
    id("io.github.hangga.delvelin") version "0.2.0-beta"
}

Groovy

plugins {
    id 'io.github.hangga.delvelin' version '0.2.0-beta'
}

Configuration

Configure Delvelin using the delvelin extension.

delvelin {
    outputFileFormat = 'JSON' // Options: LOG, JSON, HTML
    showSaveDialog = false
}
Configuration options (Gradle extension):

  • setOutputFormat: output format of the analysis (HTML, JSON, or LOG). Default: LOG.
  • setAutoLaunchBrowser: automatically open the generated HTML report in the browser; set to false to disable. Default: false.
  • setShowSaveDialog: display a save dialog for HTML and JSON reports; set to false to disable. Default: false.

Running Delvelin Analyzer

On Local Machine

Run the delvelinScan task to analyze your project:

./gradlew delvelinScan


In IntelliJ IDEA, the task can also be run from the Gradle tool window in the sidebar.

On Gitlab CI

Add the delvelinScan Gradle task to the pipeline configuration, for example:

stages:
  - test

gradle-scan:
  stage: test
  image: gradle:7.6-jdk8
  script:
    - gradle delvelinScan
  only:
    - main
    - develop

3.2. Using Delvelin Library

The Delvelin library can be used like any other Kotlin/Java library. It offers more flexibility than the plugin, with additional configuration options.

Gradle

repositories {
    maven { url 'https://repo.repsy.io/mvn/hangga/repo' }
}

dependencies {
    testImplementation('io.github.hangga:delvelin-plugin:0.2.0-beta')
}
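As an added example (not code from the Delvelin project), the same dependency declared in Gradle's Kotlin DSL (build.gradle.kts) with repository content filtering, so that the third-party repsy.io repository is only consulted for the io.github.hangga group and can never answer a lookup for any other dependency, which closes off dependency-confusion attacks via that repository. The repository URL, group, artifact and version are the ones on this page; mavenCentral() as the primary repository is an assumption.

```kotlin
// build.gradle.kts (added example, not from the Delvelin project)
repositories {
    mavenCentral() // assumed primary repository for every other dependency

    // Third-party repository restricted to the one group it is needed for.
    // Gradle will not query repsy.io for any other group, so a look-alike
    // artifact published there cannot shadow a dependency from Maven Central.
    maven {
        url = uri("https://repo.repsy.io/mvn/hangga/repo")
        content {
            includeGroup("io.github.hangga")
        }
    }
}

dependencies {
    // Test scope only: the analyzer must not reach the production classpath.
    testImplementation("io.github.hangga:delvelin-plugin:0.2.0-beta")
}
```

Without the content filter, Gradle tries every declared repository in order for every dependency, so an extra repository silently becomes a second source for all of them. If you also want the artifact's checksum pinned, Gradle's dependency verification (gradle/verification-metadata.xml) records and enforces it on every build.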

Maven

<repository>
    <id>hangga-repsy-repo</id>
    <url>https://repo.repsy.io/mvn/hangga/repo</url>
</repository>

<dependency>
    <groupId>io.github.hangga</groupId>
    <artifactId>delvelin-plugin</artifactId>
    <version>0.2.0-beta</version>
    <scope>test</scope>
</dependency>

Best Practices

It is recommended to run the Delvelin library from unit tests so that production classes stay clean. It can also be run from the main class or the project's main package, but this is not advised: the dependency is declared with test scope above, and the analyzer has no place on a production classpath.

Here’s an example of a unit test to instantiate and run Delvelin:

@Test
fun `vulnerability test`() {
    Delvelin()
        .setOutputFormat(OutputFileFormat.HTML)
        .setAutoLaunchBrowser(true) // Automatically opens the browser for HTML format
        .setAllowedExtensions(".java") // By default, it supports .java, .kt, .gradle, .kts, and .xml
        .setShowSaveDialog(true) // Only applicable for HTML & JSON formats
        .setShowDate(true) // For Console LOG format
        .scan()
}

Usage on Android

To route Delvelin's log output to Logcat, register a custom listener, for example. Note that android.util.Log only works on a device or emulator: in a local JVM unit test the android.jar stubs throw "Method d ... not mocked" unless unitTests.isReturnDefaultValues is enabled, so run this as an instrumented test (androidTest) or replace Log.d with println for local tests.

@Test
fun `vulnerability test with custom listener for android`() {
    Delvelin().setLogListener(object : LogListener {
        override fun onGetLog(s: String) {
            Log.d("DelvelinLog", s)
        }

        override fun onGetLog(stringBuffer: StringBuffer) {
            Log.d("DelvelinLog", stringBuffer.toString())
        }
    }).scan()
}

Alternative Examples

@Test
fun `vulnerability test`() {
    Delvelin()
        .setOutputFormat(OutputFileFormat.HTML)
        .setAutoLaunchBrowser(true) // Automatically opens the browser for HTML format
        .scan()
}

@Test
fun `vulnerability test with save dialog`() {
    Delvelin()
        .setOutputFormat(OutputFileFormat.HTML)
        .setShowSaveDialog(true) // Only applicable for HTML & JSON formats
        .scan()
}


Usage with Custom Detector

Below is an example of how to use Delvelin with a custom detector ExampleCustomDetector.

Step-by-step

  1. Create a custom detector class like ExampleCustomDetector.
  2. Add detection implementation in the detect(line: String, lineNumber: Int) and detect(content: String) methods.
  3. Create a test function that sets the output format, adds the custom detector, and runs the scan.

Example Custom Detector

The following custom detector detects a specific pattern in the code. It checks each line of code and the entire content to find the pattern called examplePattern.

class ExampleCustomDetector : BaseDetector() {

    init {
        this.vulnerabilities = Vulnerabilities.UNSAFE_REFLECTION
    }

    override fun detect(line: String, lineNumber: Int) {
        // Implementation of line-based detection
        if (line.contains("examplePattern")) {
            val specificLocation = specificLocation(lineNumber)
            setValidVulnerability(
                specificLocation,
                "Example finding",
                "Detected example pattern in the code"
            )
        }
    }

    override fun detect(content: String) {
        // Implementation of full content-based detection
        if (content.contains("examplePattern")) {
            val specificLocation = specificLocation(-1) // -1 to denote whole content
            setValidVulnerability(
                specificLocation,
                "Example finding",
                "Detected example pattern in the full content"
            )
        }
    }
}

Using Custom Detector in Tests

Here is an example test that uses ExampleCustomDetector with Delvelin. This test sets the output format to HTML and adds the custom detector before running the scan.

@Test
fun `test using your own custom detector`() {
    Delvelin()
        .setOutputFormat(OutputFileFormat.HTML)
        .setAutoLaunchBrowser(true) // HTML and JSON output need this or setShowSaveDialog(true)
        .addCustomDetector(ExampleCustomDetector())
        .scan()
}
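As an added example (not code from the Delvelin project), a detector that actually looks for the UNSAFE_REFLECTION category the page's ExampleCustomDetector declares: it flags Class.forName() and getMethod()/getDeclaredMethod() calls whose class or method name is not a string literal, and reports setAccessible(true) once per file. It relies only on the BaseDetector members shown on this page (vulnerabilities, detect(line, lineNumber), detect(content), specificLocation(n), setValidVulnerability(location, title, text)); the regexes, the comment-skipping helper and the finding texts are this example's own, and the package names of BaseDetector, Vulnerabilities, Delvelin and OutputFileFormat are not shown on the page, so the imports are left to the reader's build.

```kotlin
// Added example, not part of the Delvelin project. Imports for BaseDetector,
// Vulnerabilities, Delvelin and OutputFileFormat come from the delvelin-plugin
// artifact; their package names are not shown on this page.

class UnsafeReflectionDetector : BaseDetector() {

    // Class.forName( <first argument that is not a string literal> )
    private val dynamicForName =
        Regex("""Class\.forName\((?!\s*")\s*([^,)]+)""")

    // .getMethod( / .getDeclaredMethod( with a method name that is not a string literal
    private val dynamicMethodLookup =
        Regex("""\.get(?:Declared)?Method\((?!\s*")\s*([^,)]+)""")

    init {
        // Same category the page's ExampleCustomDetector uses.
        this.vulnerabilities = Vulnerabilities.UNSAFE_REFLECTION
    }

    // Skip obvious comment lines so commented-out code is not reported.
    private fun isComment(line: String): Boolean {
        val t = line.trimStart()
        return t.startsWith("//") || t.startsWith("*") || t.startsWith("/*")
    }

    override fun detect(line: String, lineNumber: Int) {
        if (isComment(line)) return

        dynamicForName.find(line)?.let { m ->
            setValidVulnerability(
                specificLocation(lineNumber),
                "Class.forName() with a non-literal class name",
                "The class name is the expression '${m.groupValues[1].trim()}'. If it can be " +
                    "influenced by input, arbitrary classes get loaded and initialised; " +
                    "check it against an allow-list of expected class names first."
            )
        }

        dynamicMethodLookup.find(line)?.let { m ->
            setValidVulnerability(
                specificLocation(lineNumber),
                "Reflective method lookup with a non-literal method name",
                "The method name is the expression '${m.groupValues[1].trim()}'; " +
                    "restrict it to a fixed set of names before calling invoke()."
            )
        }
    }

    override fun detect(content: String) {
        // File-level finding: setAccessible(true) switches off Java access checks for the
        // reflective calls in this file, so report it once with -1 (whole content) as location.
        if (content.contains("setAccessible(true)")) {
            setValidVulnerability(
                specificLocation(-1),
                "setAccessible(true) used",
                "Access checks are bypassed, so reflective calls in this file can reach " +
                    "private members; avoid it or confine it to a reviewed internal helper."
            )
        }
    }
}

// Registering the detector. LOG output needs neither a browser nor a save dialog,
// so this form also works on a headless CI runner.
@Test
fun `scan with unsafe reflection detector`() {
    Delvelin()
        .setOutputFormat(OutputFileFormat.LOG)
        .setAllowedExtensions(".java", ".kt")
        .addCustomDetector(UnsafeReflectionDetector())
        .scan()
}
```

A line such as `val clazz = Class.forName(request.getParameter("type"))` is reported, while `Class.forName("com.example.Foo")` is not; a call with a constant name like `Class.forName(HANDLER_CLASS)` is reported too, which is the deliberate trade-off of a line-level regex that cannot see where a value came from. find() reports only the first match on a line, and the file-level check fires once per file regardless of how many setAccessible(true) calls it contains.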

Configuration Options

  • setOutputFormat(OutputFileFormat format): output format of the analysis (HTML, JSON, or LOG). Default: LOG.
  • setAllowedExtensions(String... values): file extensions to include in the analysis. Default: .java, .kt, .gradle, .kts, .xml.
  • setAutoLaunchBrowser(boolean value): automatically open the generated HTML report in the browser; set to false to disable. Default: false.
  • setShowSaveDialog(boolean value): display a save dialog for HTML and JSON reports; set to false to disable. Default: false.
  • setLogListener(LogListener listener): custom listener for capturing logs during analysis (useful for Android integration). Default: null.
  • addCustomDetector(BaseDetector detector): add your own detector to identify specific patterns or vulnerabilities in the code. Default: none.

Important: if you choose the JSON or HTML output format, you must also call setAutoLaunchBrowser(true) or setShowSaveDialog(true); these methods are what deliver the report. Both require a desktop session, so on a headless CI runner use the LOG format instead.

4. License

This project is licensed under MIT License.

5. Contributing

Contributions are welcome! Feel free to submit issues or pull requests for new features or improvements.

This project is still a work in progress, and your contributions are highly valuable in helping us improve and refine it.

If you find this project useful and would like to support its development, we would greatly appreciate your donations. Your generosity will go a long way in ensuring the growth and sustainability of this initiative.


ko-fi

Support via PayPal

Thank you for your support!

Connect

Feel free to reach out for questions, suggestions, or contributions: