Support for Scala SBT #921

Open
LironJit opened this issue Apr 16, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@LironJit

Hi :)
Curious if SBT is anywhere on the roadmap. It'd be super awesome if we could scan build.sbt files for dependency vulnerabilities using osv-scanner!
Thanks in advance!

@oliverchang oliverchang added the enhancement New feature or request label Apr 16, 2024
@oliverchang
Collaborator

Hi, thanks for this request.

I don't believe any of us are familiar with Scala or were aware of SBT before. Is there a specific canonical package manager for Scala? Or is this just Maven?

Contributions are also very welcome :)

@LironJit
Author

Hi @oliverchang, thanks for your quick response!

SBT is indeed the primary build tool for Scala projects, similar to Maven or Gradle for Java.
It uses a file called build.sbt to define dependencies. This file is essential for dependency management in Scala projects and can be scanned for vulnerabilities.
Unlike Maven, which uses XML, SBT's build files are Scala code.

Here's a link to how dependencies are typically mentioned in the build.sbt file - https://github.com/sbt/sbt-native-packager/blob/master/build.sbt#L16-L26

@oliverchang
Collaborator

Thanks for the response! My question wasn't phrased well since Maven is a bit of an overloaded term -- it refers to both a package repository protocol and an overall build system/tool.

Do the dependencies specified inside build.sbt refer to packages inside a Maven repository? Or are there SBT specific repositories for dependencies? It sounds like if they refer to Maven packages, we just need to extract "ecosystem": "Maven" packages from them?

Contributions are also very welcome, if you are able to help with creating a PR for this!
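To make the two comments above concrete: sbt dependencies are written as `"groupId" %% "artifactId" % "version"` (or `%` for a non-Scala artifact) and are resolved from Maven repositories such as Maven Central, so the natural mapping is to osv-scanner's `"ecosystem": "Maven"` with the package name `groupId:artifactId`. The one sbt-specific detail is `%%`, which appends the Scala binary version (`_2.13`, `_3`) to the published artifactId. The Go below is an added example written for this thread, not code from osv-scanner or from sbt; the build.sbt fragment is constructed, the fallback binary version of "2.13" when no `scalaVersion` is set is this example's assumption, and it only matches version literals (versions held in a `val` would need the Scala build evaluated, which a regex cannot do).

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// MavenPackage mirrors the shape osv-scanner uses for the Maven ecosystem:
// the package name is "groupId:artifactId" and the ecosystem string is "Maven".
type MavenPackage struct {
	Name      string
	Version   string
	Ecosystem string
}

// sampleBuildSbt is a constructed build.sbt fragment for this example; it is
// not the sbt-native-packager build file linked in the thread.
const sampleBuildSbt = `scalaVersion := "2.13.12"
// a comment line that must be ignored
libraryDependencies ++= Seq(
  "org.scala-lang.modules" %% "scala-xml" % "2.2.0",
  "org.apache.commons" % "commons-compress" % "1.24.0",
  "org.scalatest" %% "scalatest" % "3.2.17" % Test
)
`

// depRe matches a literal "group" %% "artifact" % "version" or
// "group" % "artifact" % "version" triple. Versions held in a val
// (e.g. % scalaXmlVersion) are not literals and are deliberately not matched.
var depRe = regexp.MustCompile(`"([^"]+)"\s*(%%|%)\s*"([^"]+)"\s*%\s*"([^"]+)"`)

// scalaVersionRe picks up the project's scalaVersion := "x.y.z" setting.
var scalaVersionRe = regexp.MustCompile(`scalaVersion\s*:=\s*"([^"]+)"`)

// scalaBinaryVersion reduces a full Scala version to the suffix that %% appends:
// "2.13.12" -> "2.13", "3.3.1" -> "3".
func scalaBinaryVersion(full string) string {
	parts := strings.Split(full, ".")
	if parts[0] == "3" {
		return "3"
	}
	if len(parts) >= 2 {
		return parts[0] + "." + parts[1]
	}
	return full
}

// ParseBuildSbt extracts literal dependency triples from build.sbt content and
// returns them as Maven coordinates. When no scalaVersion is set it falls back
// to "2.13"; that default is an assumption of this example, not sbt's behaviour.
func ParseBuildSbt(content string) []MavenPackage {
	binary := "2.13"
	if m := scalaVersionRe.FindStringSubmatch(content); m != nil {
		binary = scalaBinaryVersion(m[1])
	}

	var pkgs []MavenPackage
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "//") {
			continue // whole-line Scala comment
		}
		for _, m := range depRe.FindAllStringSubmatch(line, -1) {
			group, op, artifact, version := m[1], m[2], m[3], m[4]
			if op == "%%" {
				// %% is sbt's cross-building operator: the artifactId actually
				// published to the Maven repository carries the Scala binary
				// version as a suffix, so that is the name OSV must be queried with.
				artifact += "_" + binary
			}
			pkgs = append(pkgs, MavenPackage{
				Name:      group + ":" + artifact,
				Version:   version,
				Ecosystem: "Maven",
			})
		}
	}
	return pkgs
}

func main() {
	for _, p := range ParseBuildSbt(sampleBuildSbt) {
		fmt.Printf("%s %s %s\n", p.Ecosystem, p.Name, p.Version)
	}
}
```

Running it on the constructed fragment yields `org.scala-lang.modules:scala-xml_2.13 2.2.0`, `org.apache.commons:commons-compress 1.24.0` and `org.scalatest:scalatest_2.13 3.2.17`, which are exactly the Maven coordinates a scanner would look up. Because build.sbt is executable Scala, a text-level extractor like this is only a first approximation: the robust route is to have sbt itself emit the resolved dependency graph (for example from its dependency-tree output or a generated lockfile) and feed that to the scanner, which also picks up transitive dependencies that never appear in build.sbt.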
