Supported languages
Bearer supports the following language and framework combinations. When you scan a codebase, Bearer will automatically select the appropriate language based on the file extension. For example, if your application is composed of Ruby and JavaScript code, Bearer will automatically apply the right language and set of rules.
| Languages | Frameworks | # rules | Support |
|---|---|---|---|
| Ruby | Ruby on Rails | 76 |
Bearer CLI + Pro |
| JavaScript / TypeScript | Express, React | 87 |
Bearer CLI + Pro |
| Java | Spring, Java | 80 |
Bearer CLI + Pro |
| PHP | Symfony | 69 |
Bearer CLI + Pro |
| Go | Gorilla | 72 |
Bearer CLI + Pro |
| Python | Django | 88 |
Bearer CLI + Pro |
| C# | .Net | Learn more |
Bearer Pro |
| Kotlin | Android, Spring, Ktor | Learn more |
Bearer Pro |
| Elixir | Phoenix | Learn more |
Bearer Pro |
| VB.Net | .Net | Learn more |
Bearer Pro |
Language and framework support
Bearer CLI works across a variety of languages, especially:
- Dynamically typed languages such as Ruby or JavaScript.
- Optionally strong typed languages such as TypeScript.
- Strong typed languages such as Java.
You can access the complete list of security rules and associated vulnerabilities supported for each language by Bearer CLI in the rules section.
Framework support
Bearer CLI supports the majority of frameworks, requiring only core language support to perform its analysis. However, certain frameworks may require specialized rules: these are mentioned in the table above in the "framework" section. If you observe any gaps in support for a particular framework, please submit an issue with relevant details and examples.
Do you support interprocedural and inter-file analysis?
Yes, Bearer Pro supports interprocedural and inter-file analysis, currently with full capabilities for Java and actively being extended to other major supported languages. This advanced analysis allows Bearer Pro to trace data flow and control flow across function and file boundaries within an entire codebase. This is crucial for accurately identifying complex vulnerabilities that depend on the interaction of different code components, significantly reducing false positives compared to analyses limited to individual functions or files.
Bearer Pro's interprocedural and inter-file analysis for Java has demonstrated strong results on the OWASP Java Benchmark, achieving a score of 76% with a reported false positive rate of less than 2%.
How do we evaluate language support?
The development of a robust Static Application Security Testing (SAST) tool hinges on two crucial performance metrics: recall and precision. A modern, efficient SAST solution aims to minimize the false positive rate, to avoid inundating developers with irrelevant findings. At the same time, it should not overlook relevant vulnerabilities, or it risks giving a false sense of security.
The methodology we employ for testing our software is instrumental in achieving this level of confidence. Although there are a few benchmarking projects available for SAST, they often fall short of providing a comprehensive assessment. The multitude of coding styles and the diversity of potential vulnerabilities as numerous as the developers themselves necessitate a well-rounded test suite that truly represents how code is written. Relying solely on benchmarking projects, in this case, is insufficient.
Given this, as part of our language release procedure, we heavily depend on Open Source projects to evaluate the quality of our support. Our engineering team has composed an in-depth post detailing our approach, which we strongly recommend you review here.
How does Bearer precision compare to solutions like Semgrep, Snyk, Checkmarx or SonarQube?
Establishing a high degree of accuracy for a SAST is challenging, and comparing them becomes an even more complex task. As a part of our in-house toolkit, we have undertaken the task of determining how Bearer stands against other well-established solutions in the market. The comprehensive results of our comparative analysis, along with an open data set, are available here.