Greenlight for IntelliJ

note

Veracode has deprecated Greenlight for IntelliJ and will only update it for maintenance releases. To continue running static analysis scans at the file level, migrate to Veracode Scan for JetBrains.

Veracode Greenlight for IntelliJ is a plugin for the JetBrains IntelliJ IDEA and Android Studio. You can use the extension to run Veracode Greenlight scans of your code at the file level.

Supported versions

Veracode has tested the following versions, but the integration might work with other versions.

IntelliJ IDEA Ultimate or Community 2019.3–2023.1

Supported languages and frameworks

Veracode has tested the following versions (if listed), but the integration might work with other versions.

• Java 8, 11, 17
• JavaScript
• Apache Tomcat JSP (IntelliJ only)

For more details, see the supported JavaScript libraries and technologies or the supported Java frameworks.

Kotlin is not supported.

Supported files

• Java classes that compile successfully. If the classes do not compile successfully, the plugin does not include them in the scan.
• Top-level packages that contain other packages, as well as non-minified JavaScript files.
• Non-minified code has not had unnecessary characters such as white space, new lines, comments, and block delimiters removed.
• JavaScript embedded in these file types: ASP, CSS, EHTML, ES, ES6, HANDLEBARS, HBS, HJS, HTM, HTML, JS, JSON, JSP (IntelliJ only), JSX, MAP, MUSTACHE, PHP, TS, TSX, and XHTML.

Install the plugin

You can install Veracode Greenlight for IntelliJ as a plugin in IntelliJ IDEA or Android Studio. The plugin is available from the JetBrains Marketplace.

Before you begin:

Before you begin, you must have:

• Confirmed you have a supported version of IntelliJ or Android Studio and the plugin supports your code language.
• Ensured you meet the Greenlight prerequisites.
• Starting with Veracode Greenlight for IntelliJ version 1.6.0, if you have IntelliJ version 2020 or greater, ensure you have installed JavaFX Runtime for Plugins from the JetBrains Marketplace.

To complete this task:

1. Go to the JetBrains Marketplace and search for veracode.
2. Select Veracode Greenlight to go to the Veracode Greenlight page.
3. Select the Versions tab to show the plugin versions.
4. Download the latest release of the Veracode Greenlight for IntelliJ plugin. The plugin is a ZIP file.
5. In IntelliJ, select File > Settings.
6. In the Settings window, select Plugins.
7. Select the gear icon and select Install Plugin from Disk.
8. Select the ZIP file for the Veracode Greenlight for IntelliJ plugin and select OK.
9. Select Accept to accept the notice and proceed with the installation.
10. Restart IntelliJ to complete the installation.

IntelliJ detects your API credentials file and you can start using the plugin to scan your code. If you have not configured an API credentials file, or there is an issue with the file or your credentials, you see the Veracode Configure Your Credentials window. You can also add your API credentials to IntelliJ.

Add your credentials

After installing Veracode Greenlight, you must add your Veracode credentials to the plugin before you can start a scan.

Before you begin:

You meet the Greenlight prerequisites.

To complete this task:

1. In IntelliJ or Android Studio, select Tools > Veracode Greenlight > Configure Preferences. The Settings window opens with Veracode Greenlight selected.

2. Select one of these options:

   • Store credentials in external file to use the API credentials stored in your API credentials file. To confirm that the credentials in the file are valid and that the plugin can authenticate with Veracode, select Test Credentials.
   • Store credentials in IntelliJ to add and store your API credentials in IntelliJ.

3. Select OK to save the settings and close the window.

Access the Greenlight tutorial

Veracode Greenlight provides a quick tutorial that appears when you install Greenlight for the first time. This getting-started type tutorial is accessible from the Veracode Greenlight dropdown menu for you to reference at any time.

Scan your project

You can scan your Java or JavaScript code, including a package file containing code, directly within your IDE.

Before you begin:

Ensure you meet the Greenlight prerequisites.

To complete this task:

1. In your IDE, open the project and select the Java or JavaScript file you want to scan.

2. Select Tools > Veracode Greenlight > Scan with Greenlight. Alternatively, you can select the green V icon in the menu bar or use the shortkey, Ctrl+Shift+G.

   You can also right-select a package file and select Veracode Greenlight > Scan with Greenlight to scan all files contained in the package.

3. After the scan is complete, review the security findings on the Veracode Greenlight tab.

   The Veracode Greenlight results are summarized in the Findings subtab. In the Best Practices subtab, Veracode indicates the CWEs protected against in the code. The scan level indicates whether Veracode scanned at the package level or file level.

4. Double-select a finding to locate the issue in the specific line of code in the scanned file.

5. Alternatively, right-select a finding to see the actions you can choose: open the finding in the scanned file, show the finding details in a separate Details pane, or filter by severity or CWE.

Enable auto-scan

You can enable auto-scan to automatically scan any saved, successfully compiled file that is in focus in your IDE.

