
Static for Eclipse

note

This plugin only supports Static Analysis scans. To run Static Analysis and Software Composition Analysis scans, and use Veracode Fix to apply suggested code patches to flaws, we recommend you use Veracode Scan for Eclipse.

Veracode Static for Eclipse is a plugin for the Eclipse IDE that enables you to upload binaries to Veracode for static analysis. You can work with the scan results from within Eclipse to review and mitigate security findings in your applications.

Supported versions

Veracode has tested the following versions; the integration might work with other versions.

  • Eclipse 4.6 through 2023-03 (4.27)
  • Eclipse-derived IDEs, such as Spring Tool Suite.

Supported languages and frameworks

See the packaging requirements.

Install the Eclipse plugin

Veracode Static for Eclipse functions like other Eclipse plugins that you install from an update site within the Eclipse IDE.

Before you begin:

You must have:

  • Confirmed you have a supported version of Eclipse and Java and your code meets the packaging requirements.
  • Stored your API credentials in an API credentials file.
  • Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization.

To complete this task:

  1. Select Help > Install New Software.
  2. Select Add.
  3. In the Add Repository window, in the Name field, enter Veracode Static for Eclipse and, in the Location field, enter https://tools.veracode.com/integrations/Eclipse/update.
  4. Select OK.
  5. Select the checkbox next to the plugin and select Next. If the Veracode checkbox does not appear, clear the Group items by category checkbox.
  6. In the Install window, select Next.
  7. Select I accept the terms of the license agreement and select Finish.
  8. When prompted, restart Eclipse.

Install the Eclipse plugin behind a proxy

You can install Veracode Static for Eclipse behind a proxy.

Before you begin:

You must have:

  • Confirmed you have a supported version of Eclipse and Java and your code meets the packaging requirements.
  • Stored your API credentials in an API credentials file.
  • Ensured you have configured a proxy.
  • Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization. The plugin uses these addresses to authenticate with Veracode. To update your allowlist, you might need to contact your IT team.
  • Ensured you have configured the plugin to use the correct HTTPS proxy settings for accessing Veracode. If you are unsure about your proxy settings, contact your network IT team.

To complete this task:

  1. In Eclipse, select Veracode > Options > Veracode > Proxy.
  2. Select Connect using the default HTTPS proxy settings if you want to use the HTTPS proxy settings that you previously configured within your IDE. If you want to specify different proxy settings, complete these steps.
  3. Select Connect using the following proxy settings.
  4. Select Edit.
  5. Enter the proxy settings. Optionally, select the Requires Authentication option.
  6. Select OK.
  7. In the Preferences window, select OK.

Update the Eclipse plugin

You can update Veracode Static for Eclipse from within the IDE.

To complete this task:

  1. Select Help > Check for Updates.
  2. If a newer version of Veracode Static for Eclipse is available, select the checkbox next to it and select Next to install.
  3. Accept the license agreement and select Next.
  4. If prompted, restart Eclipse.

Mirror the update site

You can create a local instance of the Veracode Eclipse update site that allows you to use and update Veracode Static for Eclipse without internet access.

To get the latest version of Veracode Static for Eclipse, you can mirror the Veracode Eclipse update site, which provides the files required for your local Eclipse installation.

To complete this task:

  1. Create a local directory to store the mirrored site files.

  2. The update site contains metadata, such as the XML information needed to describe the content and dependencies of the plugin. To mirror the metadata, run this command from the command line (the option is -verbose with an ASCII hyphen; a pasted en dash is not accepted):

    eclipse -nosplash -verbose \
      -application org.eclipse.equinox.p2.metadata.repository.mirrorApplication \
      -source https://tools.veracode.com/integrations/Eclipse/update \
      -destination [LocalDirectory]

    Completing this command adds the content.jar file to your local directory.

  3. The artifact repository contains the plugin and the files it needs to run. To mirror the artifacts, run this command from the command line:

    eclipse -nosplash -verbose \
      -application org.eclipse.equinox.p2.artifact.repository.mirrorApplication \
      -source https://tools.veracode.com/integrations/Eclipse/update \
      -destination [LocalDirectory]

    Completing this command adds the artifacts.jar file and the features and plugins folders to your local directory.

  4. Package all the files into a ZIP file after adding them to the directory.
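The check a practitioner wants between mirroring and packaging, as an added example that is not part of Veracode's documentation or tooling: a Python script that issues the same two p2 mirror invocations shown above, refuses to package a mirror that lacks any of the four expected outputs, writes a SHA-256 manifest into the directory so the ZIP can be re-verified after it crosses into the offline network, and then builds the ZIP. The manifest file name, the placeholder feature and plugin file names, and the data built by run_offline_demo() are assumptions made for this example; only run_mirror() needs a real Eclipse installation on the PATH.

```python
import hashlib
import subprocess
import tempfile
import zipfile
from pathlib import Path

UPDATE_SITE = "https://tools.veracode.com/integrations/Eclipse/update"
MIRROR_APPS = (
    "org.eclipse.equinox.p2.metadata.repository.mirrorApplication",  # produces content.jar
    "org.eclipse.equinox.p2.artifact.repository.mirrorApplication",  # produces artifacts.jar, features/, plugins/
)
EXPECTED = ("content.jar", "artifacts.jar", "features", "plugins")
MANIFEST = "SHA256SUMS"  # file name chosen for this example, not a p2 convention


def mirror_commands(eclipse: str, dest) -> list:
    """The two p2 mirror invocations from the procedure above, as argv lists."""
    return [[eclipse, "-nosplash", "-verbose", "-application", app,
             "-source", UPDATE_SITE, "-destination", str(dest)] for app in MIRROR_APPS]


def run_mirror(eclipse: str, dest) -> None:
    """Run both mirror applications; needs a local Eclipse, so it is not exercised offline."""
    Path(dest).mkdir(parents=True, exist_ok=True)
    for cmd in mirror_commands(eclipse, dest):
        subprocess.run(cmd, check=True)


def verify_mirror(dest) -> list:
    """Return the EXPECTED entries that are missing or empty after mirroring."""
    dest, missing = Path(dest), []
    for name in EXPECTED:
        p = dest / name
        ok = (p.is_file() and p.stat().st_size > 0) if name.endswith(".jar") else (p.is_dir() and any(p.iterdir()))
        if not ok:
            missing.append(name)
    return missing


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(dest) -> dict:
    """Hash every mirrored file into dest/SHA256SUMS so the ZIP can be re-checked after transfer."""
    dest, sums = Path(dest), {}
    for p in sorted(dest.rglob("*")):
        if p.is_file() and p.name != MANIFEST:
            sums[p.relative_to(dest).as_posix()] = sha256_of(p)
    (dest / MANIFEST).write_text("".join(f"{d}  {n}\n" for n, d in sums.items()))
    return sums


def check_manifest(dest) -> list:
    """Re-hash the files (for example after unpacking offline) and return names whose digest differs."""
    dest, bad = Path(dest), []
    for line in (dest / MANIFEST).read_text().splitlines():
        digest, name = line.split("  ", 1)
        if not (dest / name).is_file() or sha256_of(dest / name) != digest:
            bad.append(name)
    return bad


def package(dest, zip_path) -> str:
    """Refuse an incomplete mirror; otherwise write the manifest, zip the directory, return the ZIP's SHA-256."""
    dest, zip_path = Path(dest), Path(zip_path)
    missing = verify_mirror(dest)
    if missing:
        raise RuntimeError(f"mirror incomplete, missing: {missing}")
    write_manifest(dest)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(dest.rglob("*")):
            if p.is_file():
                zf.write(p, p.relative_to(dest).as_posix())
    return sha256_of(zip_path)


def run_offline_demo() -> dict:
    """Constructed stand-in for a mirrored site (placeholder names) so verify/package runs without Eclipse."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "mirror"
        for name in ("content.jar", "artifacts.jar",
                     "features/example.feature_1.0.0.jar", "plugins/example.plugin_1.0.0.jar"):
            (site / name).parent.mkdir(parents=True, exist_ok=True)
            (site / name).write_bytes(b"PK\x05\x06" + bytes(18))  # bytes of an empty ZIP, constructed
        before = verify_mirror(site)
        zip_path = Path(tmp) / "veracode-eclipse-mirror.zip"
        zip_digest = package(site, zip_path)
        with zipfile.ZipFile(zip_path) as zf:
            entries = sorted(zf.namelist())
        (site / "content.jar").write_bytes(b"tampered")  # simulate a modification in transit
        tampered = check_manifest(site)
        (site / "artifacts.jar").unlink()
        after = verify_mirror(site)
    return {"missing_before": before, "zip_sha256": zip_digest, "entries": entries,
            "tampered": tampered, "missing_after": after}
```

Record the ZIP's SHA-256 where the offline side can see it (a ticket, a signed message), compare it after the transfer, unpack, and run check_manifest() on the unpacked directory before pointing Eclipse at the archive; p2 metadata alone does not tell you that the copy you received is the copy you made.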

Install the mirrored update site

You can install the mirrored update site to your local Eclipse environment.

Before you begin:

Ensure you have mirrored and packaged the update site.

To complete this task:

  1. Select Help > Install New Software....
  2. In the Available Software window, select Add....
  3. In the Add Repository window, enter Veracode in the Name field.
  4. In the Location field, select Archive... and select the ZIP file containing the mirrored update site. Then, select OK.
  5. Select Veracode Static for Eclipse, then select Next.
  6. To complete the installation, review the Install Details and select Finish.

Manage credentials

Store your API credentials, or manage the passphrase that protects credentials stored in Eclipse.

Store API credentials in a keychain

You can store your API credentials securely in an API credentials file or in Eclipse.

We recommend that you use an API credentials file. The plugin uses these credentials to access Veracode.

To complete this task:

  1. Select Veracode > Options > Credentials.

  2. Select an option for storing your API credentials:

    • Store credentials in external file: use the credentials in your API credentials file. By default, if your credentials are not currently stored in Eclipse, this option is selected. To verify that your credentials are valid, select Test Credentials.
    • Store credentials in Eclipse: select Add Credentials to enter and store your credentials in Eclipse. By default, if your credentials are currently stored in Eclipse, this option is selected.
  3. Select OK.

  4. If you selected Store credentials in Eclipse, the Veracode Keychain window opens.

    Create a passphrase. Veracode uses it as the key to encrypt your credentials before saving them, and derives from it a digest that it stores securely. The digest expires every 12 hours, after which the plugin prompts you for the passphrase again to create a new digest.

  5. Enter your passphrase and confirm it.

  6. Select Submit.
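This page recommends the API credentials file but does not show what it looks like. The layout assumed below (an INI file, ~/.veracode/credentials by default, with a [default] profile holding veracode_api_key_id and veracode_api_key_secret) is Veracode's documented format for that file, but treat it as an assumption of this example. The script is an added example, not part of the plugin, and checks the two things that most often go wrong with a file-based secret: the file is readable by other local users, or a placeholder was left in place of the hex value. The sample key ID and secret are made up.

```python
import configparser
import re
import stat
import tempfile
from pathlib import Path

# Assumed layout of the API credentials file (this page does not spell it out):
# an INI file, ~/.veracode/credentials by default, with a [default] profile that
# holds veracode_api_key_id and veracode_api_key_secret. Both values are hex strings.
DEFAULT_PATH = Path.home() / ".veracode" / "credentials"
KEYS = ("veracode_api_key_id", "veracode_api_key_secret")
HEX = re.compile(r"[0-9a-fA-F]+")

# Constructed sample with made-up values; not a real key pair.
SAMPLE_OK = (
    "[default]\n"
    "veracode_api_key_id = 0123456789abcdef0123456789abcdef\n"
    "veracode_api_key_secret = " + "ab" * 64 + "\n"
)


def check_contents(text: str, profile: str = "default") -> list:
    """Return a list of problems with the file's text; an empty list means it looks usable."""
    cfg = configparser.ConfigParser()
    try:
        cfg.read_string(text)
    except configparser.Error as e:
        return [f"cannot parse credentials file: {e.__class__.__name__}"]
    if profile not in cfg:
        return [f"missing [{profile}] section"]
    issues = []
    for key in KEYS:
        val = cfg[profile].get(key, "").strip()
        if not val:
            issues.append(f"{key} missing or empty")
        elif not HEX.fullmatch(val):  # catches placeholders such as <YOUR_ID> left in the file
            issues.append(f"{key} is not a hex string")
    return issues


def check_file(path=DEFAULT_PATH, profile: str = "default") -> list:
    """Permission check plus content check: refuse a file that other local users can read."""
    path = Path(path)
    if not path.is_file():
        return [f"{path}: not found"]
    issues = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"{path}: mode {mode:04o} is accessible to group/others; chmod 600 it")
    return issues + check_contents(path.read_text(), profile)


def run_offline_demo() -> dict:
    """Write the constructed sample to a temp directory with a good and a bad mode and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "credentials"
        p.write_text(SAMPLE_OK)
        p.chmod(0o600)
        secure = check_file(p)
        p.chmod(0o644)
        world_readable = check_file(p)
    return {"secure": secure, "world_readable": world_readable}


if __name__ == "__main__":
    for issue in check_file() or ["credentials file OK"]:
        print(issue)
</```

Run it once after creating the file and again whenever the plugin's Test Credentials button fails; a mode problem is invisible to the plugin (it can still read the file) but not to anyone else with an account on the workstation.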

Update your passphrase

You can change your passphrase at any time.

To complete this task:

  1. In your IDE, select Veracode > Options.
  2. In the Settings window, select Veracode > Credentials > Store credentials in Eclipse.
  3. Select Change Passphrase.
  4. Enter and confirm your new passphrase.
  5. Select Submit.

Reset your passphrase

If your passphrase expires, or you forget it, you can delete your passphrase and create a new one.

Resetting your passphrase automatically deletes your user credentials from storage.

To complete this task:

  1. Close and restart Eclipse.
  2. Select Veracode > Upload and Scan.
  3. Select Forget passphrase.
  4. Select OK to delete your locally-stored credentials.
  5. Select Create Passphrase to create a new passphrase.
  6. Confirm your new passphrase and select Submit.

Scan your project

You can upload binaries of your applications to Veracode for Static Analysis from within Eclipse.

note

You cannot upload binaries if Veracode is currently scanning an application. After the scan results are available, you can add more files.

The name of the uploaded file must be the same between scans of the same application. However, because filenames can change between builds of the same code, you can change the filename before uploading to keep the name consistent. If the Veracode Platform indicates that the filenames are different, select the New Filename column to rename the file, so that it matches the previous name for the same file.

Before you begin:

You must have the Upload and Scan API role or Submitter role. To obtain detailed findings information in your scan results, the builder you use to package your code must generate debug symbol information.

To complete this task:

  1. In Eclipse, select Veracode > Upload and Scan.
  2. If prompted, enter your API credentials. Select the checkbox to store your credentials so that you only have to enter them once.
  3. In the Upload and Scan window, from the Application dropdown menu, select the application for which you want to upload binaries. To add an application, select Add Application and enter the required information such as policy control and organization information.
  4. After adding an application, go to the Upload and Scan window and select Policy Scan for Scan Type.
  5. Select Create Scan.
  6. In the Create Scan window, enter the name for the new scan and, optionally, the lifecycle stage.
  7. Select Create.
  8. In the Workspace Files table, use the browse icon to select the files you want to upload from your current projects.
  9. Select Add to select any files not associated with a current project.
  10. Select Upload.
  11. When prompted to confirm, select Yes to continue the upload.
  12. Select Yes to go directly to the Veracode prescan process after the upload completes. If you do not want the full scan to continue automatically, select No.
  13. Select Begin Prescan at the top of the Upload Files table. Files you have previously uploaded to the selected scan already appear in the Uploaded Files section.
  14. To delete previously uploaded files, select the specific files and select Delete. You cannot delete files that Veracode is currently scanning until the scan results are available. The status of a scan always appears in the top bar of the window.
  15. When the prescan is complete, select View Prescan Results at the top of the Upload Files table. Veracode notifies you when your scan is complete and results are available.

Scan in a sandbox

You can create a sandbox into which you upload your application files from within Eclipse. You can then scan your application from the sandbox.

Before you begin:

You must have the Upload and Scan API role or Submitter role. To obtain detailed findings information in your scan results, the builder you use to package your code must generate debug symbol information.

To complete this task:

  1. In your IDE, select Veracode > Upload and Scan.

  2. If prompted, enter your API credentials. Select Store username and password so that you only have to enter your credentials one time.

  3. From the Application dropdown menu, select an application.

  4. In the Scan Type field, select Sandbox Scan.

  5. Select Create Sandbox and enter a name for the sandbox.

    note

    If you do not see the Create Sandbox button, contact Veracode Technical Support to enable this feature for your account.

  6. In the Workspace Files table, select the browse icon to select the files to upload from your current projects. Select Add to select any files not associated with a current project.

  7. To confirm that you want to proceed with the upload, select Upload. Then, select Yes.

  8. To go directly to the Veracode prescan process after the upload completes, select Yes. If you do not want the full scan to continue automatically, select No. Then, select Begin Prescan at the top of the Upload Files table.

  9. To review the results of the prescan, select View Prescan Results.

Run a prescan

You can begin a prescan of your application binaries immediately after you upload all files to Veracode. Prescans send email notifications when they complete. You can also check for prescan results using the getprescanresults.do call.

Before you begin:

You must have the Upload and Scan API role or Submitter role, and have uploaded all the files for the scan.

To complete this task:

  1. In Eclipse, when prompted after the upload completes, select Yes to begin the prescan. The Prescan Verification Results window opens and shows whether the prescan succeeded or failed.
  2. If the prescan succeeded, select the checkbox in the Scan? column. Then, select Yes at the bottom of the window.

Debug prescan files

You can debug prescan files if your uploaded files are in error status.

Before you begin:

You must have the Upload and Scan API role or Submitter role. To obtain detailed findings information in your scan results, the builder you use to package your code must generate debug symbol information.

To complete this task:

  1. In your IDE, close the Prescan Verification Results window or select No at the bottom of the window.
  2. Go back to Veracode > Upload and Scan.
  3. If necessary, delete problematic binary files that you have previously uploaded, re-upload properly compiled binary files, or upload missing dependencies.
  4. Select Begin Prescan in the top-right of the window and wait for the prescan to complete.
  5. To start the full scan, at the bottom of the window, select Yes.
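The Scan your project, Scan in a sandbox and Debug prescan files procedures all depend on the packaged binaries carrying debug symbol information, and the only signal this page gives for its absence is a failed prescan. The following is an added example, not part of the plugin or of Veracode's documentation, that checks a Java build before upload: it walks the constant pool of every .class file in a JAR, WAR or EAR (recursing into nested archives such as WEB-INF/lib/*.jar) and reports classes that lack the LineNumberTable or LocalVariableTable attributes, which javac emits only when compiling with debug information. The sample archive it builds for the offline run is constructed from fake class files with placeholder names and is not loadable by a JVM.

```python
import io
import struct
import sys
import zipfile

# Constant-pool names javac emits only when it compiles debug information in:
# the default (-g:source,lines) gives SourceFile and LineNumberTable, -g adds
# LocalVariableTable, and -g:none emits none of them. "Code" marks a class with
# at least one method body; classes without one (interfaces, annotations) cannot
# carry line or local-variable tables and are not counted.
DEBUG_ATTRS = ("SourceFile", "LineNumberTable", "LocalVariableTable")


def constant_pool_utf8(data: bytes) -> set:
    """Walk the constant pool of one .class file and return its CONSTANT_Utf8 strings."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)
    off, i, names = 10, 1, set()
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                              # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, off)
            names.add(data[off + 2:off + 2 + n].decode("utf-8", "replace"))
            off += 2 + n
        elif tag in (3, 4):                       # Integer, Float
            off += 4
        elif tag in (5, 6):                       # Long, Double occupy two slots
            off += 8
            i += 1
        elif tag in (7, 8, 16, 19, 20):           # Class, String, MethodType, Module, Package
            off += 2
        elif tag in (9, 10, 11, 12, 17, 18):      # Field/Method/InterfaceMethod refs, NameAndType, Dynamic, InvokeDynamic
            off += 4
        elif tag == 15:                           # MethodHandle
            off += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return names


def debug_info(class_bytes: bytes) -> dict:
    names = constant_pool_utf8(class_bytes)
    return {a: a in names for a in ("Code",) + DEBUG_ATTRS}


def scan_archive(archive, prefix: str = "") -> tuple:
    """archive: path or bytes of a JAR/WAR/EAR. Returns (classes_with_code, [entries lacking full debug info]).
    Nested archives (for example WEB-INF/lib/*.jar) are scanned recursively."""
    src = io.BytesIO(archive) if isinstance(archive, (bytes, bytearray)) else archive
    total, lacking = 0, []
    with zipfile.ZipFile(src) as zf:
        for name in zf.namelist():
            if name.endswith((".jar", ".war", ".ear")):
                t, l = scan_archive(zf.read(name), prefix + name + "!")
                total, lacking = total + t, lacking + l
            elif name.endswith(".class") and not name.endswith("module-info.class"):
                info = debug_info(zf.read(name))
                if not info["Code"]:
                    continue
                total += 1
                if not (info["LineNumberTable"] and info["LocalVariableTable"]):
                    lacking.append(prefix + name)
    return total, lacking


def build_fake_class(utf8_entries) -> bytes:
    """Constructed sample: a class-file header and a Utf8-only constant pool (not loadable by a JVM)."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in utf8_entries)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(utf8_entries) + 1) + pool + bytes(8)


def build_sample_war() -> bytes:
    """Constructed WAR: one fully instrumented class, one built with javac defaults,
    one interface, and a nested library JAR whose class was built with -g:none."""
    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as zf:
        zf.writestr("org/example/Stripped.class", build_fake_class(["Stripped", "Code"]))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/classes/com/example/WithDebug.class",
                    build_fake_class(["WithDebug", "Code", "SourceFile", "LineNumberTable", "LocalVariableTable"]))
        zf.writestr("WEB-INF/classes/com/example/LinesOnly.class",
                    build_fake_class(["LinesOnly", "Code", "SourceFile", "LineNumberTable"]))
        zf.writestr("WEB-INF/classes/com/example/Iface.class", build_fake_class(["Iface", "SourceFile"]))
        zf.writestr("WEB-INF/lib/example-lib.jar", lib.getvalue())
    return war.getvalue()


if __name__ == "__main__":
    total, lacking = scan_archive(sys.argv[1] if len(sys.argv) > 1 else build_sample_war())
    print(f"{total} classes with code, {len(lacking)} lacking debug info")
    for entry in lacking:
        print("  ", entry)
```

Maven's compiler plugin and Gradle pass -g by default, so a non-empty list usually points at a module compiled with -g:none or debug=false, or at an obfuscation or shrinking step that strips the tables; that is the module to rebuild before re-uploading. An empty list does not prove the upload will prescan cleanly (missing dependencies fail prescan too), but it removes the cause the page singles out.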

Working with scan results

After you scan your project and import the results, they appear in the Results view.

To be able to download Veracode scan results using the Results API, you must have the Results API role.

If you do not see the Results view in Eclipse, you can access it from:

  • Window > Show View > Other > Veracode Views > Results
  • Window > Open Perspective > Other > Veracode

The Results view lists information about each flaw, including the CWE ID, category, module name, folder path, filename, function name, attack vector, line number, count, severity, exploitability, remediation effort, remediation status and mitigation status.

To view additional columns or hide columns, select the down arrow in the upper-right corner of the Results view and hover over Show Columns.

When the Veracode results open in the Results view, you can double-select one of the entries to open the source file. If the source file belongs to an open Eclipse project in the current workspace, the editor scrolls to and highlights the flaw location.

Import scan results

You can download scan results from the Veracode Platform and import them into your IDE. You can also download and import results with the Results API.

To complete this task:

  1. In the Veracode Platform, from the left navigation, select Results.
  2. Select Download Report and select Detailed XML Export (XML) from the dropdown menu.
  3. Select Download. The report downloads as a ZIP file with the XML document and the associated XSD schema.
  4. In your IDE, select Veracode > View Results.
  5. Select Browse. Then, select the XML results file to open.
  6. Select Open.

The scan results open in the Results window. In the Results window you can perform these tasks to review the results while working in your development project:

  • Filter or search for discovered flaws.
  • Double-select a flaw to open the source file, if the project that contains it is open in the workspace, and place your cursor on the line that contains the flaw.
  • Right-select a flaw and select to view the related call stacks, mitigations, and other details.

Import scan results using the Results API

You can download static scan results from within your IDE using the Results API.

Before you begin:

To be able to download Veracode scan results using the Results API, you must have the Results API role.

To complete this task:

  1. Select Veracode > Download Results. If the Veracode menu is not visible, ensure you have correctly installed the plugin.

  2. If prompted, enter your API credentials. Optionally, select the checkbox to store your API ID and key, so that you only have to enter your credentials one time.

  3. Select Submit.

  4. In the Download Results window, select the application, the scan type, and the scan. Then, select Download.

    The results download from Veracode into the Results view. By default, Veracode saves the results file to the Downloads directory on your local computer. For example, on Windows: C:\Users\{username}\Downloads.

  5. To change this default location, in your IDE, select Veracode > Options. Then, change the path in the Location field.

  6. Select Apply. Then, select OK.

Review scan results

You can view detailed information about static results in the Flaw Details view.

If you have an open Eclipse project in the current workspace and that project references a source file for a flaw, Veracode Static for Eclipse can open that source file and go to the line containing the flaw.

If source files are available, but are not referenced in any Eclipse project, you can create an Eclipse project and add references to the directory containing the source files. The directory structure of the binaries uploaded to Veracode must match the directory structure of the local source files. Veracode Static for Eclipse can open the source file of the flaw and locate the line where the flaw occurs as long as:

  • The folder structure within the Eclipse project is consistent with the Folder Path value in the Results view.
  • The filename of the source file matches the File Name value in the Results view.

Before you begin:

Ensure you have imported the scan results, which appear in the Results view.

To complete this task:

  1. In your IDE, select Window > Show View > Other > Veracode Views > Flaw Details.
  2. Select an entry in the Results view.
  3. If the Results view is open and contains flaw data, right-select an entry and select Show Details.

Create an Eclipse project with references to source files

You can create an Eclipse project and add references to the directory containing the source files.

To complete this task:

  1. Select Window > Show View > Other > Java > Package Explorer.
  2. Right-select inside the Package Explorer view and select New > Project.
  3. Enter a name for the new project and select Finish.
  4. In the Package Explorer view, right-select the new project and select Import.
  5. Expand the General folder node, select File System. Then, select Next.
  6. Select Browse.
  7. Locate and select the parent directory that contains the path shown in the Folder Path column in the Results view. Then, select OK. For example, if the Folder Path column shows a path of org/apache/http/impl/io, select the parent directory that contains the org folder.
  8. Select the checkbox next to the name of the selected directory.
  9. Under Options, select Advanced.
  10. Select the Create links in workspace checkbox.
  11. Select the Create link locations relative to: PROJECT_LOC checkbox.
  12. Select Finish.
  13. Confirm that the path to the files within the Project in Package Explorer matches the path in the Results view.

Review call stacks for findings

You can view call stacks for static findings from within your IDE.

Before you begin:

Ensure you have imported the scan results, which appear in the Results view.

To complete this task:

  1. In your IDE, select a finding in the Results view.
  2. Right-select the row you selected and, then, select Show Call Stacks to download the call stacks for that finding.
  3. In the Call Stacks view, double-select the finding to open the source file.
  4. Scroll the window to highlight the location of the finding within the source file. If the source file does not open, because it is not referenced in a project that is part of the current workspace, you can add references to that file.

Mitigate findings

You can mitigate flaws, including approving and rejecting existing mitigations, from within Eclipse.

Before you begin:

You must have the Mitigation API role.

From within your IDE, you can comment on a flaw and set the mitigation status as:

  • Potential false positive
  • Design
  • OS environment
  • Network environment
  • Mitigate by design

You can also accept or reject a flaw already flagged as mitigated.

To complete this task:

  1. In your IDE, select Veracode > View Results.

  2. From the Results window, in the Flaw ID column, select the checkbox next to one or more flaws that you want to mitigate.

  3. From the Actions dropdown menu, select a mitigation action and select Mitigate.

  4. In the Flaw Mitigation Request window, enter your comments.

  5. Select Continue.

  6. If you see an access denied error message, check for these issues, resolve them, and try to mitigate again:

    • There is a policy or sandbox scan in progress for the application.
    • You are not working with the most recent scan results.
    • You do not have the Mitigation API role.
    • Another user has locked the flaw in the Veracode Platform.

Uninstall the Eclipse plugin

You can uninstall Veracode Static for Eclipse if you want to remove it from Eclipse.

To complete this task:

  1. Select Help > About Eclipse IDE.
  2. In the About Eclipse IDE window, select Installation Details.
  3. From the list of installed software, select the plugin. Then, select Uninstall.