
Scan for JetBrains

Veracode Scan for JetBrains is a plugin for popular JetBrains IDEs that integrates Static Application Security Testing (SAST), Veracode Software Composition Analysis (SCA), and Veracode Fix into your Software Development Lifecycle (SDLC).

From within your IDE, you can:

  • To detect flaws in your code, run Static Analysis scans.
  • To detect vulnerabilities in open-source libraries and the risk level of open-source licenses, run SCA agent-based scans.
  • To remediate flaws by applying suggested fixes, use Veracode Fix.
  • To resolve findings manually, use the provided remediation guidance.

Scan results are only available in the IDE. They are not available in the Veracode Platform.

Supported versions

Veracode has tested the following versions, but the plugin might work with other versions.

Version 2023.2 or later of the following IDEs:

  • IntelliJ Ultimate and Community Edition
  • PyCharm
  • Rider

Supported languages and frameworks

Veracode has tested specific versions (if listed) of the following languages and frameworks, but the plugin might work with other versions.

About application packaging

Before the plugin runs a Static Analysis of your application, it uses an auto-packager to automatically package the code into a supported artifact, such as ZIP or JAR. If the packager is not able to package your application, or you prefer to create the artifact yourself, you can use the Veracode packaging guidance to package your application manually. This option does not apply to SCA scans.

The default location for manually packaged artifacts is <project root>/.verascan. At the root of your project, create the .verascan folder and place your artifact in it. When you start a scan, the plugin looks for an artifact in the default location first, then in the location defined by the Artifact Glob setting. To store your artifact somewhere other than .verascan, configure Artifact Glob.

note

If you use Rider on macOS and you want to use auto-packaging, you must start Rider at a command prompt.

Prerequisites

Before you can install and use Veracode Scan for JetBrains, you must have:

  • A supported JetBrains IDE and a source project of a supported language or framework. Monorepos are not supported.

  • Ensured your source project is configured correctly for the language of your application. If you aren't sure, review the project requirements in the JetBrains documentation.

  • A human user account with the Security Lead, Workspace Administrator, Workspace Editor, or Submitter role.

  • Stored your API credentials in an API credentials file. The plugin uses these credentials to authenticate with Veracode, not the SCA agent token.

  • Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as SRCCLR_NO_GIT=1.

  • Installed a supported package manager.

  • Ensured you have configured a proxy in your IDE, if your organization accesses Veracode through a proxy server. You cannot configure a proxy in the Veracode plugin. For more information, see the JetBrains documentation.

  • To generate suggested code fixes and apply them to flaws, you must have a Veracode Fix license and a supported code language.

  • Additional prerequisites apply to each scan type.

    To run Static Analysis scans and view flaws, you must have:

    • An active Static Analysis license.
    • One of the following Veracode accounts:
      • A human user account with the Security Lead, Creator, or Submitter user role.
      • An API service account with the Upload and Scan API or Upload API - Submit Only API role.
    • Ensured your application builds successfully. If your project files change between scans, rebuild your project and ensure it builds successfully.
    • Ensured the artifact you want to scan does not exceed the total file size limit of 200 MB.
    • Allowed outbound (one-way) HTTPS connections from your machine on port 443.

Install the plugin

You install the plugin from the JetBrains Marketplace.

note

You can only install the plugin on one machine. If you install it on multiple machines, it might fail to authenticate with Veracode.

To complete this task:

  1. Go to the JetBrains Marketplace.
  2. Search for veracode.
  3. Select Veracode Scan.
  4. Select Install.
  5. Restart your IDE. The plugin automatically detects your API credentials file and attempts to sign in to Veracode. If sign in fails, ensure that your API credentials file is configured correctly, the file is in the required location, and your credentials are valid. If your API credentials are invalid or expired, you can generate new credentials. Then, select Test Authentication to sign in.
  6. To install a local SCA agent, under Install Local Agent, select Install Agent. This SCA agent is specific to the plugin and does not affect any other local SCA agents. The installation is complete.
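Step 5 above asks you to confirm that the API credentials file exists, is in the required location and is valid before retrying Test Authentication. The following pre-flight check is an added example and is not part of the plugin. The default path ~/.veracode/credentials and the INI layout (a [default] section with veracode_api_key_id and veracode_api_key_secret) are assumed from Veracode's general credential-file conventions; this page does not state them. The permission check is an assumption about good practice, not a plugin requirement.

```python
"""Pre-flight check for the Veracode API credentials file the plugin reads at sign-in.

Added example, not part of the plugin. Path and INI layout are assumptions:
  ~/.veracode/credentials
  [default]
  veracode_api_key_id = <id>
  veracode_api_key_secret = <secret>
"""
import configparser
import os
import stat
from pathlib import Path

REQUIRED_KEYS = ("veracode_api_key_id", "veracode_api_key_secret")


def default_credentials_path():
    # Assumed default location; adjust if your organisation stores it elsewhere.
    return Path.home() / ".veracode" / "credentials"


def check_credentials_file(path=None, profile="default"):
    """Return a list of problems found; an empty list means the file looks usable.

    Checks, in order: the file exists; on POSIX it is not readable by group or
    others; it parses as INI; the profile section exists; both required keys are
    present, non-empty and not left as angle-bracket placeholders.
    """
    path = Path(path) if path else default_credentials_path()
    problems = []

    if not path.is_file():
        return [f"credentials file not found at {path}"]

    if os.name != "nt":
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(
                f"{path} is accessible to group or others (mode {mode:o}); chmod 600 it"
            )

    parser = configparser.ConfigParser()
    try:
        parser.read(path)
    except configparser.Error as exc:
        return problems + [f"cannot parse {path}: {exc}"]

    if not parser.has_section(profile):
        return problems + [f"missing [{profile}] section"]

    for key in REQUIRED_KEYS:
        value = parser.get(profile, key, fallback="").strip()
        if not value:
            problems.append(f"{key} is missing or empty in [{profile}]")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{key} still contains placeholder text")
    return problems


if __name__ == "__main__":
    for problem in check_credentials_file() or ["credentials file looks usable"]:
        print(problem)
```

Run it before opening the IDE when Test Authentication keeps failing; if it reports nothing, the remaining causes are an expired or revoked credential pair, which you fix by generating new credentials, or a proxy the IDE is not configured for.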

Configure the plugin

Optionally, turn on recursive scanning and configure a custom location for packaged artifacts.

To complete this task:

  1. To open Veracode Scan Settings, in the Veracode Scan window, from the dropdown menu intellij-sca-menu.png, select Settings.

  2. Configure the following options:

    • Recursive Scan: to have each scan run recursively on all folders in your project, select Enable SCA recursive scan. This option is selected by default.
    • Artifact Glob: provide the location of a custom artifact for a Static Analysis scan. Enter a glob pattern that defines the path and filename for your artifact. The path must be relative to your project root directory. The default location is $PROJECT_ROOT/.verascan. Ensure your artifact meets the Veracode packaging guidance. See About application packaging.
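The About application packaging section and the Artifact Glob setting both rely on a manually packaged artifact in <project root>/.verascan that respects the 200 MB limit from the prerequisites. The script below is an added example, not Veracode's auto-packager, showing one way to build such a ZIP for a Python project: it walks the project, skips directories that should never be uploaded, writes the artifact to .verascan, and refuses to produce one over the limit. The exclusion list, the artifact name app.zip and the choice of which file suffixes to include are assumptions; what belongs in the artifact for your language is defined by the Veracode packaging guidance, not by this script.

```python
"""Build <project root>/.verascan/<name>.zip as a manual Static Analysis artifact.

Added example, not Veracode's packager. Exclusions, artifact name and included
suffixes are assumptions; follow the Veracode packaging guidance for your language.
"""
import os
import zipfile
from pathlib import Path

MAX_ARTIFACT_BYTES = 200 * 1024 * 1024  # total file size limit stated in the prerequisites

# Directories that must not end up in the artifact (assumption: tune per project).
EXCLUDED_DIRS = {
    ".git", ".verascan", ".idea", "node_modules", "__pycache__",
    ".venv", "venv", "build", "dist", "target",
}


def package_project(project_root, artifact_name="app.zip",
                    source_suffixes=(".py",), max_bytes=MAX_ARTIFACT_BYTES):
    """Zip files with the given suffixes under project_root into .verascan/artifact_name.

    Returns (artifact_path, file_count, size_bytes). If the artifact exceeds
    max_bytes it is deleted and ValueError is raised, so an oversized upload
    fails here rather than at scan time.
    """
    root = Path(project_root).resolve()
    verascan_dir = root / ".verascan"          # default location the plugin checks first
    verascan_dir.mkdir(exist_ok=True)
    artifact = verascan_dir / artifact_name

    count = 0
    with zipfile.ZipFile(artifact, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune excluded directories in place so os.walk never descends into them.
            dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
            for name in sorted(filenames):
                path = Path(dirpath) / name
                if path.suffix.lower() not in source_suffixes:
                    continue
                # Store paths relative to the project root so the tree is preserved.
                zf.write(path, arcname=str(path.relative_to(root)))
                count += 1

    size = artifact.stat().st_size
    if size > max_bytes:
        artifact.unlink()
        raise ValueError(f"artifact is {size} bytes, over the {max_bytes} byte limit")
    return artifact, count, size


def artifact_members(artifact_path):
    """Sorted list of entries inside the artifact, for a quick manual check."""
    with zipfile.ZipFile(artifact_path) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    import sys
    path, n, size = package_project(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"wrote {path} ({n} files, {size} bytes)")
```

Because the artifact lands in .verascan, no Artifact Glob setting is needed; if you write it elsewhere, set Artifact Glob to a pattern relative to the project root that matches the file, and keep .verascan empty so the plugin does not pick up a stale artifact first.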

Scan your project

To analyze the security risk of your code and all open-source libraries and licenses, scan your project. Because each scan uses the data paths in your project files to detect flaws in lines of code, it does not scan your code as you type. To detect flaws in new or changed lines of code, you must rescan your project.

A Veracode account is limited to six scans per 60 seconds and each scan is limited to a maximum scan time of 60 minutes.

Before you begin:

Ensure you meet the prerequisites.

To complete this task:

  1. Open a supported project in your IDE.
  2. From the left tool window bar, select Veracode Scan jetbrains-scan-icon.png.
  3. To start the scans, in the Veracode Scan window, select Scan Project intellij-sca-scan-button.png.
  4. Wait for the scans to complete. When all scans are complete, the results for the selected project appear in the following panes: Scan Overview, Flaws In My Code, Vulnerabilities In My Libraries, and Library Licenses.

Review the scan overview

After you scan your project, in the Veracode Scan window, the Scan Overview pane provides the following information about the scans and the results:

  • The scan completion time stamp and the duration of the scans.
  • The total number of flaws from the Static Analysis scan. To view the flaws categorized by severity, expand Flaws.
  • The total number of vulnerabilities from the SCA scan. To view the vulnerabilities categorized by severity, expand Vulnerabilities.

Working with flaws

To review, fix, or ignore discovered flaws, use the Flaws In My Code pane.

Review flaws

Learn about the discovered flaws, their severity, and get remediation guidance that can help you fix them.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. From the left tool window bar, select Veracode Scan jetbrains-scan-icon.png.
  2. In the Flaws In My Code pane, you see a list of flaws. Each flaw shows the Common Weakness Enumeration (CWE) ID and name sorted by severity. The flaws with the highest severity are at the top of the list. If there are suggested fixes from Veracode Fix, a green banner shows the total number of available fixes and all flaws to which you can apply fixes show a green star jetbrains-flaw-fix-badge.png.
  3. Optionally, to only show specific flaws in the list, select Filter ide-filter-icon.png to filter the flaws.
  4. To view a flaw within a source file, select a flaw. The source file that contains the flaw opens in a tab, and the line of code where the flaw exists is underlined red.
  5. To view a detailed description of a flaw and the remediation actions you can take to fix it, in the Flaws In My Code pane, select View flaw details ide-flaw-details-icon.png. The Veracode Scan Details pane opens.
  6. Alternatively, to open the Veracode Scan Details pane from a flaw in a source code file, hover over a line of code with a red underline. Then, select More actions > Fix this flaw on a CWE. You can also select a CWE from code suggestions jetbrains-light-bulb-icon.png.
  7. To review ignored flaws, in the Flaws In My Code pane, scroll down to the bottom of the pane. Then, expand Ignored findings.

Filter flaws

To control which flaws are listed in the Flaws In My Code pane, you can filter them by severity.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In the Flaws In My Code pane, select the filter ide-filter-icon.png.

  2. From the dropdown menu, select from the following filters:

    • Severity filters: hide or show flaws based on their severity.
    • Fix filter: only show flaws that have suggested fixes you can apply jetbrains-flaw-fix-badge.png or flaws that have fixes applied jetbrains-fix-applied-icon.png.
  3. From the dropdown menu, select one or more severities. The list of flaws updates automatically. To indicate that the pane is filtered, the filter icon shows an orange dot ide-filter-applied-icon.png.

Fix flaws

To fix discovered flaws, you can apply suggested fixes from Veracode Fix or follow the remediation guidance available in your IDE.

Before you begin:

  • Ensure you have scanned your project.
  • To generate and apply suggested code fixes, you must have a Veracode Fix license.

To complete this task:

  1. In the Flaws In My Code pane, locate a flaw with suggested fixes jetbrains-flaw-fix-badge.png.

  2. Optionally, to show only flaws with suggested fixes, or flaws with fixes applied, you can filter the flaws.

  3. To open the Veracode Scan Details pane, expand a flaw, then select View flaw details.

  4. To open the source file that contains the flaw, select the flaw. In the source file, the line of code where the flaw exists is underlined red. A line of code can contain multiple flaws.

  5. In the Veracode Scan Details window, select from the following:

    • Veracode Fix: to apply the top suggested fix for this flaw, select Apply Fix. To apply other suggested fixes, select Fix Option, select a fix, then select Apply Fix. If no suggested fixes are available, this tab is empty. After you apply a suggested fix, a notification message opens with details about the applied fix. In the Flaws In My Code pane, the severity and fix icons change to gray jetbrains-fix-applied-icon.png. If you fix a flaw manually, the severity icon does not change to gray.
    • Remediation Guidance: to fix this flaw manually, follow the remediation guidance. To see the path that the scanner followed to locate this flaw, under Data Paths, expand a path. Then, select the Step link for the source file and code line number you want to view.
  6. Alternatively, to open the Veracode Scan Details window from a flaw in a source file, hover over a line of code with a red underline. Then, select More actions > Fix this flaw on a CWE or, if there are no suggested fixes, select More information. You can also select a CWE from code suggestions jetbrains-light-bulb-icon.png.

  7. To confirm that a flaw is fixed, rescan your project and check that the flaw is no longer listed in the Flaws In My Code pane.
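The Remediation Guidance step refers to the data path the scanner followed from a source to a sink, and step 7 confirms a fix by rescanning. The snippet below is an added example, not code from the plugin or from any Veracode finding, of the kind of flaw that produces such a path: untrusted input concatenated into a SQL statement (CWE-89, SQL injection) beside the parameterized form that removes it. The schema, function names and test payload are constructed for the example.

```python
"""A source-to-sink flaw and its hardened form.

Added example, not from Veracode. CWE-89 is used as a representative flaw;
the table and the callers are constructed for illustration.
"""
import sqlite3


def make_db():
    """In-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """The flaw. Data path: `name` (source) is concatenated into SQL (sink).

    A scan would flag the execute() line; the path steps lead back to the
    parameter. The input "x' OR '1'='1" turns the WHERE clause into a tautology.
    """
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn, name):
    """The remediation: bind `name` as a parameter so it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Returns row counts for a benign and a malicious input, before and after the fix."""
    conn = make_db()
    benign, payload = "alice", "x' OR '1'='1"
    return {
        "vulnerable_benign": len(find_user_vulnerable(conn, benign)),
        "vulnerable_payload": len(find_user_vulnerable(conn, payload)),
        "fixed_benign": len(find_user_fixed(conn, benign)),
        "fixed_payload": len(find_user_fixed(conn, payload)),
    }


if __name__ == "__main__":
    print(demo())
```

After replacing the concatenation with the parameterized query, the only way to know the finding is gone is the rescan in step 7: the plugin does not re-analyze on edit, and a fix applied manually leaves the severity icon unchanged until then.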

Ignore flaws

To temporarily remove flaws from the Flaws In My Code pane, you can ignore them. For example, you might want to ignore flaws that continually appear or are of low importance, such as Informational.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In the Flaws In My Code pane, select a flaw. The source file that contains the flaw opens in a tab and the line of code where the flaw exists is underlined red.
  2. To ignore a flaw, in the source file, hover over a line of code with a red underline.
  3. Select More actions > Ignore this finding on a CWE. The flaw moves to the Ignored flaws section at the bottom of the pane. You can also select this option from code suggestions jetbrains-light-bulb-icon.png.
  4. To unignore a flaw, at the bottom of the Flaws In My Code pane, expand Ignored flaws. Then, locate a flaw and select Unignore flaw ide-flaw-details-icon.png. The flaw moves out of the Ignored flaws list and is visible in the source file.

Working with vulnerabilities

To review and fix the discovered vulnerabilities, use the Vulnerabilities In My Libraries pane.

Review vulnerabilities

The Vulnerabilities In My Libraries pane lists all open-source libraries with one or more vulnerabilities.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. Select Veracode Scan jetbrains-scan-icon.png. The Vulnerabilities in My Libraries pane lists all detected libraries with vulnerabilities. The libraries with the most and highest-risk vulnerabilities are at the top of the list.
  2. Optionally, to only show specific vulnerabilities in the list, select the filter icon ide-filter-icon.png to filter the vulnerabilities.
  3. To see the vulnerabilities for a library, expand a library.
  4. To see additional information about the library you expanded, select View library details. The Veracode Scan Details window provides useful information about the library, such as its total vulnerability count with severities, the latest version available, the known safe version, and its usage.
  5. To view information about a vulnerability, select it. The Veracode Scan Details window shows the CVSS score, all libraries in your project with this vulnerability, a link to view it in the Veracode Vulnerability Database, and the recommended fix.

Filter vulnerabilities

To control which vulnerabilities are listed in the Vulnerabilities In My Libraries pane, you can filter them by severity.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In the Vulnerabilities In My Libraries pane, select Filters ide-filter-icon.png.

  2. From the dropdown menu, select one or more filters:

    • Severity: hide or show vulnerabilities based on their risk level.
    • Usage: hide or show vulnerabilities based on their usage.

    After you apply a filter, the filter icon shows an orange dot intellij-sca-filter-icon-applied.png.

Review open-source licenses

You can review a list of all open-source licenses, the libraries that use these licenses, and the risk level of each license. Your organization can use this information to decide whether a library with a high-risk license must be replaced or moved to a version with an acceptable license.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. Select Veracode Scan jetbrains-scan-icon.png.
  2. To see the names, versions, and risk level of each license, scroll through the list of licenses in the Library Licenses pane. The licenses with the highest risk level are at the top of the list.
  3. To see the libraries that use a license, expand a license.

Clear all scan results

Remove all scan results from the Veracode Scan window and the plugin.

Before you begin:

Ensure you have scanned your project.

note

You cannot undo this action or recover the cleared results. To see results, you must rescan your project.

To complete this task:

In the Veracode Scan window, from the dropdown menu intellij-sca-menu.png, select Clear All Results.

Troubleshooting

To generate a log file for all scans, Veracode Fix, and the auto-packager, turn on debugging. You can use these logs to troubleshoot issues.

To turn scan debugging on or off, from the dropdown menu intellij-sca-menu.png, select Enable Debug. A message window opens to indicate whether scan debugging is turned on or off. When debugging is turned on, the Enable Debug menu item shows a checkmark.

note

The debug option does not persist. You must turn it on before each SCA scan. The debug files are stored on your local machine in .veracode/ide_agent/jetbrains/. To remove these files, you must delete them manually.