Scans that you start yourself manually take precedence over scans that start automatically. Greenlight never initiates a new automatic scan while another scan is already running, whether it is an automatic scan or one you started yourself. When a scan is ongoing, Greenlight adds newly saved files to a queue in the order you save them.

The Veracode scan queue shows the priority in which Greenlight scans the files. The queue only shows automatically initiated scans because manually initiated scans always take precedence. The scans in the queue occur 30 seconds apart as long as the files compile successfully. When a file does not compile, a message appears in the log file and Greenlight does not scan the file.

Before you begin:

You meet the Greenlight prerequisites.

To complete this task:

1. In your IDE, select Tools > Veracode Greenlight > Auto-Scan.

2. Select to automatically start a Greenlight scan when you open or save a file.

   For Java projects, you can select the Build Automatically option and Greenlight automatically scans any file that is in focus in the IDE as soon as it saves.

Review findings

You can review the details of each finding from a Veracode Greenlight scan from wtihin your IDE.

Before you begin:

You have scanned your project.

To complete this task:

1. In your IDE, hover over any of the colored text to see a quick outline of the severity, the CWE ID and name, and a link to the details of the finding.
2. On the Findings tab, select a finding to locate the issue in the specific line of code.
3. On the Findings tab, in the Actions column, select Details to open the Details window. The Details window provides a description of the selected finding, the associated CWE, and recommended remediation steps.
4. Select to rescan the current file, or select to clear all the results on the Findings tab.

Underline findings in code

You can enable a setting that adds a red underline to the filename of files with detected findings.

Before you begin:

You have scanned your project.

To complete this task:

1. In your IDE, select Tools > Veracode Greenlight > Configure Preferences.
2. Select the checkbox under the Settings section.
3. Select OK.

A summary of your Veracode Greenlight scan is available on the Findings tab. The scan level indicates whether the scan occurred at the package level or file level. The scan results on the Best Practices subtab provide coding best practices and also list the CWEs against which your code is protected.

The scan results use colored lines to identify findings and best practices. The colors correlate to the finding severity type: Very High, High, Medium, and Low. For example, code that contains a finding is highlighted red and code that contains a best practice is underlined green.

Filter findings

You can filter results so that you can focus on the findings that are the most relevant and important.

The filter action is local to you to be able to filter out findings in the Veracode Greenlight results based on severity or CWE type. You can clear a filter manually at any time, and all filters clear automatically upon reboot or restart of the IDE.

Before you begin:

You have scanned your project.

To complete this task:

1. In your IDE, select the Set Filters icon in the top-right corner. Alternatively, you can use the shortkey, CTRL+8.
2. In the Set Filters window, clear the finding severities you do not want to see.
3. Enter the CWE text or ID of the CWE that you want to see.
4. Select Hide to move that CWE to the column of CWEs that you do not want to see.
5. Select OK. At any time, you can reselect any severities or move the CWEs in the Hide column back to the Show column.

Ignore findings

If there are known findings in your code that continually appear in your Greenlight results, you can ignore them to temporarily remove them from future results.

The ignore finding feature removes a finding from the list of all findings. You can show the finding again at any time. Veracode Greenlight ignores any repeated occurrences of an ignored finding in future scans and between IDE sessions. Ignored findings are only local to the developer and do not affect scans by other developers or any part of the application scan.

Before you begin:

You have scanned your project.

To complete this task:

1. In your IDE, select the Veracode Greenlight tab.
2. Select the row for a finding you want to hide.
3. In the Actions column, select Ignore.
4. In the Ignore Flaw window, review the details of the finding and select Ignore. The finding now appears in the Ignored subtab of the Veracode Greenlight tab of the IDE.
5. To undo the Ignore action, go to the Ignored subtab, select the finding and, in the Actions column, select Show.

Synchronize Gradle projects

If you scan a project built outside your IDE, and you notice errors during scanning, synchronizing your projects might resolve these errors.

IntelliJ and Android Studio provide an option for generating module files that they can use to synchronize the IDE and Gradle project files during a build. See the IntelliJ or Android Studio documentation for details about these files.

To complete this task:

1. Locate the Gradle project file build.gradle.

2. Add apply plugin:"idea" to build.gradle.

3. In the IDE, select File > Settings > Build, Execution, Deployment > Build Tools > Gradle.

4. Select Generate *.iml files for modules imported from Gradle to generate these files during the next build:

   • {project name}.ipr for project configuration
   • {project name}.iml for module configuration
   • {project name}.iws for workspace configuration

5. Select OK.

Enable debug logs

You can enable debug logs to get troubleshooting information for Veracode Greenlight. You can use this information to troubleshoot issues on your own or provide it to Veracode Technical Support.

To complete this task:

1. In your IDE, select Help > Edit Custom VM Options. A .vmoptions file opens.
2. In the .vmoptions file, add this property: -Dgreenlight.debug=true.
3. Save the file.

A new greenlight.log file now logs your Greenlight actions. The file is located in:

Windows

C:\users\username\AppData\Local\Temp\

macOS

In your terminal, run open $TMPDIR

Linux

/tmp