Vulnerable dependencies
Larger and more complex projects usually have number of third-party dependencies that help develop productivity, extending the common libraries and frameworks functionality.
However, relying on the third-party code arises the security issue whether you use vulnerable dependencies in your project.
The bundled IntelliJ IDEA Package Checker plugin that is powered by Checkmarx checks Gradle, Maven, NPM and PyPI dependencies for known vulnerabilities and lets you manage such cases by getting the information about a vulnerable dependency and update it to the newly released version.
Find vulnerable dependencies in the editor
Open the necessary file, for example, pom.xml or build.gradle, in the editor.
The IDE highlights packages that are considered vulnerable.
Place the caret at a highlighted package and press Alt+Enter to see the suggested fixes. They may suggest updating to a safe version or visiting the Checkmarx website to learn more about a particular vulnerability.
Change the inspection severity
You can change the severity of the inspection and make it, for example, "error" instead of "warning".
Press Control+Alt+S to open the IDE settings and then select
.From the options on the right, select the Security node and select the name of the inspection.
Change the severity, scope, and highlighting as needed. Click OK to save the changes.
Analyze code to find all vulnerable dependencies
In addition, you can run an inspection to display the list of all (declared and imported) vulnerable dependencies in the project.
Go to Show Vulnerable Dependencies.
and clickAlternatively, right-click a file in the Project tool window (for example, pom.xml or build.gradle) and select .
The result is displayed on the Vulnerable Dependencies tab of the Problems tool window ( or Alt+6) .
For each vulnerability, you can see an indication of the severity. Click a specific dependency to see more information about the vulnerabilities that were found in that dependency.
Report false positives
If you believe that a dependency identified as vulnerable is safe, you can report a false positive.
Click the required dependency on the Vulnerable Dependencies tab of the Problems tool window to open its description.
Locate the vulnerability that you want to report and click Report false positive.
You will see a notification with confirmation.