Static for IntelliJ
This plugin only supports Static Analysis scans. To run Static Analysis and Software Composition Analysis scans, and use Veracode Fix to apply suggested code patches to flaws, we recommend you use Veracode Scan for JetBrains.
Veracode Static for IntelliJ is a plugin for IntelliJ IDEA and Android Studio that enables you to upload binaries to Veracode for static analysis. You can work with the scan results from within your IDE to review and mitigate security findings in your applications.
Veracode also offers Veracode Greenlight for IntelliJ, which scans your code and provides instant detection of security findings from within IntelliJ or Android Studio. Instant detection discovers issues earlier so that you can address them quickly and frequently.
Supported versions
Veracode has tested the following versions, but the integration might work with other versions.
IntelliJ IDEA Ultimate or Community 2022.3–2024.3.3
Supported languages and frameworks
See the packaging requirements.
Install the plugin
You install Veracode Static for IntelliJ the same way you install other plugins in IntelliJ IDEA or Android Studio.
Before you begin:
Before installing Veracode Static for IntelliJ, you must have:
- Uninstalled any previous versions of the plugin.
- Set the IntelliJ theme to either IntelliJ or Darcula.
- Stored your API credentials in an API credentials file.
- Ensured that all required Veracode IP addresses for the Veracode APIs and integrations are on the allowlist for your organization. The plugin uses these addresses to authenticate with Veracode. To update your allowlist, you might need to contact your IT team.
To complete this task:
- Download Veracode Static for IntelliJ as a ZIP file from the Veracode Tools website.
- In your IDE, select File > Settings > Plugins.
- From the top right, select the gear icon, then select Install Plugin from Disk....
- Locate and select the ZIP file that you downloaded.
- Select OK.
- When prompted, restart your IDE.
Install the plugin behind a proxy
You can install the plugin behind a proxy.
Before you begin:
Ensure you know the HTTPS proxy settings the plugin must use to reach Veracode, so that you can configure them in your IDE. If you are unsure about your proxy settings, contact your network IT team.
To complete this task:
- In your IDE, select Veracode > Options > Tools > Veracode > Proxy.
- Select Connect using the default HTTPS proxy settings if you want to use the HTTPS proxy settings that you previously configured within your IDE. If you want to specify different proxy settings, complete these steps.
- Select Connect using the following proxy settings.
- Select Edit.
- Enter the proxy settings. Optionally, select the Requires Authentication option.
- Select OK.
- In the Preferences window, select OK.
Manage credentials
Store your API credentials or manage the passphrase that protects them.
Store API Credentials in a keychain
You can store your API credentials securely in an API credentials file or in your IDE.
We recommend that you use an API credentials file. The plugin uses these credentials to access Veracode.
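As an added example (not part of the plugin or of Veracode's own tooling), the following Python script writes and checks an API credentials file in the format the Veracode integrations read: an INI file with a [default] profile holding veracode_api_key_id and veracode_api_key_secret, by default at ~/.veracode/credentials. Because the file holds a long-lived API secret, the check that matters is that group and other have no access to it; the script creates the file with mode 0600 from the start rather than tightening it afterwards. The dummy key values and the demo() walk-through are constructed; the mode check only applies on POSIX systems.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Default location and profile layout of the Veracode API credentials file.
DEFAULT_PATH = Path.home() / ".veracode" / "credentials"
REQUIRED_KEYS = ("veracode_api_key_id", "veracode_api_key_secret")


def write_credentials(path, key_id, key_secret, profile="default"):
    """Create the credentials file so that it is readable by the owner only."""
    path = Path(path)
    # mode applies only when the directory is created; an existing parent is left alone
    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    # Create the file with 0600 at open time so the secret is never world-readable, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"[{profile}]\n")
        fh.write(f"{REQUIRED_KEYS[0]} = {key_id}\n")
        fh.write(f"{REQUIRED_KEYS[1]} = {key_secret}\n")
    os.chmod(path, 0o600)  # the mode passed to os.open only applies to a newly created file
    return path


def check_credentials(path=DEFAULT_PATH, profile="default"):
    """Return a list of problems; an empty list means the file is present, complete and protected."""
    path = Path(path)
    if not path.is_file():
        return [f"missing: {path}"]
    problems = []
    if os.name == "posix":
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            problems.append(f"{path} is mode {mode:04o}; group/other must have no access (expected 0600)")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    if not cfg.has_section(profile):
        problems.append(f"no [{profile}] section in {path}")
        return problems
    for key in REQUIRED_KEYS:
        value = cfg.get(profile, key, fallback="").strip()
        if not value:
            problems.append(f"{key} missing or empty in [{profile}]")
        elif value[0] in "\"'" or value[-1] in "\"'":
            # A common paste error: the value is stored with its quotes and authentication fails.
            problems.append(f"{key} appears to be quoted; store the raw value")
    return problems


def demo():
    """Constructed walk-through in a temporary directory: a correct file, then the same file made group-readable."""
    with tempfile.TemporaryDirectory() as tmp:
        # constructed dummy values, not real Veracode credentials
        path = write_credentials(Path(tmp) / "credentials", "0123456789abcdef", "fedcba9876543210")
        ok = check_credentials(path)
        os.chmod(path, 0o640)
        loose = check_credentials(path)
        return ok, loose


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    for problem in check_credentials(target):
        print(problem)
```

Run it with no argument to check the default file, or pass a path. The same check is worth running on a CI runner that uses a credentials file for the Veracode CLI, since a shared runner's home directory is where a loose mode most often goes unnoticed.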
To complete this task:
- In your IDE, select Veracode > Options > Tools > Veracode > Credentials.
- Select an option for storing your API credentials:
  - Store credentials in external file: use the credentials in your API credentials file. By default, if your credentials are not currently stored in your IDE, this option is selected. Select Test Credentials to verify that your credentials are valid.
  - Store credentials in IDE: select Add Credentials to enter and store your credentials in your IDE. By default, if your credentials are currently stored in your IDE, this option is selected.
- Select OK.
- If you selected to store your credentials in your IDE, the Veracode Keychain window opens. Create a passphrase that Veracode uses as a security key to encrypt your Veracode credentials before saving them. Veracode uses the passphrase to create a digest that it stores securely. This digest expires every 12 hours, after which the plugin prompts you to enter the passphrase to create a new digest.
- Enter your passphrase and then confirm it.
- Select Submit.
Change your passphrase
You can change your passphrase at any time.
To complete this task:
- In your IDE, select Veracode > Options > Tools > Veracode > Credentials.
- Select Change Passphrase.
- Enter and confirm your new passphrase.
- Select Submit.
Reset your passphrase
If your passphrase expires or you forget it, you can delete your passphrase and create a new one.
Resetting your passphrase automatically deletes your user credentials from storage.
To complete this task:
- Close and restart your IDE.
- Select Veracode > Upload and Scan.
- Select Forget passphrase.
- Select OK to delete your locally-stored credentials.
- Select Create Passphrase to create a new passphrase.
- Confirm your new passphrase and select Submit.
Scan your project
You can upload binaries of your applications in the Veracode Static Plugin for your IDE.
You cannot upload binaries during a scan. After the scan results are available, you can add more files.
The name of an uploaded file must stay the same between scans of the same application. Because filenames can change between builds of the same code (a version suffix, for example), rename the file before uploading so that the name stays consistent. If the Veracode Platform indicates that the filenames differ, select the New Filename column to rename the file so that it matches the name used for the same file in the previous scan.
Before you begin:
- You must have the Upload and Scan API role or Submitter role.
- To obtain detailed findings information in your scan results, the builder you use to package your code must generate debug symbol information.
To complete this task:
- In your IDE, select Veracode > Upload and Scan.
- If prompted, enter your API credentials. Select the checkbox to store your credentials so that you only have to enter them once.
- In the Upload and Scan window, from the Application dropdown menu, select the application for which you want to upload binaries. To add an application, select Add Application and enter the required information such as policy control and organization information.
- After adding an application, go to the Upload and Scan window, and, for Scan Type, select Policy Scan.
- Select Create Scan.
- In the Create Scan window, enter the name for the new scan and, optionally, the lifecycle stage.
- Select Create.
- In the Workspace Files table, use the browse icon to select the files you want to upload from your current projects.
- Select Add to select any files not associated with a current project.
- Select Upload.
- When prompted to confirm, select Yes to continue the upload.
- Select Yes to go directly to the Veracode prescan process after the upload completes. If you do not want the full scan to continue automatically, select No.
- Select Begin Prescan at the top of the Upload Files table. Files you have previously uploaded to the selected scan already appear in the Uploaded Files section.
- To delete previously uploaded files, select the specific files and select Delete. You cannot delete files that Veracode is currently scanning until the scan results are available. The status of a scan always appears in the top bar of the window.
- When the prescan is complete, select View Prescan Results at the top of the Upload Files table. Veracode notifies you when your scan is complete and results are available.
Scan in a sandbox
You can create a sandbox into which you upload your application files from your IDE. You can then scan your application from the sandbox.
To complete this task:
- In your IDE, select Veracode > Upload and Scan.
- If prompted, enter your API credentials. Select Store username and password so that you only have to enter your credentials one time.
- From the Application dropdown menu, select an application.
- In the Scan Type field, select Sandbox Scan.
- Select Create Sandbox and enter a name for the sandbox.
  Note: If you do not see the Create Sandbox button, contact Veracode Technical Support to enable this feature for your account.
- In the Workspace Files table, select the browse icon to select the files to upload from your current projects. Select Add to select any files not associated with a current project.
- Select Upload and then select Yes to confirm that you want to proceed with the upload.
- Select Yes to go directly to the Veracode prescan process after the upload completes. If you do not want the full scan to continue automatically, select No.
- Select Begin Prescan at the top of the Upload Files table.
- After the prescan completes, select View Prescan Results to review the results.
Run a prescan
You can begin a Static Analysis prescan of your application binaries immediately after you upload all files to Veracode. Prescans send email notifications when they complete. You can also check for prescan results using the getprescanresults.do call.
Before you begin:
- You must have the Upload and Scan API role or Submitter role. To obtain detailed findings information in your scan results, the builder you use to package your code must generate debug symbol information.
- Ensure you have uploaded your files to Veracode for scanning.
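Both Before you begin notes above (for uploading and for the prescan) require the build to emit debug symbol information, and a prescan that passes on a stripped build still yields findings without usable file and line information. For Java bytecode the relevant data are the SourceFile and LineNumberTable attributes: javac writes both by default (-g:source,lines), -g additionally writes LocalVariableTable, and -g:none strips all three. The following Python script, an added example that is not part of the plugin, checks a JAR for those attributes before you upload it. It parses only the constant pool of each class; an attribute name appears there as a CONSTANT_Utf8 entry when a matching attribute is present (a string literal with the same text would also match, which the check accepts as a rare false positive). It covers Java archives only, not other languages' debug formats. The constructed_class and constructed_jar helpers build synthetic inputs so that it runs offline; real use is to pass the path of your packaged JAR.

```python
import io
import struct
import sys
import zipfile

# Attribute names javac writes depending on -g:
#   -g:none                   -> none of these
#   default (-g:source,lines) -> SourceFile, LineNumberTable
#   -g                        -> additionally LocalVariableTable
DEBUG_ATTRIBUTES = ("SourceFile", "LineNumberTable", "LocalVariableTable")


def utf8_constants(class_bytes):
    """Return the set of CONSTANT_Utf8 strings in a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack(">IHHH", class_bytes[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    off = 10
    names = set()
    index = 1  # constant pool indices start at 1; count is (number of slots + 1)
    while index < count:
        tag = class_bytes[off]
        off += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then modified-UTF-8 bytes
            (length,) = struct.unpack(">H", class_bytes[off:off + 2])
            off += 2
            names.add(class_bytes[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in (3, 4):  # Integer, Float
            off += 4
        elif tag in (5, 6):  # Long, Double: 8 bytes and two pool slots
            off += 8
            index += 1
        elif tag in (7, 8, 16, 19, 20):  # Class, String, MethodType, Module, Package
            off += 2
        elif tag in (9, 10, 11, 12, 17, 18):  # Fieldref, Methodref, InterfaceMethodref, NameAndType, Dynamic, InvokeDynamic
            off += 4
        elif tag == 15:  # MethodHandle
            off += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        index += 1
    return names


def debug_attributes(class_bytes):
    """Map each debug attribute name to whether the class references it."""
    present = utf8_constants(class_bytes)
    return {attr: attr in present for attr in DEBUG_ATTRIBUTES}


def has_line_info(class_bytes):
    """True when the class carries what is needed to map a finding to a file and line."""
    attrs = debug_attributes(class_bytes)
    return attrs["SourceFile"] and attrs["LineNumberTable"]


def scan_jar(jar_source):
    """Check every .class entry in a JAR (path or file-like object); returns {entry: has_line_info}."""
    report = {}
    with zipfile.ZipFile(jar_source) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                report[name] = has_line_info(zf.read(name))
    return report


def constructed_class(utf8_strings):
    """Build a synthetic class-file prefix (magic, version, constant pool) for testing; not compiler output."""
    pool = b"".join(struct.pack(">BH", 1, len(s.encode())) + s.encode() for s in utf8_strings)
    pool += struct.pack(">Bq", 5, 42)  # one CONSTANT_Long, to exercise the two-slot rule
    count = len(utf8_strings) + 2 + 1
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, count) + pool


def constructed_jar():
    """In-memory JAR with one class that has line info and one compiled as if with -g:none (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/WithDebug.class",
                    constructed_class(["com/example/WithDebug", "Code", "SourceFile", "LineNumberTable", "LocalVariableTable"]))
        zf.writestr("com/example/Stripped.class",
                    constructed_class(["com/example/Stripped", "Code"]))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else constructed_jar()
    for entry, ok in sorted(scan_jar(source).items()):
        print("ok          " if ok else "NO LINE INFO", entry)
```

Run it against the JAR you are about to upload; any entry reported without line info points at a module built with -g:none or post-processed by an obfuscator or shrinker, and that module needs to be rebuilt before the scan results can be mapped back to source in the IDE.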
To complete this task:
- Select Yes in the window that opens. Prescan results appear in the Prescan Verification Results window informing you if the prescan succeeded or failed.
- If the prescan succeeded, select the checkbox in the Scan? column and select Yes at the bottom of the window.
Debug prescan files
You can debug prescan files if your uploaded files are in error status.
To complete this task:
- In your IDE, close the Prescan Verification Results window or select No at the bottom of the window.
- Go back to Veracode > Upload and Scan.
- If necessary, delete problematic binary files that you have previously uploaded, re-upload properly compiled binary files, or upload missing dependencies.
- Select Begin Prescan in the top-right of the window. The prescan completes.
- To start the full scan, select Yes at the bottom of the window.
Working with scan results
After you scan your project and import the results, they appear in the Results view.
To be able to see Veracode results, you must have the Results API role. To mitigate findings, you must have the Mitigation API role.
The Results view lists information about each finding, including the CWE ID, category, module name, folder path (if available), filename, function name, attack vector, line number, count, severity, exploitability, remediation effort, remediation status and mitigation status. To view additional columns or hide columns, select the icon to the right of the columns.
When the Veracode results open in the Results view, you can double-select an entry to open the source file. If the source file is in the current workspace and open in an IntelliJ project, the editor scrolls to highlight the location of the finding.
Import scan results
You can download scan results from the Veracode Platform and import them into your IDE. You can also import results with the Results API.
To complete this task:
- In the Veracode Platform, from the left navigation menu, select Results.
- Select Download Report and select Detailed XML Export (XML) from the dropdown menu.
- Select Download. The report downloads as a ZIP file with the XML document and the associated XSD schema.
- In your IDE, select Veracode > View Results.
- Select Browse. Then, select the XML results file to open.
- Select Open. The scan results open in the Results window. In the Results window you can perform these tasks to review the results while working in your development project:
  - Filter or search for discovered flaws.
  - Double-select a flaw to open the source file, if the project is open, and place your cursor on the line that contains the flaw.
  - Right-select a flaw and select to view the related call stacks, mitigations, and other details.
Import scan results using the Results API
You can download scan results from within your IDE using the Results API. You can also download and import results from the Veracode Platform.
Before you begin:
You must have the Results API role.
To complete this task:
- Select Veracode > Download Results. If the Veracode menu is not visible, ensure you have correctly installed the plugin.
- If prompted, enter your API credentials. Optionally, select the Store API and key checkbox, so that you only have to enter your credentials one time.
- Select Submit.
- In the Download Results window, select the required application, scan type, and specific scan. Then, select Download. The results download from Veracode into the Results view. By default, Veracode saves the results file to the Downloads directory on your local computer. For example, on Windows: C:\Users\{username}\Downloads.
- To change this default location, in your IDE, select Veracode > Options. Then, change the path in the Location field.
- Select Apply, then OK.
Review scan results
You can view detailed information of Veracode scan results in the Flaw Details view from within your IDE.
Before you begin:
Ensure you have imported the scan results.
To complete this task:
- In your IDE, select Window > Show View > Other > Veracode Views > Flaw Details.
- Select an entry in the Results view.
- If the Results view is open and contains flaw data, right-select an entry and select Show Details.
Review call stacks for findings
You can view call stacks for static findings from within your IDE.
Before you begin:
Ensure you have imported the scan results.
To complete this task:
- In your IDE, select a finding in the Results view.
- Right-select the row you selected and, then, select Show Call Stacks to download the call stacks for that finding.
- In the Call Stacks view, double-select the finding to open the source file.
- Scroll the window to highlight the location of the finding within the source file. If the source file does not open, because it is not referenced in a project that is part of the current workspace, you can add references to that file.
Mitigate findings
You can mitigate static flaws, including approving and rejecting existing mitigations, from within your IDE.
Before you begin:
- You must have the Mitigation API role.
- Ensure you have imported the scan results.
From within your IDE, you can comment on a flaw and set the mitigation status as:
- Potential false positive
- Design
- OS environment
- Network environment
- Mitigate by design
You can also accept or reject a flaw already flagged as mitigated.
To complete this task:
- In your IDE, select Veracode > View Results.
- From the Results window, in the Flaw ID column, select the checkbox next to one or more flaws that you want to mitigate.
- From the Actions dropdown menu, select a mitigation action. Then, select Mitigate.
- In the Flaw Mitigation Request window, enter your comments.
- Select Continue.
- If you see an access denied error message, check for these issues, resolve them, and try to mitigate again:
  - There is a policy or sandbox scan in progress for the application.
  - You are not working with the most recent scan results.
  - You do not have the Mitigation API role.
  - Another user has locked the flaw in the Veracode Platform.
Uninstall the plugin
You can uninstall Veracode Static for IntelliJ if you want to remove it from IntelliJ IDEA or Android Studio.
To complete this task:
- In your IDE, select Veracode > Options > Plugins.
- Select the Veracode Static for IntelliJ checkbox.
- Select the gear icon on the right side of the Plugins window.
- Select Uninstall.