
Any plans to support kotlin? #573

Closed
Aditya94A opened this issue Feb 27, 2018 · 13 comments

Comments

@Aditya94A

😁

@ice1000

ice1000 commented Mar 1, 2018

I tried using this to analyze my Kotlin code, no effect. Only bugs in Java code are displayed.

@h3xstream
Member

h3xstream commented May 7, 2018

I have been developing in Kotlin for a few projects. Looking at the bytecode, I would say that this JVM language is by far the easiest to support compared to Scala or Groovy.

  • Add the analogous API to the detectors that need it.
  • The plugins for IDE and CI would need to implement multi-language support.

@davidgoate

davidgoate commented May 21, 2018

@ice1000 you say

I tried using this to analyze my Kotlin code, no effect

For some reason I do have effects from this, just not ones I desired.

On this input class:

import java.util.SortedSet

// CSVColumn is the poster's own type (not shown here); each column exposes a String `value`.
data class CSVRecord(private val columns: SortedSet<CSVColumn>) : Iterable<String> {

    override fun iterator(): Iterator<String> {
        // map { } is an inline stdlib call; its bytecode ends up inside CSVRecord.class
        return columns.map { it.value }.iterator()
    }
}

I get:

[ERROR] Private method com.example.CSVRecord.component1() is never called [com.example.CSVRecord] In CSVRecord.kt UPM_UNCALLED_PRIVATE_METHOD

and many instances of Questionable cast from Collection to abstract class java.util.List (BC_BAD_CAST_TO_ABSTRACT_COLLECTION). On code such as:

override fun iterator(): Iterator<String> {
    return columns.map { it.value }.iterator()
}

Not sure whether the latter is actually my mistake or not.

@jolkdarr
Contributor

Hi
FYI, there is a tool that may help to analyse Kotlin files:
https://github.com/arturbosch/detekt

@xenoterracide
Contributor

detekt says it uses the Kotlin parse tree, whereas SpotBugs is bytecode analysis.

sschuberth added a commit to bosch-io/antenna that referenced this issue Sep 23, 2019
Spotbugs does not support Kotlin yet and still running it results in
bogus violations being reported.

Also see spotbugs/spotbugs#573.

Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch-si.com>
@dnsbtchr

dnsbtchr commented May 6, 2021

Hey, any news in this area? We use the find-sec-bugs plugin and would love to use it for our Kotlin projects as well.

@ThrawnCA
Contributor

ThrawnCA commented May 6, 2021

Theoretically it is possible to run SpotBugs on any Java bytecode. In practice, Kotlin probably generates patterns that SpotBugs doesn't like, but you could probably just write exclusion rules for them.

@dnsbtchr

dnsbtchr commented May 7, 2021

So I just ran SpotBugs with its Maven plugin on a project which contains Java and Kotlin. I added a Java class with a known bug pattern from the findsecbugs plugin to the project and SpotBugs complained about it (as I expected it to). Then I converted the same class to Kotlin and it didn't complain. Is that the expected behaviour? From your answer I'd rather expect it to complain, maybe about other weird things on top of the actual issue, or did I get that wrong?

@ThrawnCA
Contributor

ThrawnCA commented May 7, 2021

Depends on exactly what byte code it generated. Maybe Kotlin avoids whatever the bug was?

@dnsbtchr

dnsbtchr commented May 7, 2021

I doubt it because I used this code and I don't know what Kotlin could do to prevent the issue.

// java.util.Random is not a CSPRNG; find-sec-bugs flags this as PREDICTABLE_RANDOM
String generateSecretToken() {
    Random r = new Random();
    return Long.toHexString(r.nextLong());
}

It's from https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM

@gtoison
Contributor

gtoison commented Jun 19, 2022

If anyone is interested, I've got a pull request to use SpotBugs to analyze Kotlin in the SonarQube plugin: spotbugs/sonar-findbugs#569
I've tested it by analyzing the https://github.com/detekt/detekt and https://github.com/jitsi/jitsi-videobridge projects, and the issues detected seem to make sense for the most part.
I don't know Kotlin, so it would be appreciated if anyone could try this out and give feedback. Please let me know if you're interested.

The tricky part is that due to the Kotlin compilation process, the bytecode in a .class file might be from different source files, so I needed to analyse the SMAP section to find which line comes from which source file (and the corresponding line).
In particular SpotBugs detects a lot of issues in bytecode that is actually from the Kotlin arrays and collections built-in classes.
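An added illustration of the SMAP analysis described above (example code written for this page, not code from the pull request or from SpotBugs): a parser for the JSR-45 SourceDebugExtension that maps each bytecode line back to its source file and line, so findings that land in lines contributed by inlined stdlib code can be separated from findings in the Kotlin file itself. The SMAP text is constructed in the shape kotlinc emits; the file paths in it are assumed.

```python
import re
# Constructed SMAP (JSR-45 SourceDebugExtension), shaped like the one kotlinc emits when
# a stdlib inline function (from _Collections.kt) contributes bytecode to CSVRecord.class.
SAMPLE_SMAP = """SMAP
CSVRecord.kt
Kotlin
*S Kotlin
*F
+ 1 CSVRecord.kt
com/example/CSVRecord.kt
+ 2 _Collections.kt
kotlin/collections/CollectionsKt___CollectionsKt
*L
1#1,8:1
1558#2,3:9
*E
"""
# *L entry: InputStartLine [#FileID] [,RepeatCount] : OutputStartLine [,OutputLineIncrement]
LINE_RE = re.compile(r"(\d+)(?:#(\d+))?(?:,(\d+))?:(\d+)(?:,(\d+))?")

def parse_smap(text):
    """Return {bytecode line: (source path, source line)} from the first stratum of an SMAP."""
    lines = text.splitlines()
    if not lines or lines[0] != "SMAP":
        raise ValueError("missing SMAP header")
    files, mapping, section, file_id, i = {}, {}, None, None, 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if line.startswith("*"):
            section = line[:2]
            if section == "*E" or (section == "*S" and mapping):  # end, or a 2nd stratum (KotlinDebug)
                break
        elif section == "*F":  # "[+ ]id name"; the "+" form puts the full path on the next line
            plus, fid, name = re.fullmatch(r"(\+ )?(\d+) (\S+)", line).groups()
            if plus:
                name, i = lines[i], i + 1
            files[int(fid)] = name
        elif section == "*L":
            if not (m := LINE_RE.fullmatch(line)):
                raise ValueError(f"bad line entry: {line!r}")
            file_id = int(m.group(2)) if m.group(2) else file_id  # FileID persists across entries
            repeat, out_start, inc = int(m.group(3) or 1), int(m.group(4)), int(m.group(5) or 1)
            for k in range(repeat):
                for j in range(inc):
                    mapping[out_start + k * inc + j] = (files[file_id], int(m.group(1)) + k)
    return mapping

def foreign_lines(mapping, own_path):
    """Bytecode lines whose source is not own_path: findings there stem from inlined code."""
    return sorted(line for line, (path, _) in mapping.items() if path != own_path)
```

Running `foreign_lines(parse_smap(SAMPLE_SMAP), "com/example/CSVRecord.kt")` yields the bytecode lines (9 to 11 here) whose SpotBugs findings would belong to the inlined collections code rather than to CSVRecord.kt.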

@tianyu

tianyu commented Sep 11, 2023

For what it's worth, I tried it out and SpotBugs seems to work: https://github.com/tianyu/spotbugs-with-kotlin

@gtoison
Contributor

gtoison commented Sep 12, 2023

Thanks for the feedback!
Unless someone thinks otherwise, I suppose that we can close this issue.
