Greenlight for Eclipse

Veracode Greenlight for Eclipse is a plugin for the Eclipse IDE. You can use the extension to run Veracode Greenlight scans of your code at the file level.

Supported versions

Veracode has tested the following versions (if listed), but the integration might work with other versions.

  • Eclipse 2022-12 (4.26) – 2023-09 (4.29)
  • IBM RAD
  • Spring Tool Suite

Supported languages and frameworks

Veracode has tested the following versions (if listed), but the integration might work with other versions.

  • Java 8, 11, 17
  • JavaScript
  • Apache Tomcat JSP (Eclipse only)
  • WebSphere JSP (IBM RAD only)

For more details, see the supported JavaScript libraries and technologies or the supported Java frameworks.

Supported files

  • Java files and packages that compile correctly in Java projects.
  • JavaScript embedded in these file types: ASP, CSS, EHTML, ES, ES6, HANDLEBARS, HBS, HJS, HTM, HTML, JS, JSX, JSON, JSP, MAP, MUSTACHE, PHP, TS, TSX, XHTML.
  • Java Server Page (JSP) files and folders that contain JSP files.
  • Non-minified JavaScript files and folders in JavaScript projects. Non-minified code has not had unnecessary characters, such as white space, new lines, comments, and block delimiters, removed.

Install the Eclipse plugin

You can install Greenlight for Eclipse as a plugin from within the IDE.

Before you begin:

Before you begin, you must have:

To complete this task:

  1. In Eclipse, select Help > Install New Software.
  2. In the Install window, select Add.
  3. In the Add Repository window, enter Veracode Greenlight in the Name field.
  4. In the Location field, enter the URL https://downloads.veracode.com/securityscan/eclipse
  5. Select OK. Greenlight appears in the list of available software.
  6. Select Next.
  7. Select Finish.
  8. If prompted, select Yes to restart. After your IDE restarts, you see the Veracode Greenlight menu.

Install the plugin from the Eclipse Marketplace

You can install Greenlight for Eclipse as a plugin from the Eclipse Marketplace.

Before you begin:

Before you begin, you must have:

To complete this task:

  1. Go to the Eclipse marketplace.
  2. Select Install and drag the icon to your Eclipse workspace.
  3. Follow the on-screen instructions in Eclipse to complete the installation. The Veracode Greenlight menu now appears at the top of the Eclipse workspace.

Add your credentials

After installing Greenlight for Eclipse, you must add your Veracode credentials to the plugin before you can start a scan.

Before you begin:

Ensure you meet the Greenlight prerequisites.

To complete this task:

  1. In Eclipse, select Window > Preferences.

  2. From the left navigation, select Veracode Greenlight > Credentials.

  3. Select an option for storing your API credentials:

    • Store credentials in external file: use the credentials in your API credentials file. By default, if your credentials are not currently stored in your IDE, this option is selected.
    • Store credentials in Eclipse: enter and store your credentials in your IDE. By default, if your credentials are currently stored in your IDE, this option is selected.
  4. If you selected to use an API credentials file, select Test Credentials to verify that your credentials are valid.

  5. Select Apply and Close.

Access the Greenlight tutorial

Veracode Greenlight provides a quick tutorial that appears when you install Greenlight for the first time. This getting-started tutorial remains accessible from the Veracode Greenlight dropdown menu, so you can refer to it at any time.

Scan your project

You can scan your Java or JavaScript code, including a package file containing code, directly within your IDE.

Before you begin:

Ensure you meet the Greenlight prerequisites.

To complete this task:

  1. Open the project and select the Java or JavaScript file you want to scan.
  2. Select Veracode Greenlight > Scan with Greenlight, or use the shortkey, Ctrl+6. You can also right-select a package file and select Veracode Greenlight > Scan with Greenlight to scan all files contained in the package.
  3. After the scan is complete, review the security findings on the Veracode Greenlight tab. The Veracode Greenlight results are summarized in the Findings subtab. In the Best Practices subtab, Veracode indicates the CWEs protected against in the code. The scan level indicates whether Veracode scanned at the package level or file level.
  4. Double-select a finding to locate the issue in the specific line of code in the scanned file.
  5. Alternatively, right-select a finding to see the actions you can choose: open the finding in the scanned file, show the finding details in a separate Details pane, or filter by severity or CWE.

Results:

The details for each finding provide information about the CWE and specific remediation advice on what you can do to fix the code.

Log file location for the scan:

C:\users\username\AppData\Local\Temp\

To clear all the results of the Veracode Greenlight scan, select the eraser icon in the top-right corner or use the shortkey, Ctrl+0.

Enable auto-scan

You can enable auto-scan to have Veracode Greenlight automatically scan any saved, successfully compiled file that is in focus in your IDE. Scans that you start yourself manually take precedence over scans that start automatically.

Greenlight never initiates a new automatic scan while another scan is already running, whether it is an automatic scan or one you started yourself. When a scan is ongoing, Greenlight adds newly saved files to a queue in the order you save them. The Veracode scan queue shows the priority in which Greenlight scans the files. The queue only shows automatically initiated scans because manually initiated scans always take precedence. The scans in the queue occur 30 seconds apart as long as the files compile successfully.

When a file does not compile, a message appears in the log file and Greenlight does not scan the file.

Before you begin:

Ensure you meet the Greenlight prerequisites.

To complete this task:

  1. Go to Veracode Greenlight > Configure Preferences > Veracode Greenlight > Settings.
  2. Select to automatically start a Greenlight scan when you open or save a file.
  3. Select Apply and Close. For Java projects, you can select the Build Automatically option so that Greenlight automatically scans any file that is in focus in the IDE as soon as you save it.

Cancel a scan

You can cancel an ongoing Greenlight scan in Eclipse. When scanning files in Eclipse, the progress of a scan displays in the standard Eclipse progress view.

Before you begin:

Ensure you meet the Greenlight prerequisites.

To complete this task:

  1. Go to the Eclipse Progress pane.
  2. Select the red square icon to the right of the Veracode Greenlight scan progress bar.

Scan JSP files from a Tomcat Server

You can use Greenlight for Eclipse with Apache Tomcat to scan JSP files. You enable the Tomcat application server to parse and compile the Java embedded in the JSP and create a class file for Greenlight to submit for scanning.

Before you begin:

Ensure you meet the Greenlight prerequisites.

To complete this task:

  1. Configure the local Tomcat server and deploy the project to that server.
  2. Make an HTTP request to that Tomcat server for each JSP resource you want to scan.
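The two steps above can be scripted. The following POSIX shell example is an added illustration and is not part of the Veracode documentation: it walks a locally deployed webapp directory, maps each JSP file to the URL Tomcat serves it at, and requests each one once so Tomcat parses and compiles the page into a class file for Greenlight to submit. The Tomcat `webapps/<context>` layout and the `http://localhost:8080` base URL are assumptions.

```shell
#!/bin/sh
# Added example (not from the Veracode documentation). Assumes a Tomcat
# "webapps/<context>" layout and a local server at http://localhost:8080.

# jsp_paths WEBAPP_DIR CONTEXT
# Print the URL path for each .jsp file under WEBAPP_DIR, one per line.
# Files under WEB-INF and META-INF are skipped because Tomcat never serves
# them directly, so a request would not compile them.
jsp_paths() {
  webapp_dir=${1%/}
  context=$2
  find "$webapp_dir" -type f -name '*.jsp' \
    ! -path '*/WEB-INF/*' ! -path '*/META-INF/*' |
  sed "s|^$webapp_dir|/$context|" | sort
}

# request_jsps BASE_URL WEBAPP_DIR CONTEXT
# Fetch each JSP once and print "<http status> <path>". A non-200 status
# usually means the page did not compile, so Greenlight will have no class
# file to scan for it; fix that page before running the scan.
request_jsps() {
  base_url=$1
  shift
  jsp_paths "$@" | while IFS= read -r path; do
    status=$(curl -s -o /dev/null -w '%{http_code}' "$base_url$path")
    printf '%s %s\n' "$status" "$path"
  done
}

# Usage with a hypothetical local deployment:
#   request_jsps http://localhost:8080 /opt/tomcat/webapps/myapp myapp
```

Run the script against the same Tomcat instance the Eclipse project is deployed to, then start the Greenlight scan; only JSPs that returned a success status have a compiled class file to scan.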

Scan JSP files from a WebSphere server

You can use Greenlight for Eclipse to scan JSP files from a WebSphere Server.

Before you begin:

Ensure you meet the Greenlight prerequisites.

To complete this task:

  1. Clean the server of data and restart the server in debug mode. Review your WebSphere documentation for information on these tasks.

  2. Configure the local WebSphere server with these JSP engine configuration parameters for the project:

    <jsp-attribute name="keepgenerated" value="false" />
    <jsp-attribute name="keepGeneratedclassfiles" value="false" />
    <jsp-attribute name="deleteClassFilesBeforeRecompile" value="true" />

Troubleshoot scans

Veracode Greenlight for Eclipse only supports Eclipse binaries, which means you may experience problems when scanning projects built with third-party build automation tools, such as Maven or Gradle. If you are compiling with Maven or Gradle, we recommend that you use the Eclipse plugin for that build tool to import your files.

After you import the project into Eclipse using the Maven or Gradle plugin, if you are still experiencing issues scanning your Eclipse project with Greenlight, try these actions.

Note:

Any project must build successfully outside of Eclipse. If you have problems such as classpath or buildpath errors, Eclipse cannot build the files needed to submit a scan to Greenlight.

Troubleshoot Gradle projects

After you import the project into Eclipse using the Gradle plugin, if you are still experiencing issues scanning your Eclipse project with Veracode Greenlight, try using the Java plugin. For example, the build.gradle file must contain apply plugin: 'java'.

Troubleshoot Maven projects

If you compiled your files using Maven and then imported these files, ensure the .project file contains the Java and Maven natures.

To add the natures manually, add the following code to your .project file.

<buildSpec>
  <buildCommand>
    <name>org.eclipse.jdt.core.javabuilder</name>
    <arguments></arguments>
  </buildCommand>
  <buildCommand>
    <name>org.eclipse.m2e.core.maven2Builder</name>
    <arguments></arguments>
  </buildCommand>
</buildSpec>
<natures>
  <nature>org.eclipse.jdt.core.javanature</nature>
  <nature>org.eclipse.m2e.core.maven2Nature</nature>
</natures>
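Before editing .project by hand, it helps to know which of the four identifiers above are actually missing. The following POSIX shell check is an added example, not part of the Veracode documentation or the m2e project; it greps a .project file for each builder and nature name and reports the ones that are absent.

```shell
#!/bin/sh
# Added example (not from the Veracode documentation): report which of the
# Java and Maven builder/nature identifiers are missing from a .project file.

# required_project_entries
# The builder and nature identifiers the troubleshooting section lists.
required_project_entries() {
  printf '%s\n' \
    'org.eclipse.jdt.core.javabuilder' \
    'org.eclipse.m2e.core.maven2Builder' \
    'org.eclipse.jdt.core.javanature' \
    'org.eclipse.m2e.core.maven2Nature'
}

# missing_project_entries PROJECT_FILE
# Print each required identifier that does not appear as an element value
# (">identifier<") in PROJECT_FILE. Exit status 0 when nothing is missing,
# 1 when at least one identifier must still be added.
missing_project_entries() {
  project_file=$1
  missing=0
  for entry in $(required_project_entries); do
    if ! grep -qF ">$entry<" "$project_file"; then
      printf '%s\n' "$entry"
      missing=1
    fi
  done
  return $missing
}

# Usage from the project root (hypothetical path):
#   missing_project_entries ./.project || echo "add the listed entries"
```

The check is deliberately a plain substring match: Eclipse writes these identifiers verbatim, so a fixed-string grep is enough to decide whether the manual edit is needed, without parsing the XML.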

Monitor scan status

When using Greenlight for Eclipse, in the Project Explorer, the following icons provide an at-a-glance status of the files included in each scan.

  • [scan-in-progress icon]: scan in progress
  • [no-findings icon]: no findings found
  • [scan-failed icon]: scan failed
  • [findings icon]: findings found

You can see the progress of a scan in the bottom right of the Eclipse window. The scan times out after one minute if there are any issues.

Filter findings

You can filter results so that you can focus on the findings that are the most relevant and important.

Filters are local to your IDE and let you hide findings in the Veracode Greenlight results by severity or CWE type. You can clear a filter at any time, and all filters are cleared when you restart the IDE.

Before you begin:

You have scanned your project.

To complete this task:

  1. In your IDE, select the Set Filters icon in the top-right corner. Alternatively, you can use the shortkey, Ctrl+8.
  2. In the Set Filters window, clear the finding severities you do not want to see.
  3. Enter the CWE text or ID of the CWE that you want to see.
  4. Select Hide to move that CWE to the column of CWEs that you do not want to see.
  5. Select OK. At any time, you can reselect any severities or move the CWEs in the Hide column back to the Show column.

Ignore findings

If there are known findings in your code that continually appear in your Veracode Greenlight results, you can ignore them to temporarily remove them from the Greenlight results.

The ignore finding feature removes a finding from the list of all findings. You can show the finding again at any time. Veracode Greenlight ignores any repeated occurrences of an ignored finding in future scans and between IDE sessions. Ignored findings are only local to the developer and do not affect scans by other developers or any part of the application scan.

Before you begin:

You have scanned your project.

To complete this task:

  1. In your IDE, select the Veracode Greenlight tab.
  2. Select the row for a finding you want to hide. Then, in the Actions column, select Ignore.
  3. In the Ignore Flaw window, review the details of the finding and select Ignore. The finding now appears in the Ignored subtab of the Veracode Greenlight tab of the IDE.
  4. To undo the Ignore action, go to the Ignored subtab, select the finding and, in the Actions column, select Show.

Enable debug logs

You can enable debug logs to get troubleshooting information for Veracode Greenlight. You can use this information to troubleshoot issues on your own or provide it to Veracode Technical Support.

Before you begin:

Ensure you meet the Greenlight prerequisites.

To complete this task:

  1. Search your computer for the eclipse.ini file. The file is usually next to your Eclipse IDE executable file you used to install Eclipse.
  2. Edit the eclipse.ini file and add this property: -Dgreenlight.debug=true.
  3. Save the file.
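In eclipse.ini, JVM system properties such as -Dgreenlight.debug=true must appear after the -vmargs line; anything before it is read as a launcher argument instead. The following POSIX shell function is an added example, not part of the Veracode documentation: it adds the property after -vmargs, appends a -vmargs line if the file has none, and leaves the file unchanged when the property is already present.

```shell
#!/bin/sh
# Added example (not from the Veracode documentation): enable the Greenlight
# debug property in eclipse.ini without duplicating it or placing it before
# -vmargs.

# enable_greenlight_debug INI_FILE
# Append -Dgreenlight.debug=true after -vmargs, adding -vmargs first if the
# file does not have one. Idempotent: a second call changes nothing.
enable_greenlight_debug() {
  ini=$1
  prop='-Dgreenlight.debug=true'
  # "--" stops grep from reading the leading "-D" as an option.
  if grep -qxF -- "$prop" "$ini"; then
    echo "already enabled: $ini"
    return 0
  fi
  if ! grep -qx -- '-vmargs' "$ini"; then
    printf '%s\n' '-vmargs' >> "$ini"
  fi
  printf '%s\n' "$prop" >> "$ini"
  echo "enabled: $ini"
}

# greenlight_debug_enabled INI_FILE
# Exit 0 only when the property is present somewhere after a -vmargs line,
# which is the placement the JVM actually honours.
greenlight_debug_enabled() {
  awk '/^-vmargs$/ { seen = 1 }
       seen && $0 == "-Dgreenlight.debug=true" { found = 1 }
       END { exit found ? 0 : 1 }' "$1"
}

# Usage (hypothetical install path):
#   enable_greenlight_debug /opt/eclipse/eclipse.ini
#   greenlight_debug_enabled /opt/eclipse/eclipse.ini && echo "ok"
```

After the change, restart Eclipse; the greenlight.log file described below only starts receiving entries once the IDE has been relaunched with the new property.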

A new greenlight.log file now logs your Greenlight actions. The file is located in:

C:\users\username\AppData\Local\Temp\

Uninstall the Eclipse plugin

Uninstall Greenlight for Eclipse and, optionally, delete all Eclipse files if you need the storage capacity.

To complete this task:

  1. In the IDE, select Help > About Eclipse > Installation Details.
  2. On the Installed Software tab, select Veracode Greenlight and select Uninstall.
  3. When prompted to confirm your action, select Finish. Greenlight for Eclipse is now disabled, but not completely removed from your computer.
  4. Exit Eclipse.
  5. Manually remove all the files associated with Veracode Greenlight for Eclipse from the eclipse/features directory.
  6. Manually remove Veracode Greenlight for Eclipse from the eclipse/plugins directory. Refer to the Eclipse documentation for more information on deleting files.
  7. Start Eclipse with the -clearPersistedState command-line option to remove any metadata that Eclipse might have cached.