Uploaded by Jesus Tarabini

CxSAST IntelliJ IDE Plugin Guide

v8.4.2 to v8.9.0

This document is non-binding and for information purposes only


Contents

CxSAST IntelliJ IDE Plugin Overview
Setting Up the CxSAST IntelliJ Plugin
Running a Scan from IntelliJ
Retrieving Scan Results in IntelliJ
Understanding IntelliJ Scan Results
Scans Triggered from IntelliJ
    Defining Scans as Private
    Defining Projects as Private
Configuring Projects as Private

CxSAST IntelliJ IDE Plugin Overview
IntelliJ is a Java integrated development environment (IDE) for developing computer software.
The IDE provides features such as context-aware code completion, code navigation (jumping
directly to a class or declaration in the code), code refactoring, and suggestions for fixing
inconsistencies. It also integrates with build/packaging tools such as Grunt, Gradle, and SBT, and
supports version control systems such as Git, Mercurial, Perforce, and SVN. IntelliJ supports
plugins through which additional functionality can be added to the IDE.

The CxSAST IntelliJ plugin is installed in the IntelliJ IDEA development environment, and
enables:

- Uploading an IntelliJ project's code to CxSAST directly from IntelliJ.

- An interactive interface for viewing scan results in the IntelliJ environment. This
  interface has several advantages over the regular CxSAST web interface:
  - You can make changes to the code as you view the vulnerabilities, in the locations
    indicated by the scan results, without needing to switch between applications.
  - The Results pane (Graph view) displays full paths with their intersections, rather
    than just the first and last elements of each vulnerability instance.
  - The Results pane, Graph view highlights the elements where fixes can be most
    efficiently applied.

For a list of supported environments please refer to the relevant CxSAST release notes.

Contents:

- Setting Up the CxSAST IntelliJ Plugin
- Running a Scan from IntelliJ
- Scan Results in IntelliJ
- Scans Triggered from IntelliJ

Setting Up the CxSAST IntelliJ Plugin
The instructions below refer to local installation of the CxSAST IntelliJ Plugin. It is also possible
to make the IntelliJ plugin centrally available to organizational IDE users, so they can link to it.
Upon plugin updates, the organizational IDE users will be automatically prompted to update. For
details, search "IntelliJ idea Enterprise Plugin Repositories".

To install and configure the CxSAST IntelliJ Plugin:

1. Download the CxSAST IntelliJ Plugin zip archive.

2. In IntelliJ, go to File and click Settings.

3. Select Plugins and click Install plugin from disk.

4. Navigate to the downloaded IntelliJ plugin ZIP file archive and click OK.

5. Click OK and restart IntelliJ.

6. In IntelliJ, go to File and click Settings.

7. From Other Settings, select CxViewer Preferences.

8. Type the path to the CxSAST server in the Server URL field (for example,
   http://<server_name>).

9. Add your CxSAST user credentials or select the "Use Current User" option (if the SSO feature is
   active).

10. Click Apply and Test Connection.

11. Click OK.

Running a Scan from IntelliJ

To run a code scan from IntelliJ for a code project or one of its folders or files:

1. In IntelliJ, right-click the project, folder, or file, and select CxViewer > Scan.

2. Select a Project Name and Preset.

3. Select the relevant user Team from the Team drop-down.

4. Define whether the Project/Scan should be Private (not visible to others) or Public.

5. Perform one of the following scan options:

   - Full Scan - Run a full scan of the whole project, or of the selected folder or file.

   - Incremental Scan - Run an incremental scan of only the new and modified files within a
     project or folder that was previously scanned.

The project is uploaded to the CxSAST server and scanned. Scan progress appears at the bottom
of the IntelliJ window, and also in the CxSAST web interface queue.

Once the scan is complete, results open automatically.

Retrieving Scan Results in IntelliJ

To retrieve and view the latest scan results in IntelliJ:

1. In IntelliJ, right-click the project, folder, or file, and select CxViewer > Retrieve Results.

2. Select the relevant project.

The selected project's results are displayed in the CxViewer.

Understanding IntelliJ Scan Results

When you view scan results in IntelliJ, CxSAST provides an interactive interface for navigating
the results:

In addition to the regular IntelliJ code pane (default position: upper-left), the CxViewer interface
includes four panes with different levels of information. You can drill down from a comprehensive list
all the way down to the actual code elements, by moving through the panes in the following order:

Queries (lower-left pane) - Each item in the list is a specific type of vulnerability for which CxSAST
queries the scanned code, with the number of found instances of that vulnerability. The queries are
sorted by code language and severity.

Clicking the AppSec Coach icon takes you to AppSec Coach, our interactive learning platform, where
you can learn about code vulnerabilities, why they happen, and how to eliminate them. Once there,
select a tutorial and start sharpening your skills.

AppSec Coach™

AppSec Coach provides developers with a new in-context learning platform that sharpens the skills
they need to fix vulnerabilities and write secure code. This new approach makes AppSec learning an
engaging experience, more effective, with a fast learning curve. This version includes a free edition of
AppSec Coach, covering:

- 3 lessons: SQL Injection (SQLi), Cross-site scripting (XSS), XML Injection (XXE)

- 6 languages: Java, .Net, PHP, Node.JS, Ruby, Python

A full and paid version is expected for upcoming versions and will include 20+ lessons and additional
languages.

Clicking ( ? ) displays comprehensive information about this vulnerability type, including risk details, a
description of the cause and mechanism, recommendations for avoiding the vulnerability and source
code examples.

Select a query to view found instances in the Results pane:

Results (lower-right pane) - Displays the found instances of the query that is selected in the Queries
pane in the following two formats:

- Graph (left tab in Results pane) - Graphical display of first and last code elements of each
  found instance, with the relationships between them.

- Results (right tab in Results pane) - Tabular list of found instances and details. The
  highlighted instance's code element details appear at the top. You can navigate the results
  using the pagination control.

Select an instance node (Graph tab) or an instance check box (Results tab) to change the
following states:

Results State - useful for disregarding false positives or just for planning what issues to handle:

- To Verify (default) - instance requires verification (i.e. by an authorized user)

- Not Exploitable - instance has been confirmed as not exploitable (i.e. false positive).
  Instances defined with this state are not represented in the scan summary, graph, reports or
  dashboard, etc.

- Proposed Not Exploitable - instance has been proposed as not exploitable (i.e. potential
  false positive). Instances defined with this state are represented in the scan summary, graph,
  reports or dashboard, etc. until such a time that the state is changed to "Not Exploitable".

- Confirmed - instance has been confirmed as exploitable and requires handling

- Urgent - instance has been confirmed as exploitable and requires urgent handling

Severity (High, Medium, