
Greenlight IDE plugins

note

The Greenlight plugins only support Static Analysis scans. To run Static Analysis and Software Composition Analysis scans, and use Veracode Fix to apply suggested code patches to flaws, we recommend you use the Veracode Scan plugins and extensions.

Veracode Greenlight, which is also called IDE Scan, finds security defects in your code in seconds, so you can fix the findings directly in your IDE. Instant detection discovers issues early and reduces costs.

Greenlight is not available in the European region.

Veracode Greenlight scans individual files or small packages and displays the results in your IDE at the code line level. Developers can test software frequently and find security-related defects early in the development cycle. Veracode Greenlight also gives developers positive feedback by listing the coding best practices it detects, which developers can reuse to avoid introducing security defects.

The Veracode Greenlight plugin has minimal impact on your local system. If your environment does not meet the requirements in the Supported IDEs section, and you are interested in the Veracode Greenlight plugin, email Veracode Technical Support with your interest, your IDE tools, IDE version, and the programming languages you use in your job.

Veracode Greenlight connects to two hosts, downloads.veracode.com and api.veracode.com, each of which presents a TLS certificate signed by a public certificate authority. Ensure that your network allows the plugin to reach these hosts and to validate those certificates.

In addition to using Veracode Greenlight, we recommend that you perform a full static analysis scan using the Veracode Platform or the Veracode plugin for your IDE to achieve comprehensive coverage, actionable results, and policy-level reporting to determine application production readiness.

note

Veracode APIs and integrations require access to specific region domains, depending on the region for your Veracode account. Contact your IT team to ensure the correct domains for your region are on the allowlist for your organization. Also ensure that outbound connections from the IDE to the REST API domain on TCP port 443 (HTTPS) are allowed; no inbound access is needed. Refer to the complete list of domains and IP addresses to add to your allowlist.

Supported IDEs

Prerequisites

Before you can use Veracode Greenlight, you must have:

  • Enabled the Veracode Greenlight feature. Contact Veracode Technical Support to enable this feature.
  • Confirmed you have a user account with the Greenlight IDE User role.
  • Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization. The plugin uses these addresses to authenticate with Veracode. To update your allowlist, you might need to contact your IT team.
  • Generated API credentials. We recommend creating an API credentials file for storing your credentials outside the IDE. If you have an API credentials file, and your file and credentials are valid, the Greenlight plugin detects the file automatically, and you can authenticate with Veracode.
  • Installed a supported IDE and any dependencies, such as Java.
  • Connected your IDE to the public internet.
  • Configured the required proxy settings in your IDE. The Greenlight plugin does not provide proxy settings. To configure a proxy, see the documentation for your IDE.
  • Access to the source code you want to scan. The module containing the source code, and any modules it depends on, must compile successfully. The code must not be minified: minified code has had characters such as white space, new lines, comments, and block delimiters removed.
  • Confirmed your scan submissions are 1 MB or smaller.
  • Confirmed that your Java files successfully build into Java class files. To ensure your Greenlight scan succeeds, verify that you have a Java class built for the Java file you want to scan.
  • Greenlight scans only compiled binaries. Third-party build tools, such as Gradle or Maven, add non-binary files that can cause issues during scanning. If you use a third-party build tool, ensure that:
    • The project builds successfully outside your IDE. If the build has problems such as classpath or buildpath errors, the IDE cannot produce the files needed to submit a scan to Veracode Greenlight.
    • You have imported your files into your IDE using the specific plugin for your third-party build tool.
    • Your project includes a build.gradle file, for Gradle, or a pom.xml file, for Maven. If you open a project without importing it, the IDE generates its own project configuration instead of using the build file.
  • We recommend that you select the option in your IDE for building automatically and that you resolve any blocking build errors.
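The prerequisites above recommend keeping API credentials in a credentials file outside the IDE. The following script is an added example, not Veracode's own tooling: it writes that file with owner-only permissions and checks an existing one before you open the IDE. It assumes the layout the Veracode credentials file uses, a [default] profile in ~/.veracode/credentials with veracode_api_key_id and veracode_api_key_secret keys; the credential values in demo() are constructed placeholders, not real keys.

```python
import configparser
import os
import stat
import tempfile

# Location and key names of the Veracode API credentials file
# (assumed here; confirm against the Veracode documentation for your region).
DEFAULT_PATH = os.path.join(os.path.expanduser("~"), ".veracode", "credentials")
SECTION = "default"
KEY_ID = "veracode_api_key_id"
KEY_SECRET = "veracode_api_key_secret"


def write_credentials_file(path, api_id, api_secret):
    """Create the credentials file so that only the current user can read it.

    The file is opened with mode 0600 before any content is written, so there
    is no window in which other local users can read the secret.
    """
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"[{SECTION}]\n{KEY_ID} = {api_id}\n{KEY_SECRET} = {api_secret}\n")
    os.chmod(path, 0o600)  # enforce the mode even if the file already existed


def check_credentials_file(path):
    """Return a list of problem codes; an empty list means the file is usable."""
    problems = []
    if not os.path.isfile(path):
        return ["missing"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("permissions")  # group or world can read the secret
    parser = configparser.ConfigParser()
    try:
        parser.read(path)
    except configparser.Error:
        return problems + ["unparseable"]
    if not parser.has_section(SECTION):
        return problems + ["no_default_profile"]
    for key in (KEY_ID, KEY_SECRET):
        value = parser.get(SECTION, key, fallback="").strip()
        # Empty values and untouched "<...>" placeholders both mean "not configured".
        if not value or value.startswith("<"):
            problems.append(f"{key}_unset")
    return problems


def demo():
    """Write a file with constructed placeholder credentials, then loosen its
    permissions to show the check failing. Returns (good_result, bad_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".veracode", "credentials")
        # Constructed placeholder values, not real Veracode credentials.
        write_credentials_file(path, "0123456789abcdef0123456789abcdef", "00" * 64)
        good = check_credentials_file(path)
        os.chmod(path, 0o644)  # simulate a file copied in with default permissions
        bad = check_credentials_file(path)
    return good, bad


if __name__ == "__main__":
    print(demo())
    print(check_credentials_file(DEFAULT_PATH))
```

Run check_credentials_file(DEFAULT_PATH) before starting the IDE; a "permissions" result means another local account could read your API secret, and an "_unset" result means the plugin will not find valid credentials and will prompt you to authenticate.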

Best Practices

The Best Practices feature in Greenlight detects lines of code that comply with coding best practices. These lines of code protect the application against specific Common Weakness Enumerations (CWEs).

After you run a Greenlight scan in your IDE, lines that follow a coding best practice are underlined in green. In the Greenlight Findings window, select Best Practices to view a list of CWEs that your application avoided based on the detected coding best practices. To view more details about a specific CWE, in the Actions column, select Details.

For example, Greenlight can detect a coding best practice for the following CWEs.

  • Taint-based CWEs
    • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    • CWE-93: Improper Neutralization of CRLF Sequences (CRLF Injection)
    • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting)
    • CWE-117: Improper Output Neutralization for Logs
    • CWE-201: Information Exposure Through Sent Data
    • CWE-611: Improper Restriction of XML External Entity Reference (XXE)
  • Non-taint based CWEs
    • CWE-326: Inadequate Encryption Strength
    • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
    • CWE-329: Not Using a Random IV with CBC Mode
    • CWE-331: Insufficient Entropy
    • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    • CWE-780: Use of RSA Algorithm without OAEP
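To make the list above concrete, here is an added example, written for this page and not taken from Greenlight or Veracode, that puts the weak pattern beside the best-practice pattern for several of the listed CWEs. It is in Python using only the standard library, so it is not the Java that a Greenlight scan compiles; the point is the code patterns a scanner recognises, not the language. CWE-326, CWE-329 and CWE-780 are omitted because the Python standard library has no AES or RSA implementation to illustrate them with.

```python
import hashlib
import html
import random
import secrets


# CWE-80: untrusted text must be escaped before it is placed in HTML.
def render_greeting_unsafe(name):
    return "<p>Hello, " + name + "</p>"  # "<script>" passes straight through


def render_greeting(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# CWE-93 / CWE-113: a CR or LF in a header value lets the caller inject
# extra headers or a second response. Reject it outright.
def is_safe_header_value(value):
    return "\r" not in value and "\n" not in value


def set_header(headers, name, value):
    if not is_safe_header_value(value):
        raise ValueError("CR/LF not allowed in header values")
    headers[name] = value
    return headers


# CWE-117: line breaks in user-controlled data would let one request forge
# additional log entries. Encode them so each entry stays on one line.
def log_safe(user_input):
    return user_input.replace("\r", "\\r").replace("\n", "\\n")


# CWE-327: MD5 is broken for integrity purposes; SHA-256 is the best-practice
# replacement for fingerprints (passwords need a salted, slow hash instead).
def fingerprint_weak(data):
    return hashlib.md5(data).hexdigest()


def fingerprint(data):
    return hashlib.sha256(data).hexdigest()


# CWE-338 / CWE-331: random is a predictable PRNG and 64 bits is too little
# entropy for a session token; secrets gives a CSPRNG and 256 bits.
def session_token_weak():
    return "%016x" % random.getrandbits(64)


def session_token():
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed inputs showing each weak/best-practice pair side by side.
    print(render_greeting_unsafe("<script>alert(1)</script>"))
    print(render_greeting("<script>alert(1)</script>"))
    print(is_safe_header_value("/home"), is_safe_header_value("/home\r\nSet-Cookie: a=b"))
    print(log_safe("login failed\n[INFO] admin login ok"))
    print(fingerprint_weak(b"abc"), fingerprint(b"abc"))
    print(session_token_weak(), session_token())
```

Each "best practice" function is the kind of line Greenlight underlines in green, and each "_weak"/"_unsafe" function is the kind it reports as a finding; the pairing is what makes the Best Practices list useful as a checklist when reviewing your own code.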