  • Stars: 153
  • Rank: 243,368 (Top 5%)
  • Language: Java
  • License: Apache License 2.0
  • Created over 7 years ago
  • Updated over 1 year ago


Repository Details

JFrog IntelliJ IDEA plugin

JFrog IntelliJ IDEA Plugin

About this Plugin

The plugin allows developers to find and fix security vulnerabilities in their projects and to see valuable information about the status of their code by continuously scanning it locally with JFrog Xray.

What security capabilities do we provide?

Software Composition Analysis (SCA)

Scan your project dependencies for security issues.

CVE Research and Enrichment

For selected security issues, get enhanced CVE data provided by our JFrog Security Research team. Prioritize the CVEs based on:

  • JFrog Severity: The severity given by the JFrog Security Research team after the manual analysis of the CVE by the team. CVEs with the highest JFrog security severity are the most likely to be used by real-world attackers. This means that you should put effort into fixing them as soon as possible.
  • Research Summary: The summary that is based on JFrog's security analysis of the security issue provides detailed technical information on the specific conditions for the CVE to be applicable.
  • Remediation: Detailed fix and mitigation options for the CVEs.

You can learn more about enriched CVEs here.

Check out what our research team is up to and stay updated on newly discovered issues by clicking on this link: https://research.jfrog.com

Advanced Scans

Requires Xray version 3.66.5 or above and Enterprise X / Enterprise+ subscription with Advanced DevSecOps.

With advanced Contextual Analysis, understand the applicability of CVEs in your application and utilize JFrog Security scanners to analyze the way you use 3rd party packages in your projects. Automatically validate some high-impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitation, and reduce false positives and vulnerability noise with smart CVE analysis.

To learn more, see here.

Additional Perks

  • Security issues are easily visible inline.
  • The results show issues with context, impact, and remediation.
  • View all security issues in one place, in the JFrog tab.
  • For Security issues with an available fixed version, you can upgrade to the fixed version within the plugin.
  • Track the status of the code while it is being built, tested, and scanned on the CI server.

In addition to IntelliJ IDEA, the plugin also supports the following IDEs:

  • WebStorm
  • PyCharm
  • Android Studio
  • GoLand

Supported Packages

| Feature                                           | Go | Maven | Gradle Groovy | Gradle Kotlin | npm | Yarn v1 | Python |
|---------------------------------------------------|----|-------|---------------|---------------|-----|---------|--------|
| SCA                                               | ✅ | ✅    | ✅            | ✅            | ✅  | ✅      | ✅     |
| CVE Research and Enrichment                       | ✅ | ✅    | ✅            | ✅            | ✅  | ✅      | ✅     |
| Upgrade vulnerable dependencies to fixed versions | ✅ | ✅    | ✅            | ✅            | ✅  | ✅      | ❌     |
| Contextual Analysis                               | ❌ | ❌    | ❌            | ❌            | ✅  | ❌      | ✅     |

Getting Started

  1. Install the JFrog IntelliJ IDEA Plugin via the Plugins tab in the IDE settings, or in JetBrains Marketplace.
  2. Connect the plugin to your JFrog environment.
  3. Start using the plugin.

Connecting to Your JFrog Environment

Set Up a FREE JFrog Environment in the Cloud

Need a FREE JFrog environment in the Cloud, so that JFrog IntelliJ IDEA Plugin can connect to it? Just run one of the following commands in your terminal. The commands will do the following:

  1. Install JFrog CLI on your machine.
  2. Create a FREE JFrog environment in the Cloud for you.
  3. Configure IntelliJ IDEA to connect to your new environment.

MacOS and Linux using cURL

curl -fL https://getcli.jfrog.io?setup | sh

Windows using PowerShell

powershell "Start-Process -Wait -Verb RunAs powershell '-NoProfile iwr https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/[RELEASE]/jfrog-cli-windows-amd64/jf.exe -OutFile $env:SYSTEMROOT\system32\jf.exe'" ; jf setup

Connect the Plugin to an Existing JFrog Environment

You can connect the plugin to your JFrog environment:

In the IDE Settings

Once the plugin is successfully installed, connect the plugin to your instance of the JFrog Platform:
  1. If your JFrog Platform instance is behind an HTTP proxy, configure the proxy settings as described here. Manual proxy configuration is supported since version 1.3.0 of the JFrog IntelliJ IDEA Plugin. Auto-detect proxy settings is supported since version 1.7.0.
  2. Under Settings (Preferences) | Other Settings, click JFrog Global Configuration.
  3. Set your JFrog Platform URL and login credentials.
  4. Test your connection to Xray using the Test Connection button.

Using Environment Variables

The plugin also supports connecting to your JFrog environment using environment variables:
  1. Under Settings (Preferences) | Other Settings, click JFrog Global Configuration.
  2. Mark Load connection details from environment variables.

You may provide basic auth credentials or access token as follows:

Note: For security reasons, it is recommended to unset the environment variables after launching the IDE.

  • JFROG_IDE_PLATFORM_URL - JFrog Platform URL
  • JFROG_IDE_USERNAME - JFrog Platform username
  • JFROG_IDE_PASSWORD - JFrog Platform password
  • JFROG_IDE_ACCESS_TOKEN - JFrog Platform access token

Notes:

  • If your JFrog Platform instance uses a domain with a self-signed certificate, add the certificate to IDEA as described here.
  • From JFrog Xray version 1.9 to 2.x, IntelliJ IDEA users connecting to Xray from IntelliJ are required to be granted the ‘View Components’ action in Xray.
  • From JFrog Xray version 3.x, as part of the JFrog Platform, IntelliJ IDEA users connecting to Xray from IntelliJ require ‘Read’ permission. For more information, see here.
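The note above recommends unsetting the variables once the IDE is running. A way to avoid ever placing the token in the interactive shell is to hand the variables to the IDE process alone. The script below is an added example and not part of the plugin or its README: it wraps the IDE launcher with `env`, so the variables exist only in the child process and nothing is left to unset. The token-file path, the launcher name (`idea`, `pycharm`, `goland`) and the placeholder platform URL are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the plugin's own code): launch an IntelliJ-based IDE with
# the JFrog connection details set only in the IDE's environment. Nothing is
# exported into the calling shell, so there is no lingering token to unset.

# launch_ide_with_jfrog TOKEN_FILE IDE_CMD [IDE_ARGS...]
#   TOKEN_FILE  file holding the access token (path is an assumption)
#   IDE_CMD     IDE launcher, e.g. idea, pycharm, goland (assumption)
# JFROG_IDE_PLATFORM_URL is taken from the caller's environment if set;
# otherwise a constructed placeholder URL is used.
launch_ide_with_jfrog() {
  token_file="$1"
  ide_cmd="$2"
  shift 2

  if [ ! -r "$token_file" ]; then
    echo "token file '$token_file' is missing or unreadable" >&2
    return 2
  fi
  # Warn if other users can read the token file (POSIX find -perm -004).
  if [ -n "$(find "$token_file" -perm -004 2>/dev/null)" ]; then
    echo "warning: $token_file is readable by other users" >&2
  fi

  # `env VAR=value cmd` sets the variables for the child process only; the
  # token never becomes a shell variable and never lands in shell history.
  env JFROG_IDE_PLATFORM_URL="${JFROG_IDE_PLATFORM_URL:-https://example.jfrog.io}" \
      JFROG_IDE_ACCESS_TOKEN="$(cat "$token_file")" \
      "$ide_cmd" "$@"
}

# Usage (assumed launcher name and token path):
#   launch_ide_with_jfrog "$HOME/.config/jfrog/ide-token" idea "$PWD"
```

Keep the token file mode 0600; the function only warns when it is world-readable, it does not change permissions. Because the IDE inherits the variables from `env`, child processes the IDE spawns (terminals, build tools) inherit them too, which is the same exposure the README's unset advice addresses for the interactive shell.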

Apply Xray Policies

You can configure the JFrog IntelliJ IDEA Plugin to use the security policies you create in Xray. Policies enable you to create a set of rules, in which each rule defines security criteria, with a corresponding set of automatic actions according to your needs. Policies are enforced when applying them to Watches.

If you'd like to use a JFrog Project that is associated with the policy, follow these steps:

  1. Create a JFrog Project, or obtain the relevant JFrog Project key.
  2. Create a Policy on JFrog Xray.
  3. Create a Watch on JFrog Xray and assign your Policy and Project as resources to it.
  4. Configure your Project key in the plugin settings: under Settings (Preferences) | Other Settings, click JFrog Global Configuration and go to the Settings tab.

If however your policies are referenced through Xray Watches, follow these steps instead:

  1. Create one or more Watches on JFrog Xray.
  2. Configure your Watches in the plugin settings: under Settings (Preferences) | Other Settings, click JFrog Global Configuration and go to the Settings tab.

Using the Plugin

After the JFrog Plugin is installed, a new JFrog panel is added at the bottom of the screen. Opening the JFrog panel displays two views:

  • The Local view displays information about the local code as it is being developed in the IDE. JFrog Xray continuously scans the project's dependencies and source code locally. The information is displayed in the Local view.
  • The CI view allows the tracking of the code as it is built, tested and scanned by the CI server. It displays information about the status of the build and includes a link to the build log on the CI server.

The Local View

The JFrog IntelliJ IDEA Plugin continuously scans your project's dependencies with JFrog Xray and displays this information under the Local view. It allows developers to view vulnerability information about their dependencies and source code in their IDE. With this information, a developer can make an informed decision on whether to use a component or not before it gets entrenched into the organization’s product.

Scanning a Project

Scan your project by clicking the Run Scan button. After the scan is done, a list of vulnerable files will appear.

Each descriptor file (like pom.xml in Maven, go.mod in Go, etc.) in the list contains vulnerable dependencies, and each dependency contains the vulnerabilities themselves.

By right-clicking on a dependency line, you can jump to the dependency's declaration in the descriptor file (if it's a direct dependency), or to direct dependencies that depend on the vulnerable component (if any).

By right-clicking on a vulnerability line, you can create an Ignore Rule in Xray.

Creating Ignore Rules is only available when a JFrog Project or Watch is defined.

Viewing Vulnerability Details

Clicking a vulnerability in the list will open the vulnerability details view. This view contains information about the vulnerability, the vulnerable component, fixed versions, impact paths and much more.

Contextual Analysis

Requires Xray version 3.66.5 or above and Enterprise X / Enterprise+ subscription with Advanced DevSecOps.

Xray automatically validates some high and very high impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitation, and provides contextual analysis information for these vulnerabilities, to assist you in figuring out which vulnerabilities need to be fixed.

Contextual Analysis data includes:

  • Contextual Analysis status: Contextual Analysis results indicating if a CVE was found applicable in your application or not applicable.
  • Contextual Analysis breakdown: An explanation provided by our research team as to why the CVE was found applicable or not applicable.
  • Remediation: Contextual mitigation steps and options provided by our research team that assist you with remediating the issues.

Severity Icons

The icon shows the top severity issue of a selected component and its transitive dependencies. The severities, from highest to lowest, are:

  • Critical
  • High
  • Medium
  • Low
  • Unknown
  • Not Applicable

The CI View

The JFrog IntelliJ IDEA Plugin allows you to view information about your builds directly from your CI system. This allows developers to keep track of the status of their code, while it is being built, tested and scanned as part of the CI pipeline, regardless of the CI provider used.

This information can be viewed inside IntelliJ IDEA, from the JFrog Panel, under the CI tab.

The following details can be made available in the CI view:

  • Status of the build run (passed or failed)
  • Build run start time
  • Git branch and latest commit message
  • Link to the CI run log
  • Security information about the build artifacts and dependencies

How Does It Work?

The CI information displayed in IDEA is pulled by the JFrog IDEA Plugin directly from JFrog Artifactory. This information is stored in Artifactory as part of the build-info, which is published to Artifactory by the CI server. Read more about build-info in the Build Integration documentation page. If the CI pipeline is also configured to scan the build-info by JFrog Xray, the JFrog IDEA Plugin will pull the results of the scan from JFrog Xray and display them in the CI view as well.

Setting Up CI Integration

Set up your CI pipeline to expose information, so that it is visible in IDEA as described here.

Next, follow these steps:

  1. Under Settings (Preferences) | Other Settings, click JFrog Global Configuration. Configure the JFrog Platform URL and the user you created.
  2. Under Settings (Preferences) | Other Settings, click JFrog CI Integration. Set your CI build name in the Build name pattern field. This is the name of the build published to Artifactory by your CI pipeline. You have the option of setting * to view all the builds published to Artifactory.
  3. Click Apply and open the CI tab under the JFrog panel at the bottom of the screen and click the Refresh button.

Android Studio Support for JCEF

The JFrog IntelliJ IDEA Plugin uses JCEF (Java Chromium Embedded Framework) to create a webview component in the plugin's tool window.

Most IntelliJ-based IDEs use a boot runtime that contains JCEF by default.

Android Studio and some older versions of other IntelliJ-based IDEs use a boot runtime that doesn't contain JCEF by default, and therefore the plugin can't be loaded in them.

To solve this issue, open the "Choose Boot Runtime for the IDE" dialog where you can change the boot runtime to one that contains JCEF.

Troubleshooting

The JFrog IntelliJ IDEA Plugin writes to the IntelliJ IDEA log files. By default, the log level used by the plugin is INFO.

You have the option of increasing the log level to DEBUG. Here's how to do it:

  1. Go to Help | Diagnostic Tools | Debug Log Settings...
  2. Inside the Custom Debug Log Configuration window add the following line:
#com.jfrog.ide.idea.log.Logger

To see the IntelliJ IDEA log file, go to Help | Show/Reveal Log in Explorer/Finder/Konqueror/Nautilus; the exact menu item depends on the IDE version and OS, as described here.

Reporting Issues

Please report issues by opening an issue on GitHub.

Contributions

We welcome community contribution through pull requests. To help us improve this project, please read our Contribution guide.

Release Notes

The release notes are available on Marketplace.

More Repositories

  1. project-examples (C#, 974 stars): Small projects in universal build ecosystems to configure CI and Artifactory
  2. jfrog-cli (Go, 532 stars): JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
  3. artifactory-user-plugins (Groovy, 356 stars): Sample Artifactory User Plugins
  4. artifactory-docker-examples (Shell, 330 stars): Examples for using Artifactory Docker distribution in various environments
  5. artifactory-client-java (Java, 318 stars): Artifactory REST Client Java API bindings
  6. frogbot (Go, 299 stars): 🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
  7. terraform-provider-artifactory (Go, 275 stars): Terraform provider to manage JFrog Artifactory
  8. charts (Shell, 255 stars): JFrog official Helm Charts
  9. setup-jfrog-cli (TypeScript, 245 stars): Set up JFrog CLI in your GitHub Actions workflow
  10. jfrog-client-go (Go, 211 stars): All go clients for JFrog products
  11. log4j-tools (Java, 168 stars)
  12. gocenter (164 stars): The Github README for JFrog Go-center. Use this for reporting issues
  13. jfrog-vscode-extension (TypeScript, 151 stars): JFrog VS-Code Extension
  14. terraform-provider-xray (Go, 149 stars): Terraform provider to manage JFrog Xray
  15. terraform-provider-project (Go, 148 stars): Terraform provider to manage JFrog Projects
  16. build-info (Java, 146 stars): Artifactory's open integration layer for CI build servers
  17. artifactory-scripts (Groovy, 143 stars): Scripts for Artifactory (Usually, for REST API), community driven.
  18. text4shell-tools (Python, 104 stars)
  19. jfrog-spring-tools (Python, 80 stars)
  20. JFrog-Cloud-Installers (CSS, 78 stars): Template to deploy Artifactory Enterprise cluster.
  21. jfrog-docker-desktop-extension (TypeScript, 74 stars): 🐸 Scans any of your local Docker images for security vulnerabilities. 🐋
  22. nexus2artifactory (Python, 67 stars): NexusToArtifactory - A tool designed to ease migration from Sonatype Nexus to JFrog Artifactory.
  23. nimbuspwn-tools (Shell, 64 stars)
  24. build-info-go (Go, 63 stars): build-info-go is a Go library and a CLI, which allows generating build-info for a source code project.
  25. jfrog-npm-tools (Python, 54 stars)
  26. cocoapods-art (Ruby, 53 stars): CocoaPods Plugin to work against Artifactory Repository
  27. jfrog-cli-plugins-reg (Go, 52 stars)
  28. kubenab (Go, 46 stars): Kubernetes Admission Webhook to enforce pulling of Docker images from the private registry.
  29. froggit-go (Go, 45 stars): Froggit-Go is a universal Go library, allowing to perform actions on VCS providers.
  30. jfrog-CVE-2023-25136-OpenSSH_Double-Free (Python, 43 stars)
  31. vault-plugin-secrets-artifactory (Go, 42 stars): HashiCorp Vault Secrets Plugin for Artifactory
  32. teamcity-artifactory-plugin (Java, 42 stars): TeamCity plugin that enables traceable build artifacts with Artifactory
  33. jfrog-azure-devops-extension (JavaScript, 41 stars)
  34. chartcenter (Dockerfile, 41 stars): The Central Helm Repository for the Community
  35. bamboo-artifactory-plugin (Java, 40 stars): Atlassian Bamboo plugin that enables traceable build artifacts with Artifactory
  36. jfrog-docker-repo-simple-example (Dockerfile, 39 stars): Getting started with JFrog Docker Repos - Example
  37. jfrog-CVE-2022-21449 (Python, 38 stars)
  38. cve-2024-3094-tools (Shell, 37 stars)
  39. artifactory-cli-go (Go, 33 stars): Artifactory CLI written in Golang
  40. jfrog-cli-core (Go, 32 stars)
  41. gitlab-templates (30 stars): Templates for CI/CD in GitLab using JFrog CLI
  42. docker2artifactory (Python, 29 stars)
  43. mlflow-jfrog-plugin (Python, 28 stars)
  44. log-analytics-prometheus (27 stars): JFrog Prometheus Log Analytics Integration
  45. artifactory-docker-builder (Groovy, 27 stars)
  46. auto-mat (Java, 26 stars): A docker container to generate heap dump reports and indexes for eclipse MAT
  47. kubexray (Go, 25 stars): JFrog KubeXray scanner on Kubernetes
  48. artifactory-maven-plugin (Java, 23 stars): A Maven plugin to resolve artifacts from Artifactory, deploy artifacts to Artifactory, capture and publish build info.
  49. jfrog-registry-operator (Go, 22 stars): Enhancing AWS Security: JFrog's Seamless Integration and the Power of AssumeRole
  50. artifactory-gradle-plugin (Java, 21 stars): JFrog Gradle plugin for Build Info extraction and Artifactory publishing.
  51. log-analytics (Shell, 19 stars): JFrog Log Analytics
  52. polkit-tools (Shell, 18 stars)
  53. jfrog-cli-plugins (Go, 17 stars)
  54. gofrog (Go, 16 stars): A collection of go utilities
  55. bower-art-resolver (JavaScript, 15 stars)
  56. jfrog-openssl-tools (Python, 15 stars)
  57. DevRel (Java, 12 stars)
  58. artifactory-sbt-plugin (Scala, 12 stars): The SBT Plugin for Artifactory resolve and publish
  59. artifactory-user-plugins-devenv (Shell, 12 stars): Development Environment for writing Artifactory User Plugins
  60. aws-codestar (Shell, 12 stars): Artifactory-Code Star integration
  61. gradle-dep-tree (Java, 12 stars): Gradle plugin that reads the Gradle dependencies of a given Gradle project, and generates a dependency tree.
  62. SwampUp2022 (Shell, 12 stars)
  63. jfrog-client-js (TypeScript, 11 stars): Xray Javascript Client
  64. maven-anno-mojo (Java, 11 stars): Write Maven plugins using annotations
  65. jfrog-ecosystem-integration-env (Dockerfile, 11 stars): A Docker image containing all the tools JFrog CLI integrates with and supports.
  66. bamboo-jfrog-plugin (Java, 10 stars): Easy integration between Bamboo and the JFrog Platform.
  67. xray-client-java (Java, 9 stars): Xray Java Client
  68. artifactory-bosh-release (HTML, 9 stars): Bosh release of Artifactory for the PCF
  69. msbuild-artifactory-plugin (C#, 8 stars): Artifactory integration with MSBuild
  70. documentation (Go, 8 stars)
  71. log-analytics-splunk (JavaScript, 8 stars): JFrog Splunk Log Analytics Integration
  72. docker-compose-demos (Shell, 8 stars): JFrog example demos using docker compose
  73. jfrog-visual-studio-extension (C#, 8 stars)
  74. log-analytics-elastic (8 stars): JFrog Elastic Fluentd Kibana Log Analytics Integration
  75. jfrog-ui-essentials (JavaScript, 8 stars)
  76. jfrog-ide-webview (TypeScript, 8 stars): JFrog-IDE-Webview is a React-based HTML page designed to be seamlessly embedded within JFrog VS Code Extension and the JFrog IDEA Plugin.
  77. go-mockhttp (Go, 7 stars)
  78. ide-plugins-common (Java, 7 stars): Common code used by the JFrog Idea Plugin and the JFrog Eclipse plugin
  79. jfrog-pipelines-task (7 stars)
  80. nuget-deps-tree (TypeScript, 7 stars): This npm package reads the NuGet dependencies of a .NET project, and generates a dependencies tree object.
  81. log-analytics-datadog (Dockerfile, 7 stars): JFrog Datadog Log Analytics Integration
  82. knife-art (Ruby, 7 stars): Knife Artifactory integration
  83. jfrog-pipelines-go-task (Makefile, 7 stars)
  84. jfrog-mission-control-2.0 (Groovy, 7 stars): Jfrog Mission Control 2.0 example scripts
  85. jfrog-cli-plugin-template (Go, 6 stars)
  86. npm_domain_check (Python, 6 stars)
  87. go-license-discovery (Go, 6 stars): A go library for matching text against known OSS licenses
  88. sample-soleng-python-project (Python, 6 stars)
  89. jfrog-distroless (Starlark, 6 stars)
  90. maven-dep-tree (Java, 6 stars): Maven plugin that reads the Maven dependencies of a given Maven project, and generates a dependency tree.
  91. terraform-provider-pipeline (Go, 6 stars): Terraform provider to manage Artifactory Pipelines
  92. docker-remote-util (Groovy, 6 stars): A groovy util library to interact with docker remote api
  93. webapp-examples (CSS, 6 stars): Examples of Web Application that use Artifactory as a backend
  94. jfrog-pipelines-jenkins-example (Go, 5 stars)
  95. jfrog-cli-security (Go, 5 stars): Go module that encompasses the security commands of JFrog CLI
  96. fan4idea (Java, 4 stars)
  97. live-logs (Go, 4 stars)
  98. gocmd (Go, 4 stars)
  99. jfrog-pipelines-docker-sample (Shell, 4 stars)
  100. SwampUp2023 (HCL, 4 stars)