
Ensure Greater Software Security With Package Analysis by Checkmarx in IntelliJ IDEA

Today we are happy to announce the partnership between JetBrains, a global software vendor that creates professional software development tools and advanced collaboration solutions, and Checkmarx, a global leader in developer-centric application security testing (AST) solutions.

Checkmarx SCA (Software Composition Analysis) is now integrated directly into JetBrains IntelliJ IDEA Ultimate through the Package Checker plugin. Thanks to the plugin, developers will now be provided with security information about open source packages included directly or indirectly in their code, allowing them to address security concerns during development instead of in production.

“Over five million developers around the world use IntelliJ IDEA Ultimate to rapidly create and deliver the applications their organizations need,” said Checkmarx Chief Product Officer Razi Sharir. “Including powerful application security testing right in their development environment minimizes friction with modern application development workflows and makes it easier to secure those applications before they are compiled, rather than waiting for deployment to identify vulnerabilities. Checkmarx is proud to work with JetBrains to bring our two market-leading solutions together to create a big win for the developer community.”

Said Dmitry Jemerov, Head of Product for IntelliJ IDEA: “The Java ecosystem has recently experienced several major vulnerabilities affecting extremely broadly used frameworks, including Log4J and Spring. We’re glad we can provide our users with tools that can highlight the use of vulnerable dependencies in their projects and update to a secure version with just a few keystrokes.”

How does it work?

Starting with the recently released version 2022.1, IntelliJ IDEA Ultimate can now detect vulnerabilities in Maven or Gradle dependencies used in a project by checking them against the Checkmarx SCA Database and the National Vulnerability Database.

While developers write their code, the IDE highlights packages that are known to be vulnerable. Currently, the plugin inspects both directly declared and transitively imported dependencies for known vulnerabilities and suggests fixes where available.

To see inspections, a developer should enable Security Inspections in Preferences / Settings | Editor | Inspections | Security.

They can also see a list of all the issues in their project in a dedicated tool window without having to open the files where they are declared.

This list can be seen by running Code | Analyze Code | Show Vulnerable Dependencies.
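To make concrete what a software composition analysis pass does behind the IDE highlights (resolve declared and transitive Maven/Gradle coordinates, match each against an advisory table with version ranges, and propose the first fixed version), here is a small added example. It is not code from the plugin, Checkmarx or JetBrains; the advisory table, the `org.example` coordinates, the placeholder advisory ids and the transitive dependency metadata are all constructed for illustration, and the version comparison handles plain dotted numeric versions only.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Coord:
    """A Maven/Gradle coordinate: group:artifact:version."""
    group: str
    artifact: str
    version: str

    def __str__(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_coord(text: str) -> Coord:
    group, artifact, version = text.strip().split(":")
    return Coord(group, artifact, version)


def parse_version(version: str) -> tuple:
    # Plain numeric dotted versions only; enough for the constructed sample data.
    return tuple(int(part) for part in version.split("."))


# Constructed advisory table with placeholder ids (not NVD or Checkmarx data):
# (group, artifact) -> list of (first_vulnerable, first_fixed, advisory_id).
ADVISORIES = {
    ("org.example", "logging-core"): [("2.0.0", "2.17.0", "EXAMPLE-0001")],
    ("org.example", "web-mvc"): [("5.3.0", "5.3.18", "EXAMPLE-0002")],
}

# Constructed dependency metadata: what each library pulls in transitively,
# standing in for the POM files a real resolver would download.
TRANSITIVE = {
    parse_coord("org.example:app-framework:1.4.0"): [
        "org.example:logging-core:2.14.1",
        "org.example:json:1.0.0",
    ],
    parse_coord("org.example:web-mvc:5.3.10"): ["org.example:json:1.0.0"],
}


def resolve(declared: list) -> dict:
    """Walk the dependency graph breadth-first.

    Returns {Coord: path}, where path lists the coordinates from the declared
    dependency down to this one. The first path found wins, which mirrors
    Maven's nearest-wins rule for the toy data here.
    """
    resolved = {}
    queue = deque((parse_coord(d), []) for d in declared)
    while queue:
        coord, parents = queue.popleft()
        if coord in resolved:
            continue
        path = parents + [str(coord)]
        resolved[coord] = path
        for child in TRANSITIVE.get(coord, []):
            queue.append((parse_coord(child), path))
    return resolved


def is_affected(coord: Coord, first_vulnerable: str, first_fixed: str) -> bool:
    """True when first_vulnerable <= version < first_fixed."""
    v = parse_version(coord.version)
    return parse_version(first_vulnerable) <= v < parse_version(first_fixed)


def find_vulnerable(declared: list) -> list:
    """Match every resolved dependency against the advisory table."""
    findings = []
    for coord, path in resolve(declared).items():
        advisories = ADVISORIES.get((coord.group, coord.artifact), [])
        for first_vulnerable, first_fixed, advisory_id in advisories:
            if is_affected(coord, first_vulnerable, first_fixed):
                findings.append({
                    "coordinate": str(coord),
                    "advisory": advisory_id,
                    "kind": "declared" if len(path) == 1 else "transitive",
                    "via": " -> ".join(path),
                    "fix": f"{coord.group}:{coord.artifact}:{first_fixed}",
                })
    return findings


if __name__ == "__main__":
    # Constructed build file content: three declared dependencies.
    declared = [
        "org.example:app-framework:1.4.0",
        "org.example:web-mvc:5.3.10",
        "org.example:json:1.0.0",
    ]
    for finding in find_vulnerable(declared):
        print(finding)
```

Running it reports two findings: `web-mvc:5.3.10` as a declared dependency and `logging-core:2.14.1` as a transitive one reached through `app-framework`. The `via` path matters for the transitive case, because the fix there is usually to upgrade the parent library or to pin the transitive artifact to the fixed version in the build file rather than to edit a line that does not exist in your own dependency list.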

Please note that currently the security checks are available inside the IDE only if the developer has a license for IntelliJ IDEA Ultimate or the All Products Pack, and this license was obtained through their JetBrains Account.

Thanks to the package analysis by Checkmarx, developers worldwide can now build more secure code right in their favorite IDE.
