The sbt plugin is needed because sbt gives us no way to determine a project's dependencies on its own. Other languages and package managers provide such a list (for example, a lockfile), but sbt does not, so the plugin is used to obtain a view of the relationships between the different dependencies.
The following steps are required:
- Install Homebrew (Homebrew will be used to install both sbt and scala)
- Install sbt, then run sbt by typing sbt in the CLI
- Install scala
- Install the sbt dependency graph plugin
- Configure the sbt dependency graph plugin
1. Install Homebrew (Homebrew will allow you to install sbt and scala)
- In your browser navigate to: brew.sh
- Copy the command displayed under the “Install Homebrew” banner
- Paste that command into the command line in terminal
- Type “brew” to run brew and confirm it is installed
2. Now install Sbt
- Type “brew install sbt”
- NOTE: You may have to run the following command first: “brew cask install adoptopenjdk” (brew will let you know if you do need to do this)
- If you did need to run this extra command, then you will have to run “brew install sbt” again afterward
- Run sbt by typing sbt in the command line
3. Now install Scala
- Type “brew install scala”
NOTE: Although other package managers provide a way to allow Snyk to determine the list/graph/tree of dependencies, Sbt does not. So an Sbt dependency graph plugin is required to address this issue.
4. Now follow these instructions for installing the Sbt dependency graph plugin
In order to use the Snyk CLI to test Scala projects, you will need to install the Sbt dependency graph plugin.
Installing the Sbt dependency graph plugin for sbt 0.13
Prerequisites
- Ensure you have installed Scala. (See steps outlined above)
- Ensure you have installed Sbt and ran sbt. (See steps outlined above)
NOTE: The steps below will install the Sbt dependency plugin as a global plugin.
- First navigate to the correct directory by typing the following command: cd ~/.sbt
- This will take you to the Sbt directory. From there you will need to navigate to the 0.13 directory. Typing the ls command will show if 0.13 and/or 1.0 exists in the directory
- Navigate to 0.13 by typing: cd 0.13 and then make a directory called plugins by typing: mkdir plugins
- Navigate to the new directory by typing: cd plugins and then proceed to create a file called “plugins.sbt” by typing: touch plugins.sbt
- Edit the plugins.sbt file via the CLI using the nano command: nano plugins.sbt
- (you can also use a text editor if you prefer)
- Add the following line to the file: addSbtPlugin("net.virtual-void" % "sbt-dependency-graph" % "0.10.0-RC1")
- Press: “Control X” to exit, Press: “Y” when prompted to save the file, then press: return to close the nano editor
5. Take the following steps for the 1.0 directory. Check if 1.0 exists by typing ls in the sbt directory:
- If 1.0 does NOT exist in the sbt directory, create it by typing mkdir 1.0 while in the sbt directory
- Once 1.0 exists, run the following command: cd ~/.sbt/1.0
- Make a directory called “plugins” in that folder by typing: mkdir plugins
- Copy the existing “plugins.sbt” file from the 0.13 directory to the current 1.0 directory by typing the following: cp ../0.13/plugins/plugins.sbt ./plugins
- Validate that the plugin has been installed correctly by running the following command from the directory of the project: sbt "-Dsbt.log.noformat=true" dependencyTree (running the command generates the dependency graph; you can run it again whenever you want to regenerate it)
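Steps 4 and 5 above can be scripted so the global plugin is set up for both sbt 0.13 and sbt 1.0 in one go and never duplicated on re-runs. The script below is an added example, not from the original page or the plugin project; the function names and the SBT_HOME / RUN_INSTALL variables are assumptions made here.

```shell
#!/bin/sh
# Added example: install sbt-dependency-graph as a global sbt plugin for both
# the 0.13 and 1.0 sbt directories, idempotently, then verify the result.
set -eu

PLUGIN_LINE='addSbtPlugin("net.virtual-void" % "sbt-dependency-graph" % "0.10.0-RC1")'

# Write <sbt home>/<version>/plugins/plugins.sbt, appending the plugin line only
# if it is not already there, so running this twice does not duplicate it.
# Prints the path of the file it wrote.
install_global_plugin() {
  sbt_home="$1"
  version="$2"                      # "0.13" or "1.0"
  plugin_dir="$sbt_home/$version/plugins"
  plugin_file="$plugin_dir/plugins.sbt"
  mkdir -p "$plugin_dir"
  touch "$plugin_file"
  if ! grep -qF 'sbt-dependency-graph' "$plugin_file"; then
    printf '%s\n' "$PLUGIN_LINE" >> "$plugin_file"
  fi
  echo "$plugin_file"
}

# Succeeds (exit 0) only if the plugin line appears exactly once in the file.
verify_plugin_file() {
  [ "$(grep -cF 'sbt-dependency-graph' "$1")" -eq 1 ]
}

# Mirror steps 4 and 5: set up 0.13 and 1.0 under the given sbt home
# (defaults to ~/.sbt, the location the steps above use).
install_all() {
  sbt_home="${1:-$HOME/.sbt}"
  install_global_plugin "$sbt_home" "0.13"
  install_global_plugin "$sbt_home" "1.0"
}

# Only touch the real ~/.sbt when explicitly asked: RUN_INSTALL=1 sh install.sh
# Run from the project directory so dependencyTree has a build to inspect.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
  install_all "${SBT_HOME:-$HOME/.sbt}"
  if command -v sbt >/dev/null 2>&1; then
    sbt "-Dsbt.log.noformat=true" dependencyTree
  fi
fi
```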
You should now be able to successfully run “snyk test” via the CLI to uncover vulnerabilities in the scala project you imported.