Catching Vulnerabilities Instantly in Your IntelliJ IDEA Environment

This is a guest blog post from Brian Vermeer, Developer Advocate at Snyk

Developers practically live in their integrated development environment (IDE). An IDE like IntelliJ IDEA is in most cases an essential tool for developers to help make development more productive and creative.

A recent survey run by Snyk revealed that 81% of respondents believe developers should own the security responsibility of their applications. However, many developers are unsure of where to start with security.

In reality, most companies still work with a dedicated security team, which performs company-wide audits rather than integrating security responsibilities as part of the core development team.

DevSecOps: A modern approach to security

The DevSecOps approach helps development teams create code and be responsible for its behavior in production. In addition, development teams also treat security as part of their day-to-day work. Ideally, all team members should have security expertise and share responsibility for security.

To test for security during the development process, there are basic tools and tasks that developers should add to their ongoing responsibilities. During application development, developers are always looking for libraries and frameworks that can help achieve their goal. If a library can handle certain boilerplate aspects, a developer can focus on the custom business logic.

The only problem is—what happens if a dependency is included in the pom file? In many major enterprise applications, once a dependency is included in a pom file, it stays in the file forever, even if the dependency is not used anymore in the code. These unused dependencies are still available in your program and might contain exploitable vulnerabilities. Overall, whether a dependency is used or not, developers should verify whether it is safe to include in their system.

Shifting security left

It’s important that we shift security testing for vulnerable dependencies from right to left. In so doing, our testing would occur before we even commit our code to our project repository. Developers should check whether a dependency version is safe to include when it is first introduced, in addition to the checks that developers run prior to production. By scanning dependencies when first added to the codebase, we eliminate the unnecessary code reworking that otherwise might be necessary when upgrading to a newer version. Upgrading a dependency, as we all know, may require code alterations. So the fastest and most efficient approach is to avoid adding vulnerable dependencies in your projects by scanning your dependencies at the very moment you add them.

Testing your dependencies with Snyk

At Snyk we can provide you with tools to scan your project for vulnerable dependencies. We match your dependencies against our own proprietary vulnerability database, which includes all the “Common Vulnerabilities and Exposures” (CVE) list, and much more. Our security team enriches the Snyk vulnerability database with many more vulnerable dependencies that do not have associated CVE entries, but can cause just as much harm to your system.

If you like command line tools, install the Snyk CLI locally to run snyk_test from your terminal window. Use the CLI from within IntelliJ IDEA or from a separate terminal. This provides you with all the information you need about security vulnerabilities in your dependencies. But if you’d prefer a fully integrated solution into your IDE, we’ve got you covered.

The Snyk IntelliJ IDEA plugin

According to the 2018 JVM Ecosystem survey, IntelliJ IDEA is the most-used IDE in the Java community, with 45% of respondents stating that they use IntelliJ IDEA.

Snyk offers an integrated plugin that works on both the IntelliJ IDEA community and paid offerings. This plugin scans your Maven dependencies for vulnerabilities while you code. No need to use the terminal anymore.

Installing the plugin is easy. Go to Preferences > Plugins and search for “Snyk”. The Snyk Vulnerability Scanning plugin pops up from that view. Follow the instructions and you are good to go.

image1

The Snyk plugin is located as a tab in the bottom right-hand corner of your screen. Refresh your Maven dependencies to run the scan and see if you have vulnerable dependencies.

If there are vulnerabilities, click details to view the Snyk vulnerability page. This page provides more insight into the nature of the issue and displays the severity score.

image4

image5

Even more impressive is when you have a transitive dependency with a vulnerability. The plugin displays the full dependency tree step by step, including the direct dependency and the vulnerable transitive dependency.

image2

Click the vulnerability to automatically jump to the pom file dependency declaration. This can be extremely useful when your pom file has a lot of dependencies. Now you can either choose to upgrade the direct dependency or exclude the vulnerable transitive dependency.

The Snyk plugin also provides a suggested upgrade if one is available. This is shown in green. The version is not necessarily the newest version of that dependency but is the first available version that solves the specific vulnerability. When clicking on the green remediation advice, the recommended dependency tree up to the specific fixed transitive dependency is displayed.

image3

Plugins for PMD, checkstyle and findbugs help you write better code. Use the Snyk plugin to instantly see if a dependency you introduced has one or more vulnerabilities.

The Snyk plugin for IntelliJ IDEA is a powerful addition that helps you to avoid using vulnerable dependencies. With Snyk, you can write better, more secure software, without leaving your favorite IDE.

About Zlata Kalyuzhnaya

IntelliJ IDEA Marketing Manager at JetBrains. twitter: @ZlataKalyuzhnay ‏
This entry was posted in Guest Post and tagged . Bookmark the permalink.

12 Responses to Catching Vulnerabilities Instantly in Your IntelliJ IDEA Environment

  1. Gerry says:

    Unfortunately it doesn’t work with Gradle projects (yet).

  2. Dragos says:

    Any plans on supporting Gradle and npm/yarn?

  3. Mark Kennedy says:

    is it bytecode-based? source-based? both? how does it play with scala?

    • Brian Vermeer says:

      It is based on manifesto files so for this plugin, it looks at you pom file.
      Basically, the only thing we send over the line is your dependency tree.

  4. Christopher Rucinski says:

    Looking at the blog post by Snyk [1], they state that this plugin is built “on top of the JVM” and they they plan on supporting Gradle soon!

    1 – https://snyk.io/blog/intellij-plugin/

  5. Tim van der Leeuw says:

    Would be even more interesting if it would also support vulnerability checking for Node / NPM packages.

    • Brian Vermeer says:

      Hi Tim,
      We do support vulnerability checking for npm and yarn package. Only not in this particular ide plugin.
      If you would use our CLI tool or connect your repo to our system we scan you npm packages instantly. Give it a try: https://snyk.io/docs/using-snyk/

  6. Charlie Hayes says:

    It would be more intellij-like for the tool to automatically upgrade the dependencies and/or add the sub-dependency exclusion and override automatically.

    • Brian Vermeer says:

      That depends, sure we can create this and that maybe is even a good feature to add.
      On the other hand, you are the developer and only you can decide if you want to exclude a certain transitive dependency or upgrade it.

      We do however give you the option of auto fix PR if you connect your repo to our system.

Leave a Reply to Christopher Rucinski Cancel reply

Your email address will not be published. Required fields are marked *