Table of Contents
- About this Plugin
- Supported Packages
- Getting Started
- Using the Plugin
- Android Studio Support for JCEF
- Troubleshooting
- Reporting Issues
- Contributions
- Release Notes
About this Plugin
The plugin allows developers to find and fix security vulnerabilities in their projects and to see valuable information about the status of their code by continuously scanning it locally with JFrog Xray.
What security capabilities do we provide?
Software Composition Analysis (SCA)
Scan your project dependencies for security issues.
CVE Research and Enrichment
For selected security issues, leverage enhanced CVE data provided by the JFrog Security Research team. Prioritize the CVEs based on:
- JFrog Severity: The severity given by the JFrog Security Research team after the manual analysis of the CVE by the team. CVEs with the highest JFrog security severity are the most likely to be used by real-world attackers. This means that you should put effort into fixing them as soon as possible.
- Research Summary: The summary that is based on JFrog's security analysis of the security issue provides detailed technical information on the specific conditions for the CVE to be applicable.
- Remediation: Detailed fix and mitigation options for the CVEs.
You can learn more about enriched CVEs here.
Check out what our research team is up to and stay updated on newly discovered issues by clicking on this link: https://research.jfrog.com
Advanced Scans
Requires Xray version 3.66.5 or above and Enterprise X / Enterprise+ subscription with Advanced DevSecOps.
With advanced Contextual Analysis, understand the applicability of CVEs in your application and utilize JFrog Security scanners to analyze the way you use 3rd party packages in your projects. Automatically validate some high-impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitation, and reduce false positives and vulnerability noise with smart CVE analysis.
To learn more, see here.
Additional Perks
- Security issues are easily visible inline.
- The results show issues with context, impact, and remediation.
- View all security issues in one place, in the JFrog tab.
- For Security issues with an available fixed version, you can upgrade to the fixed version within the plugin.
- Track the status of the code while it is being built, tested, and scanned on the CI server.
In addition to IntelliJ IDEA, the plugin also supports the following IDEs:
- WebStorm
- PyCharm
- Android Studio
- GoLand
Supported Packages
Features | Go | Maven | Gradle Groovy | Gradle Kotlin | npm | Yarn v1 | Python |
---|---|---|---|---|---|---|---|
SCA | |||||||
CVE Research and Enrichment | |||||||
Upgrade vulnerable dependencies to fixed versions | |||||||
Contextual Analysis | |||||||
Getting Started
- Install the JFrog IntelliJ IDEA Plugin via the Plugins tab in the IDE settings, or in JetBrains Marketplace.
- Connect the plugin to your JFrog environment.
- Start using the plugin.
Connecting to Your JFrog Environment
Set Up a FREE JFrog Environment in the Cloud
Need a FREE JFrog environment in the Cloud, so that JFrog IntelliJ IDEA Plugin can connect to it? Just run one of the following commands in your terminal. The commands will do the following:
- Install JFrog CLI on your machine.
- Create a FREE JFrog environment in the Cloud for you.
- Configure IntelliJ IDEA to connect to your new environment.
MacOS and Linux using cURL
curl -fL https://getcli.jfrog.io?setup | sh
Windows using PowerShell
powershell "Start-Process -Wait -Verb RunAs powershell '-NoProfile iwr https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/[RELEASE]/jfrog-cli-windows-amd64/jf.exe -OutFile $env:SYSTEMROOT\system32\jf.exe'" ; jf setup
Connect the Plugin to an Existing JFrog Environment
You can connect the plugin to your JFrog environment:
In the IDE Settings
Once the plugin is successfully installed, connect the plugin to your instance of the JFrog Platform:
- If your JFrog Platform instance is behind an HTTP proxy, configure the proxy settings as described here. Manual proxy configuration is supported since version 1.3.0 of the JFrog IntelliJ IDEA Plugin. Auto-detection of proxy settings is supported since version 1.7.0.
- Under Settings (Preferences) | Other Settings, click JFrog Global Configuration.
- Set your JFrog Platform URL and login credentials.
- Test your connection to Xray using the Test Connection button.
Using Environment Variables
The plugin also supports connecting to your JFrog environment using environment variables:
- Under Settings (Preferences) | Other Settings, click JFrog Global Configuration.
- Mark Load connection details from environment variables.
You may provide basic auth credentials or an access token as follows:
- JFROG_IDE_PLATFORM_URL - JFrog Platform URL
- JFROG_IDE_USERNAME - JFrog Platform username
- JFROG_IDE_PASSWORD - JFrog Platform password
- JFROG_IDE_ACCESS_TOKEN - JFrog Platform access token
Note: For security reasons, it is recommended to unset the environment variables after launching the IDE.
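The following launcher script is an added example, not part of the JFrog plugin project, showing one way to follow the note above: the connection variables are passed only to the IDE process (via `env`), so they never land in the interactive shell's environment and there is nothing left to unset afterwards. The token is read from a file rather than typed on the command line, because command-line arguments are visible to other users in the process list. The token file path, the platform URL and the IDE launcher name are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: scope the JFrog IDE plugin's connection variables to a single
# child process. Not part of the JFrog plugin; paths and URLs are placeholders.

# Read a secret from a file that contains only the secret (trailing newline
# removed). Keeping the token in a mode-0600 file avoids exposing it in
# shell history or in the process list.
read_secret_file() {
    tr -d '\n' < "$1"
}

# launch_with_jfrog_env URL TOKEN_FILE COMMAND [ARGS...]
# Runs COMMAND with JFROG_IDE_PLATFORM_URL and JFROG_IDE_ACCESS_TOKEN set for
# that command only. `env` hands the variables to the child; the calling
# shell's environment is never modified, so no later `unset` is required.
launch_with_jfrog_env() {
    local url token_file token
    url=$1
    token_file=$2
    shift 2
    if [ ! -r "$token_file" ]; then
        echo "token file not readable: $token_file" >&2
        return 1
    fi
    token=$(read_secret_file "$token_file") || return 1
    env JFROG_IDE_PLATFORM_URL="$url" JFROG_IDE_ACCESS_TOKEN="$token" "$@"
}

# Self-check with constructed values: the child sees both variables, the
# parent shell sees neither. Returns 0 on success.
demo_scoped_env() {
    local tmp rc
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    printf 'constructed-token-123' > "$tmp"   # constructed, not a real token
    launch_with_jfrog_env "https://example.jfrog.io" "$tmp" sh -c \
        '[ "$JFROG_IDE_ACCESS_TOKEN" = "constructed-token-123" ] &&
         [ "$JFROG_IDE_PLATFORM_URL" = "https://example.jfrog.io" ]'
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    # The parent shell must not have inherited the secret.
    [ -z "${JFROG_IDE_ACCESS_TOKEN:-}" ] || return 1
    return 0
}

# Real usage (placeholder launcher name "idea"; run in the background so the
# shell stays usable while the IDE runs):
#   launch_with_jfrog_env "https://example.jfrog.io" "$HOME/.jfrog-ide-token" idea &
```

If you prefer the pattern the note describes (export, launch, then unset), the same function works unchanged: the variables still exist only in the IDE process, and the interactive shell has nothing to clean up. The plugin reads the variables at IDE startup, so either approach is compatible with the "Load connection details from environment variables" setting.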
Notes:
- If your JFrog Platform instance uses a domain with a self-signed certificate, add the certificate to IDEA as described here.
- From JFrog Xray version 1.9 to 2.x, IntelliJ IDEA users connecting to Xray from IntelliJ are required to be granted the ‘View Components’ action in Xray.
- From JFrog Xray version 3.x, as part of the JFrog Platform, IntelliJ IDEA users connecting to Xray from IntelliJ require ‘Read’ permission. For more information, see here.
Apply Xray Policies
You can configure the JFrog IntelliJ IDEA Plugin to use the security policies you create in Xray. Policies enable you to create a set of rules, in which each rule defines security criteria, with a corresponding set of automatic actions according to your needs. Policies are enforced when applying them to Watches.
If you'd like to use a JFrog Project that is associated with the policy, follow these steps:
- Create a JFrog Project, or obtain the relevant JFrog Project key.
- Create a Policy on JFrog Xray.
- Create a Watch on JFrog Xray and assign your Policy and Project as resources to it.
- Configure your Project key in the plugin settings: under Settings (Preferences) | Other Settings, click JFrog Global Configuration and go to the Settings tab.
If however your policies are referenced through Xray Watches, follow these steps instead:
- Create one or more Watches on JFrog Xray.
- Configure your Watches in the plugin settings: under Settings (Preferences) | Other Settings, click JFrog Global Configuration and go to the Settings tab.
Using the Plugin
After the JFrog Plugin is installed, a new JFrog panel is added at the bottom of the screen. Opening the JFrog panel displays two views:
- The Local view displays information about the local code as it is being developed in the IDE. JFrog Xray continuously scans the project's dependencies and source code locally. The information is displayed in the Local view.
- The CI view allows the tracking of the code as it is built, tested and scanned by the CI server. It displays information about the status of the build and includes a link to the build log on the CI server.
The Local View
The JFrog IntelliJ IDEA Plugin continuously scans your project's dependencies with JFrog Xray and displays this information under the Local view. It allows developers to view vulnerability information about their dependencies and source code in their IDE. With this information, a developer can make an informed decision on whether to use a component or not before it gets entrenched into the organization’s product.
Scanning a Project
Scan your project by clicking the Run Scan button. After the scan is done, a list of vulnerable files will appear.
Each descriptor file (like pom.xml in Maven, go.mod in Go, etc.) in the list contains vulnerable dependencies, and each dependency contains the vulnerabilities themselves.
By right-clicking on a dependency line, you can jump to the dependency's declaration in the descriptor file (if it's a direct dependency), or to direct dependencies that depend on the vulnerable component (if any).
By right-clicking on a vulnerability line, you can create an Ignore Rule in Xray.
Creating Ignore Rules is only available when a JFrog Project or Watch is defined.
Viewing Vulnerability Details
Clicking a vulnerability in the list will open the vulnerability details view. This view contains information about the vulnerability, the vulnerable component, fixed versions, impact paths and much more.
Contextual Analysis
Requires Xray version 3.66.5 or above and Enterprise X / Enterprise+ subscription with Advanced DevSecOps.
Xray automatically validates some high and very high impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitation, and provides contextual analysis information for these vulnerabilities, to assist you in figuring out which vulnerabilities need to be fixed.
Contextual Analysis data includes:
- Contextual Analysis status: Contextual Analysis results indicating if a CVE was found applicable in your application or not applicable.
- Contextual Analysis breakdown: An explanation provided by our research team as to why the CVE was found applicable or not applicable.
- Remediation: Contextual mitigation steps and options provided by our research team that assist you with remediating the issues.
Severity Icons
The icon indicates the top-severity issue of a selected component and its transitive dependencies. The severities, from highest to lowest, are:
- Critical
- High
- Medium
- Low
- Unknown
- Not Applicable
The CI View
The JFrog IntelliJ IDEA Plugin allows you to view information about your builds directly from your CI system. This allows developers to keep track of the status of their code, while it is being built, tested and scanned as part of the CI pipeline, regardless of the CI provider used.
This information can be viewed inside IntelliJ IDEA, from the JFrog Panel, under the CI tab.
The following details can be made available in the CI view:
- Status of the build run (passed or failed)
- Build run start time
- Git branch and latest commit message
- Link to the CI run log
- Security information about the build artifacts and dependencies
How Does It Work?
The CI information displayed in IDEA is pulled by the JFrog IDEA Plugin directly from JFrog Artifactory. This information is stored in Artifactory as part of the build-info, which is published to Artifactory by the CI server. Read more about build-info in the Build Integration documentation page. If the CI pipeline is also configured to scan the build-info by JFrog Xray, the JFrog IDEA Plugin will pull the results of the scan from JFrog Xray and display them in the CI view as well.
Setting Up CI Integration
Set up your CI pipeline to expose information, so that it is visible in IDEA as described here.
Next, follow these steps:
- Under Settings (Preferences) | Other Settings, click JFrog Global Configuration and configure the JFrog Platform URL and the user you created.
- Under Settings (Preferences) | Other Settings, click JFrog CI Integration. Set your CI build name in the Build name pattern field. This is the name of the build published to Artifactory by your CI pipeline. You have the option of setting * to view all the builds published to Artifactory.
- Click Apply and open the CI tab under the JFrog panel at the bottom of the screen and click the Refresh button.
Android Studio Support for JCEF
The JFrog IntelliJ IDEA Plugin uses JCEF (Java Chromium Embedded Framework) to create a webview component in the plugin's tool window.
Most IntelliJ-based IDEs use a boot runtime that contains JCEF by default.
Android Studio and some older versions of other IntelliJ-based IDEs use a boot runtime that doesn't contain JCEF by default, and therefore the plugin can't be loaded in them.
To solve this issue, open the "Choose Boot Runtime for the IDE" dialog where you can change the boot runtime to one that contains JCEF.
Troubleshooting
The JFrog IntelliJ IDEA Plugin uses the IntelliJ IDEA log files. By default, the log level used by the plugin is INFO.
You have the option of increasing the log level to DEBUG. Here's how to do it:
- Go to Help | Diagnostic Tools | Debug Log Settings...
- Inside the Custom Debug Log Configuration window add the following line:
#com.jfrog.ide.idea.log.Logger
To see the IntelliJ IDEA log file, go to Help | Show/Reveal Log in Explorer/Finder/Konqueror/Nautilus (the exact menu item depends on the IDE version and OS, as described here).
Reporting Issues
Please report issues by opening an issue on Github.
Contributions
We welcome community contribution through pull requests. To help us improve this project, please read our Contribution guide.
Release Notes
The release notes are available on Marketplace.