
SCA Scan for JetBrains

Veracode SCA Scan for JetBrains is a plugin for the IntelliJ IDEA and PyCharm IDEs that integrates Veracode Software Composition Analysis (SCA) into your Software Development Lifecycle (SDLC). The plugin performs SCA agent-based scans of your project to detect vulnerabilities in open-source libraries and the risk level of third-party licenses. For vulnerabilities, it also provides guidance for fixing security issues from within your IDE.

For information on using Veracode Greenlight in IntelliJ IDEA, see Veracode Greenlight for IntelliJ.

Supported versions

Veracode has tested the following versions, but the integration might work with other versions.

  • IntelliJ 2022.2.2 or greater
  • PyCharm 2022.1 or greater

Supported languages and frameworks

For the languages, frameworks, and package managers the plugin can scan, see the Agent-based scan language support matrix. Veracode has tested the specific versions listed there, but the integration might work with other versions.

Prerequisites

Before you can install and use Veracode SCA Scan for JetBrains, you must have:

  • A human user account with the Security Lead, Workspace Administrator, Workspace Editor, or Submitter role.
  • Stored your API credentials in an API credentials file. The plugin authenticates with Veracode using these API credentials, not the SCA agent token. The file holds a long-lived API key ID and secret, so restrict it to your own user account and keep it out of source control.
  • Obtained a Veracode SCA subscription.
  • Ensured that the SCA workspace My Workspace has an available project slot. The plugin can only use My Workspace.
  • Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as SRCCLR_NO_GIT=1.
  • Installed a supported IDE.
  • Installed a supported package manager.
  • If you use a proxy to access Veracode, ensure you have configured a proxy in your IDE. You cannot configure a proxy in the Veracode plugin. For more information, see the docs for IntelliJ IDEA or PyCharm.
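The prerequisites above can be checked before opening the IDE. The following pre-flight script is an added example, not Veracode code. It assumes the standard Veracode credentials file location and format (`~/.veracode/credentials`, an INI file whose `[default]` profile holds `veracode_api_key_id` and `veracode_api_key_secret`), which the page does not spell out, and it treats the SRCCLR_NO_GIT=1 variable mentioned above as the way to skip the Git check:

```python
"""Pre-flight check for the plugin prerequisites (added example, not Veracode code).

Assumption not stated on the page: the API credentials file is the standard
Veracode credentials file at ~/.veracode/credentials, INI-formatted, with a
[default] section holding veracode_api_key_id and veracode_api_key_secret.
"""
import configparser
import os
import stat
import sys
from pathlib import Path


def check_credentials_file(path: Path) -> list[str]:
    """Return a list of problems with the API credentials file (empty list = OK)."""
    problems = []
    if not path.is_file():
        return [f"{path}: credentials file not found"]
    mode = stat.S_IMODE(path.stat().st_mode)
    # The file holds a long-lived API secret: it must not be readable by group or others.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} is readable by other users; use 0600")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    if "default" not in cfg:
        problems.append(f"{path}: missing [default] profile")
        return problems
    for key in ("veracode_api_key_id", "veracode_api_key_secret"):
        if not cfg["default"].get(key, "").strip():
            problems.append(f"{path}: [default] has no {key}")
    return problems


def check_scm(project_dir: Path, env) -> list[str]:
    """The agent needs the project inside a Git repository, or SRCCLR_NO_GIT=1 to skip that."""
    if env.get("SRCCLR_NO_GIT") == "1":
        return []
    for directory in (project_dir, *project_dir.parents):
        if (directory / ".git").exists():
            return []
    return [f"{project_dir}: not inside a Git repository and SRCCLR_NO_GIT is not set to 1"]


def preflight(project_dir: Path, credentials: Path, env=None) -> list[str]:
    """Combine all checks; an empty list means the prerequisites are satisfied."""
    env = os.environ if env is None else env
    return check_credentials_file(credentials) + check_scm(project_dir, env)


if __name__ == "__main__":
    issues = preflight(Path.cwd(), Path.home() / ".veracode" / "credentials")
    for issue in issues:
        print("FAIL:", issue)
    print("OK: prerequisites satisfied" if not issues else f"{len(issues)} problem(s) found")
    sys.exit(1 if issues else 0)
```

Run it from the project directory you intend to scan. The permission check matters because the plugin reads this file directly, so a world-readable credentials file exposes the same key that authorizes every other Veracode API call made with it.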

Install the plugin

You install the plugin from the JetBrains Marketplace.

note

You can only install the plugin on one machine. If you install it on multiple machines, it might fail to authenticate with Veracode.

To complete this task:

  1. Go to the JetBrains Marketplace.
  2. Search for veracode.
  3. Select Veracode SCA Scan for JetBrains.
  4. Select Install and follow the on-screen instructions.
  5. Restart your IDE.
  6. Follow the on-screen instructions to authenticate with Veracode and install a local SCA agent. This SCA agent is specific to the plugin and does not affect any other local SCA agents.

By default, the plugin detects your API credentials file and authenticates with Veracode to confirm your credentials are valid. If you added the credentials file after installing the plugin and the SCA agent, click Test Authentication to confirm your API credentials are valid. If your API credentials are invalid or expired, you can generate new credentials.

Turn on scan debugging

To turn scan debugging on or off, from the dropdown menu in the Veracode SCA Scan window, select Enable Debug. A message window opens to indicate whether scan debugging is turned on or off. When debugging is turned on, the Enable Debug menu item shows a checkmark.

note

The debug option does not persist. You must turn it on before each SCA scan. The debug files are stored on your local machine in .veracode/ide_agent/vscode/. To remove these files, you must delete them manually.

Scan your project

Scan your project to analyze the security risk of all open-source libraries and licenses. The scan results are only available in the IDE and from a command prompt. You cannot view the results in the Veracode Platform.

To complete this task:

  1. Open a supported project in your IDE.
  2. On the left menu bar, select Veracode SCA Scan.
  3. To start the scan, in the Veracode SCA Scan window, select Scan Project.
  4. Wait for the scan to complete.
  5. Review the results in the Vulnerabilities In My Libraries and Library Licenses panes.

View the scan summary

After you scan your project, you can view a general summary of the scan and the results. To open the Scan Summary window, from the dropdown menu in the Veracode SCA Scan window, select Scan Overview.

The Scan Summary window provides the total number of vulnerabilities and their risk level, the scan completion date, and the number of scanned dependencies (libraries).

Review vulnerabilities

The Vulnerabilities In My Libraries pane lists all open-source libraries with one or more vulnerabilities.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. Select Veracode SCA Scan. The Vulnerabilities In My Libraries pane lists all detected libraries with vulnerabilities. The libraries with the highest-risk vulnerabilities, and then the most vulnerabilities, are at the top of the list.

  2. To filter the list of libraries, select the filter dropdown menu. Then, select one or more of the following filters:

    • Severity filters: filter libraries by the severity of their vulnerabilities. The severity indicates the risk level of a vulnerability. For example, select Critical to only show libraries with the highest severity vulnerabilities.
    • Usage filters: filter libraries (dependencies) by their usage. To only show libraries that your project uses directly, select Direct Only. To only show libraries that your project uses indirectly, select Transitive. By default, both direct and transitive (indirect) libraries are listed.

    After you apply a filter, the filter icon shows a yellow dot.

  3. To see the vulnerabilities for a library, expand a library.

  4. To see additional information about the library you expanded, select View library details. The Veracode Scan Details window provides useful information about the library, such as its total vulnerability count with severities, the latest version available, the known safe version, and its usage.

  5. To view information about a vulnerability, select it. The Veracode Scan Details window shows the CVSS score, all libraries in your project with this vulnerability, a link to view it in the Veracode Vulnerability Database, and the recommended fix.
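The ordering and filters of the Vulnerabilities In My Libraries pane, and the counts in the Scan Summary window, are easier to reason about when written down. The following is an added example over constructed data, not plugin code or plugin output. It assumes that the plugin's severity names follow the CVSS v3 score bands (Critical 9.0 and above, High 7.0 to 8.9, Medium 4.0 to 6.9, otherwise Low), that "most and highest-risk first" means highest severity first and then vulnerability count, and that a severity filter keeps a library if at least one of its vulnerabilities has that severity; the library names, versions, and vulnerability identifiers are placeholders:

```python
"""Added example (not plugin code): model the Vulnerabilities In My Libraries
ordering and filters, and the Scan Summary counts, over constructed scan data.

Assumptions not stated on the page: severities come from CVSS v3 score bands,
and the pane sorts by highest severity, then by vulnerability count.
"""
from collections import Counter
from dataclasses import dataclass, field

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def cvss_to_severity(score: float) -> str:
    """CVSS v3 qualitative rating bands (assumed to match the plugin's filter names)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Vulnerability:
    vuln_id: str          # constructed identifier, not a real CVE
    cvss: float

    @property
    def severity(self) -> str:
        return cvss_to_severity(self.cvss)


@dataclass
class Library:
    name: str
    version: str
    direct: bool          # False means a transitive (indirect) dependency
    vulns: list[Vulnerability] = field(default_factory=list)

    def max_severity(self) -> str:
        """Highest severity among this library's vulnerabilities ("None" if it has none)."""
        return max((v.severity for v in self.vulns), key=SEVERITY_RANK.__getitem__, default="None")


def rank_libraries(libs: list[Library]) -> list[Library]:
    """Pane order: highest severity first, then most vulnerabilities, then name.
    Libraries without vulnerabilities do not appear in the pane."""
    vulnerable = [lib for lib in libs if lib.vulns]
    return sorted(vulnerable, key=lambda l: (-SEVERITY_RANK[l.max_severity()], -len(l.vulns), l.name))


def filter_libraries(libs, severities=None, usage="all"):
    """severities: set of severity names; a library is kept if any vulnerability matches.
    usage: "all" (default), "direct" (Direct Only) or "transitive"."""
    kept = []
    for lib in libs:
        if usage == "direct" and not lib.direct:
            continue
        if usage == "transitive" and lib.direct:
            continue
        if severities and not any(v.severity in severities for v in lib.vulns):
            continue
        kept.append(lib)
    return kept


def scan_summary(libs: list[Library]) -> dict:
    """Figures the Scan Summary window shows: dependencies scanned and vulnerabilities by severity."""
    by_sev = Counter(v.severity for lib in libs for v in lib.vulns)
    return {"dependencies": len(libs), "vulnerabilities": sum(by_sev.values()),
            "by_severity": {s: by_sev.get(s, 0) for s in SEVERITY_RANK}}


# Constructed sample scan: names, versions and scores are illustrative only.
SAMPLE = [
    Library("lib-a", "1.2.0", direct=True, vulns=[Vulnerability("EX-1", 7.5), Vulnerability("EX-2", 5.3)]),
    Library("lib-b", "0.9.1", direct=False, vulns=[Vulnerability("EX-3", 9.8)]),
    Library("lib-c", "2.0.0", direct=False,
            vulns=[Vulnerability("EX-4", 7.2), Vulnerability("EX-5", 8.1), Vulnerability("EX-6", 3.1)]),
    Library("lib-d", "4.4.4", direct=True),
]

if __name__ == "__main__":
    for lib in rank_libraries(filter_libraries(SAMPLE, usage="transitive")):
        print(f"{lib.name} {lib.version}: {lib.max_severity()} ({len(lib.vulns)} vulnerabilities)")
    print(scan_summary(SAMPLE))
```

With the sample data, the unfiltered pane order is lib-b (one Critical), then lib-c (three findings, highest High), then lib-a (two findings, highest High): a single Critical outranks several High findings, which is why triage should start at the top of the pane rather than with the library that has the longest list. Note that the Transitive filter can surface a vulnerable library that no file in your project imports directly; the fix is then an update of the direct dependency that pulls it in, not of the transitive library itself.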

Review open-source licenses

You can review a list of all open-source licenses, the libraries that use these licenses, and the license risk level. Your organization can use this information to decide whether a library's license is acceptable for your project or whether the library needs to be replaced with one that has an acceptable license.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. Select Veracode SCA Scan.
  2. In the Library Licenses pane, scroll through the list of detected licenses to see the names, versions, and license risk. The licenses with the highest risk level are at the top of the list.
  3. Expand a license to see the libraries that use it.

Clear all scan results

Remove all scan results from the Veracode SCA Scan window and the plugin.

Before you begin:

Ensure you have scanned your project.

To complete this task:

note

You cannot undo this action or recover the cleared results. To see results, rescan your project.

In the Veracode SCA Scan window, from the dropdown menu, select Clear All Results.