Delveline is a tool for Kotlin and Java developers that identifies and categorizes vulnerabilities, helping teams align with security standards like ISO 27001 and improve code security.
Delveline is a specialized tool designed for Kotlin and Java developers, helping identify and categorize software vulnerabilities effectively. By leveraging the CWE (Common Weakness Enumeration) framework and detecting CVE (Common Vulnerabilities and Exposures), Delveline bridges the gap between secure software development and industry standards like ISO 27001.
Aligned with ISO 27001’s focus on information security and risk management, Delveline provides actionable insights into vulnerabilities within source code and dependencies specific to Kotlin and Java projects. While not a standalone security solution, it serves as a valuable aid in achieving compliance by offering clear categorization of risks and practical guidance for remediation.
We leverage:
- CWE (Common Weakness Enumeration): A global standard for identifying and categorizing vulnerabilities.
- OSV (Open Source Vulnerabilities): A comprehensive database for open-source vulnerability information.
- ISO/IEC 27001 Alignment: Supporting security awareness and risk management practices aligned with global information security standards.
Delveline empowers Kotlin and Java teams to develop secure and resilient applications while aligning their development practices with global security standards.
Or view example in HTML Format
Disclaimer: Delveline may not identify all vulnerabilities but serves as a powerful first step in securing your codebase.
To integrate delvelin in Java/Kotlin project, we can use two ways. Choose the way that suits your project needs:
Add the plugin to your Gradle project.
plugins {
id("io.github.hangga.delvelin") version "0.1.2-beta"
}plugins {
id 'io.github.hangga.delvelin' version '0.1.2-beta'
}Configure Delvelin using the delvelin extension.
delvelin {
outputFileFormat = 'JSON' // Options: LOG, JSON, HTML
showSaveDialog = false
}| Configuration Option | Description | Default Value |
|---|---|---|
setOutputFormat |
Set the output format of the analysis (e.g., HTML, JSON, or LOG). |
LOG |
setAutoLaunchBrowser |
Automatically open the generated HTML report in the browser. Set to false to disable. |
false |
setShowSaveDialog |
Display a save dialog for HTML and JSON reports. Set to false to disable. |
false |
Run the delvelinScan task to analyze your project:
./gradlew delvelinScanIf we are using Intellij IDEA, we can also use the gradle menu in the sidebar:
Add delvelinScan gradle task to our pipeline configuration, for example:
stages:
- test
gradle-scan:
stage: test
image: gradle:7.6-jdk8
script:
- gradle delvelinScan
only:
- main
- developWe can use the Delvelin library just like any other Kotlin/Java library. It offers a more flexible way with additional configuration.
repositories {
maven { url 'https://repo.repsy.io/mvn/hangga/repo' }
}
dependencies {
testImplementation('io.github.hangga:delvelin-plugin:0.1.2-beta')
}<repository>
<id>hangga-repsy-repo</id>
<url>https://repo.repsy.io/mvn/hangga/repo</url>
</repository>
<dependency>
<groupId>io.github.hangga</groupId>
<artifactId>delvelin-plugin</artifactId>
<version>0.1.2-beta</version>
<scope>test</scope>
</dependency>It is highly recommended to run the Delvelin library in unit tests to keep your production classes clean. You can also run it in the main class or the project’s main package, but this is not advised.
Here’s an example of a unit test to instantiate and run Delvelin:
@Test
fun `vulnerability test`() {
Delvelin()
.setOutputFormat(OutputFileFormat.HTML)
.setAutoLaunchBrowser(true) // Automatically opens the browser for HTML format
.setAllowedExtensions(".java") // By default, it supports .java, .kt, .gradle, .kts, and .xml
.setShowSaveDialog(true) // Only applicable for HTML & JSON formats
.setShowDate(true) // For Console LOG format
.scan()
}To log messages in LogCat, you can use a custom listener like this:
@Test
fun `vulnerability test with custom listener for android`() {
Delvelin().setLogListener(object : LogListener {
override fun onGetLog(s: String) {
Log.d("DelvelinLog", s)
}
override fun onGetLog(stringBuffer: StringBuffer) {
Log.d("DelvelinLog", stringBuffer.toString())
}
}).scan()
}@Test
fun `vulnerability test`() {
Delvelin()
.setOutputFormat(OutputFileFormat.HTML)
.setAutoLaunchBrowser(true) // Automatically opens the browser for HTML format
.scan()
}
@Test
fun `vulnerability test with save dialog`() {
Delvelin()
.setOutputFormat(OutputFileFormat.HTML)
.setShowSaveDialog(true) // Only applicable for HTML & JSON formats
.scan()
}
| Configuration Option | Description | Default Value |
|---|---|---|
setOutputFormat(OutputFileFormat format) |
Set the output format of the analysis (e.g., HTML, JSON, or LOG). |
LOG |
setAllowedExtensions(String... values) |
Specify file extensions to include in the analysis. By default, allows .java, .kt, .gradle, .kts, and .xml. |
[".java", ".kt", ".gradle", ".kts", ".xml"] |
setAutoLaunchBrowser(boolean value) |
Automatically open the generated HTML report in the browser. Set to false to disable. |
false |
setShowSaveDialog(boolean value) |
Display a save dialog for HTML and JSON reports. Set to false to disable. |
false |
setLogListener(LogListener listener) |
Set a custom listener for capturing logs during analysis (useful for Android integration). | null |
Important Notes If you choose the JSON or HTML output format, you must use either
setAutoLaunchBrowserorsetShowSaveDialog. These methods ensure that the output is handled properly.
This project is licensed under MIT License.
Contributions are welcome! Feel free to submit issues or pull requests for new features or improvements.
This project is still a work in progress, and your contributions are highly valuable in helping us improve and refine it.
If you find this project useful and would like to support its development, we would greatly appreciate your donations. Your generosity will go a long way in ensuring the growth and sustainability of this initiative.
Thank you for your support!
Feel free to reach out for questions, suggestions, or contributions:
- 📧 Email: [email protected]
- 🌐 GitHub Repository