SCA Scan for JetBrains

Veracode SCA Scan for JetBrains is a plugin for the IntelliJ IDEA and PyCharm IDEs that integrates Veracode Software Composition Analysis (SCA) into your Software Development Lifecycle (SDLC). The plugin performs SCA agent-based scans of your project to detect vulnerabilities in open-source libraries and the risk level of third-party licenses. For vulnerabilities, it also provides guidance for fixing security issues from within your IDE.

For information on using Veracode Greenlight in IntelliJ IDEA, see Veracode Greenlight for IntelliJ.

Supported IDEs

  • IntelliJ 2022.2.2 or greater
  • PyCharm 2022.1 or greater

Supported languages and frameworks

See Agent-Based Scan Language Support Matrix.

Prerequisites

Before you can install and use Veracode SCA Scan for JetBrains, you must have:

  • A human user account with the Security Lead, Workspace Administrator, Workspace Editor, or Submitter role.
  • Stored your API credentials in an API credentials file. The plugin uses these credentials to authenticate with Veracode, not the SCA agent token.
  • Obtained a Veracode SCA subscription.
  • Ensured that the SCA workspace My Workspace has an available project slot. The plugin can only use My Workspace.
  • Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as SRCCLR_NO_GIT=1.
  • Installed a supported IDE.
  • Installed a supported package manager.
  • If you use a proxy to access Veracode, ensure you have configured a proxy in your IDE. You cannot configure a proxy in the Veracode plugin. For more information, see the docs for IntelliJ IDEA or PyCharm.

Install the plugin

You install the plugin from the JetBrains Marketplace.

Note: You can only install the plugin on one machine. If you install it on multiple machines, it might fail to authenticate with Veracode.

To complete this task:

  1. Go to the JetBrains Marketplace.
  2. Search for veracode.
  3. Select Veracode SCA Scan for JetBrains.
  4. Select Install and follow the on-screen instructions.
  5. Restart your IDE.
  6. Follow the on-screen instructions to authenticate with Veracode and install a local SCA agent. This SCA agent is specific to the plugin and does not affect any other local SCA agents.

By default, the plugin detects your API credentials file and authenticates with Veracode to confirm your credentials are valid. If you added the credentials file after installing the plugin and the SCA agent, click Test Authentication to confirm your API credentials are valid. If your API credentials are invalid or expired, you can generate new credentials.

Scan your project

You use the plugin to analyze the security risk of all open-source libraries and licenses in your project. The scan results are only available in the IDE and from a command prompt. You cannot view them in the Veracode Platform.

To complete this task:

  1. Open a supported project in your IDE.
  2. On the left menu bar, select Veracode SCA Scan.
  3. In the Veracode SCA Scan window, select Scan Project and wait for the scan to complete.
  4. Review the results on the Vulnerabilities and Licenses tabs.

Review vulnerabilities

You can review the discovered vulnerabilities for all open-source libraries in your project to see detailed information about the impacted libraries, the vulnerability risk level, and guidance for fixing each vulnerability.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In your IDE, select Veracode SCA Scan.

  2. Select the Vulnerabilities tab. In the Vulnerable dependencies pane, the libraries with the most and highest-risk vulnerabilities are at the top of the list.

  3. To see the total number of detected vulnerabilities categorized by risk level, and the scan completion date, select Scan Summary.

  4. To filter the list of vulnerable dependencies, select one or more severities from the Severity dropdown menu. The severity indicates the risk level of a vulnerability.

  5. To only show vulnerable dependencies that your project uses directly, select Direct Only. By default, the Vulnerable dependencies pane lists both direct and transitive (indirect) libraries. The following icons indicate the library usage:

      • Direct icon: The library is a direct dependency that your project uses directly. Your project configuration file, such as package.json in an NPM project or pom.xml in a Maven project, has a reference to this library. To fix a vulnerability in a direct dependency, update the library version in the project configuration file and rebuild the project.
      • Transitive icon: The library is a transitive dependency that your project uses indirectly through another dependency. For example, if your project configuration file has a reference to a direct library and that library has a dependency on a library not referenced in the configuration file, your project indirectly depends on that other library. If the transitive library has a vulnerability, your project is vulnerable. To fix a vulnerability in a transitive library, add a new direct reference in your project configuration file to a safe version of the library. To check if the new dependency causes any errors, such as breaking the build or showing unexpected results, rebuild and test the project.

  6. In the Vulnerable dependencies pane, select a library. The vulnerabilities for the selected library appear in the Vulnerabilities in pane.

  7. In the Vulnerabilities in pane, select a vulnerability. The following information about the selected vulnerability appears in the right pane:

  8. To view additional details about the selected library, select Dependency details. The right pane shows the latest version available, the known safe version, whether it has vulnerable methods, and a link for additional information in the Veracode Vulnerability Database.

  9. After you fix a vulnerability, select Scan Project to rescan the project and confirm that the affected library no longer has that vulnerability.

    For example, if a library in an NPM project has a vulnerability, and you update the library in the package.json file to a safe version, select Scan Project to confirm that the vulnerability no longer appears in the list of vulnerable dependencies.
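
The direct and transitive distinction in step 5 can be checked by hand against an NPM lockfile. The following is an added example, not part of the Veracode plugin or its documentation: it classifies a library and lists the direct dependencies that pull it in. The package names, versions, and the resolve and usageOf helpers are constructed for illustration, and the lockfile is assumed to use the lockfileVersion 3 "packages" layout.

```javascript
// Constructed sample data: hypothetical package names, lockfileVersion 3 layout.
const pkgJson = { dependencies: { "web-framework": "^2.0.0", "left-util": "^1.0.0" } };
const lock = { lockfileVersion: 3, packages: {
  "": { dependencies: pkgJson.dependencies },
  "node_modules/web-framework": { version: "2.1.0",
    dependencies: { "query-parser": "^1.2.0", "left-util": "^1.0.0" } },
  "node_modules/query-parser": { version: "1.2.3", dependencies: { "deep-merge": "^0.4.0" } },
  "node_modules/deep-merge": { version: "0.4.1" },
  "node_modules/left-util": { version: "1.0.2" },
} };

// Find the installed copy of `dep` visible from `fromPath`: look in the nearest
// node_modules folder first, then walk up toward the project root.
function resolve(packages, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Classify `target` as direct, transitive or absent, and list the direct
// dependencies whose dependency trees pull it in.
function usageOf(pkgJson, lock, target) {
  const packages = lock.packages;
  const direct = Object.keys({ ...pkgJson.dependencies, ...pkgJson.devDependencies });
  const via = [], versions = new Set();
  for (const root of direct) {
    const start = resolve(packages, "", root);
    if (!start) continue;
    if (root === target) versions.add(packages[start].version);
    const seen = new Set([start]), queue = [start];
    let reaches = false;
    while (queue.length) {
      const path = queue.shift();
      const deps = { ...packages[path].dependencies, ...packages[path].optionalDependencies };
      for (const dep of Object.keys(deps)) {
        const next = resolve(packages, path, dep);
        if (!next) continue;
        if (dep === target) { reaches = true; versions.add(packages[next].version); }
        if (!seen.has(next)) { seen.add(next); queue.push(next); }
      }
    }
    if (reaches) via.push(root);
  }
  const usage = direct.includes(target) ? "direct" : via.length ? "transitive" : "absent";
  return { usage, via, versions: [...versions] };
}

console.log(usageOf(pkgJson, lock, "deep-merge"));
```

A library can be both declared directly and pulled in by another dependency; in that case usage is "direct" and via names the other dependencies that also require it.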

Review open-source licenses

You can review a list of all open-source licenses, the libraries that use these licenses, and the license risk level. Your organization uses this information when deciding whether it needs to change a license to a safe version.

Before you begin:

Ensure you have scanned your project.

To complete this task:

  1. In your IDE, select Veracode SCA Scan.
  2. Select the Licenses tab.
  3. Scroll through the list of detected licenses to see the names, versions, and license risk. The licenses with the highest risk level appear at the top of the list.
  4. Expand a license to see the libraries that use it.