Table of Contents
- About this Plugin
- Supported Packages
- Getting Started
- Using the Plugin
- Android Studio Support for JCEF
- Troubleshooting
- Reporting Issues
- Contributions
- Release Notes
About this Plugin
The plugin allows developers to find and fix security vulnerabilities in their projects and to see valuable information about the status of their code by continuously scanning it locally with JFrog Xray.
What security capabilities do we provide?
Software Composition Analysis (SCA)
Scan your project dependencies for security issues.
CVE Research and Enrichment
For selected security issues, get leverage-enhanced CVE data that is provided by our JFrog Security Research team. Prioritize the CVEs based on:
- JFrog Severity: The severity given by the JFrog Security Research team after the manual analysis of the CVE by the team. CVEs with the highest JFrog security severity are the most likely to be used by real-world attackers. This means that you should put effort into fixing them as soon as possible.
- Research Summary: The summary that is based on JFrog's security analysis of the security issue provides detailed technical information on the specific conditions for the CVE to be applicable.
- Remediation: Detailed fix and mitigation options for the CVEs
You can learn more about enriched CVEs here.
Check out what our research team is up to and stay updated on newly discovered issues by clicking on this link: https://research.jfrog.com
Advanced Scans
Requires Xray version 3.66.5 or above and Enterprise X / Enterprise+ subscription with Advanced DevSecOps.
With advanced Contextual Analysis, understand the applicability of CVEs in your application and utilize JFrog Security scanners to analyze the way you use 3rd party packages in your projects. Automatically validate some high-impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitations, and reduce false positives and vulnerability noise with smart CVE analysis.
To learn more, see here.
Additional Perks
- Security issues are easily visible inline.
- The results show issues with context, impact, and remediation.
- View all security issues in one place, in the JFrog tab.
- For Security issues with an available fixed version, you can upgrade to the fixed version within the plugin.
- Track the status of the code while it is being built, tested, and scanned on the CI server.
In addition to IntelliJ IDEA, the plugin also supports the following IDEs:
- WebStorm
- PyCharm
- Android Studio
- GoLand
Supported Packages
Features | Go | Maven | Gradle Groovy | Gradle Kotlin | npm | Yarn v1 | Python |
---|---|---|---|---|---|---|---|
SCA | |||||||
CVE Research and Enrichment | |||||||
Upgrade vulnerable dependencies to fixed versions | |||||||
Contextual Analysis |
Getting Started
- Install the JFrog IntelliJ IDEA Plugin via the Plugins tab in the IDE settings, or in JetBrains Marketplace.
- Connect the plugin to your JFrog environment.
- Start using the plugin.
Connecting to Your JFrog Environment
Set Up a FREE JFrog Environment in the Cloud
Need a FREE JFrog environment in the Cloud, so that JFrog IntelliJ IDEA Plugin can connect to it? Just run one of the following commands in your terminal. The commands will do the following:
- Install JFrog CLI on your machine.
- Create a FREE JFrog environment in the Cloud for you.
- Configure IntelliJ IDEA to connect to your new environment.
MacOS and Linux using cURL
curl -fL https://getcli.jfrog.io?setup | sh
Windows using PowerShell
powershell "Start-Process -Wait -Verb RunAs powershell '-NoProfile iwr https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/[RELEASE]/jfrog-cli-windows-amd64/jf.exe -OutFile $env:SYSTEMROOT\system32\jf.exe'" ; jf setup
Connect the Plugin to an Existing JFrog Environment
You can connect the plugin to your JFrog environment:
In the IDE Settings
Once the plugin is successfully installed, connect the plugin to your instance of the JFrog Platform:- If your JFrog Platform instance is behind an HTTP proxy, configure the proxy settings as described here. Manual proxy configuration is supported since version 1.3.0 of the JFrog IntelliJ IDEA Plugin. Auto-detect proxy settings is supported since version 1.7.0.
- Under Settings (Preferences) | Other Settings, click JFrog Global Configuration.
- Set your JFrog Platform URL and login credentials.
- Test your connection to Xray using the Test Connection button.
Using Environment Variables
The plugin also supports connecting to your JFrog environment using environment variables:- Under Settings (Preferences) | Other Settings, click JFrog Global Configuration.
- Mark Load connection details from environment variables.
You may provide basic auth credentials or access token as follows:
Note: For security reasons, it is recommended to unset the environment variables after launching the IDE.
JFROG_IDE_PLATFORM_URL
- JFrog Platform URLJFROG_IDE_USERNAME
- JFrog Platform usernameJFROG_IDE_PASSWORD
- JFrog Platform passwordJFROG_IDE_ACCESS_TOKEN
- JFrog Platform access token
Notes:
- If your JFrog Platform instance uses a domain with a self-signed certificate, add the certificate to IDEA as described here.
- From JFrog Xray version 1.9 to 2.x, IntelliJ IDEA users connecting to Xray from IntelliJ are required to be granted the βView Componentsβ action in Xray.
- From JFrog Xray version 3.x, as part of the JFrog Platform, IntelliJ IDEA users connecting to Xray from IntelliJ require βReadβ permission. For more information, see here.
Apply Xray Policies
You can configure the JFrog IntelliJ IDEA Plugin to use the security policies you create in Xray. Policies enable you to create a set of rules, in which each rule defines security criteria, with a corresponding set of automatic actions according to your needs. Policies are enforced when applying them to Watches.
If you'd like to use a JFrog Project that is associated with the policy, follow these steps:
- Create a JFrog Project, or obtain the relevant JFrog Project key.
- Create a Policy on JFrog Xray.
- Create a Watch on JFrog Xray and assign your Policy and Project as resources to it.
- Configure your Project key in the plugin settings: under Settings (Preferences) | Other Settings, click JFrog Global Configuration and go to the Settings tab.
If however your policies are referenced through Xray Watches, follow these steps instead:
- Create one or more Watches on JFrog Xray.
- Configure your Watches in the plugin settings: under Settings (Preferences) | Other Settings, click JFrog Global Configuration and go to the Settings tab.
Using the Plugin
After the JFrog Plugin is installed, a new JFrog panel is added at the bottom of the screen. Opening the JFrog panel displays two views:
- The Local view displays information about the local code as it is being developed in the IDE. JFrog Xray continuously scans the project's dependencies and source code locally. The information is displayed in the Local view.
- The CI view allows the tracking of the code as it is built, tested and scanned by the CI server. It displays information about the status of the build and includes a link to the build log on the CI server.
The Local View
The JFrog IntelliJ IDEA Plugin continuously scans your project's dependencies with JFrog Xray and displays this information under the Local view. It allows developers to view vulnerability information about their dependencies and source code in their IDE. With this information, a developer can make an informed decision on whether to use a component or not before it gets entrenched into the organizationβs product.
Scanning a Project
Scan your project by clicking the Run Scan button. After the scan is done, a list of vulnerable files will appear.
Each descriptor file (like pom.xml in Maven, go.mod in Go, etc.) in the list contains vulnerable dependencies, and each dependency contains the vulnerabilities themselves.
By right-clicking on a dependency line, you can jump to the dependency's declaration in the descriptor file (if it's a direct dependency), or to direct dependencies that depend on the vulnerable component (if any).
By right-clicking on a vulnerability line, you can create an Ignore Rule in Xray.
Creating Ignore Rules is only available when a JFrog Project or Watch is defined.
Viewing Vulnerability Details
Clicking a vulnerability in the list will open the vulnerability details view. This view contains information about the vulnerability, the vulnerable component, fixed versions, impact paths and much more.
Contextual Analysis
Requires Xray version 3.66.5 or above and Enterprise X / Enterprise+ subscription with Advanced DevSecOps.
Xray automatically validates some high and very high impact vulnerabilities, such as vulnerabilities that have prerequisites for exploitations, and provides contextual analysis information for these vulnerabilities, to assist you in figuring out which vulnerabilities need to be fixed.
Contextual Analysis data includes:
- Contextual Analysis status: Contextual Analysis results indicating if a CVE was found applicable in your application or not applicable.
- Contextual Analysis breakdown: An explanation provided by our research team as to why the CVE was found applicable or not applicable.
- Remediation: Contextual mitigation steps and options provided by our research team that assist you with remediating the issues.
Severity Icons
The icon demonstrates the top severity issue of a selected component and its transitive dependencies. The following table describes the severities from highest to lowest:
Icon | Severity |
---|---|
Critical | |
High | |
Medium | |
Low | |
Unknown | |
Not Applicable |
The CI View
The JFrog IntelliJ IDEA Plugin allows you to view information about your builds directly from your CI system. This allows developers to keep track of the status of their code, while it is being built, tested and scanned as part of the CI pipeline, regardless of the CI provider used.
This information can be viewed inside IntelliJ IDEA, from the JFrog Panel, under the CI tab.
The following details can be made available in the CI view:
- Status of the build run (passed or failed)
- Build run start time
- Git branch and latest commit message
- Link to the CI run log
- Security information about the build artifacts and dependencies
How Does It Work?
The CI information displayed in IDEA is pulled by the JFrog IDEA Plugin directly from JFrog Artifactory. This information is stored in Artifactory as part of the build-info, which is published to Artifactory by the CI server. Read more about build-info in the Build Integration documentation page. If the CI pipeline is also configured to scan the build-info by JFrog Xray, the JFrog IDEA Plugin will pull the results of the scan from JFrog Xray and display them in the CI view as well.
Setting Up CI Integration
Set up your CI pipeline to expose information, so that it is visible in IDEA as described here.
Next, follow these steps:
- Under Settings (Preferences) | Other Settings, click JFrog Global Configuration. configure the JFrog Platform URL and the user you created.
- Under Settings (Preferences) | Other Settings, click JFrog CI Integration. Set your CI build name in the Build name pattern field. This is the name of the build published to Artifactory by your CI pipeline. You have the option of setting * to view all the builds published to Artifactory.
- Click Apply and open the CI tab under the JFrog panel at the bottom of the screen and click the Refresh button.
Android Studio Support for JCEF
The JFrog IntelliJ IDEA Plugin uses JCEF (Java Chromium Embedded Framework) to create a webview component in the plugin's tool window.
Most IntelliJ-based IDEs use a boot runtime that contains JCEF by default.
Android Studio and some older versions of other IntelliJ-based IDEs use a boot runtime that doesn't contain JCEF by default, and therefore the plugin can't be loaded in them.
To solve this issue, open the "Choose Boot Runtime for the IDE" dialog where you can change the boot runtime to one that contains JCEF.
Troubleshooting
The JFrog IntelliJ IDES Plugin uses the IntelliJ IDEA log files. By default, the log level used by the plugin is INFO.
You have the option of increasing the log level to DEBUG. Here's how to do it:
- Go to Help | Diagnostic Tools | Debug Log Settings...
- Inside the Custom Debug Log Configuration window add the following line:
#com.jfrog.ide.idea.log.Logger
To see the Intellij IDEA log file, depends on the IDE version and OS as described here, go to Help | Show/reveal Log in Explorer/finder/Konqueror/Nautilus.
Reporting Issues
Please report issues by opening an issue on Github.
Contributions
We welcome community contribution through pull requests. To help us improve this project, please read our Contribution guide.
Release Notes
The release notes are available on Marketplace.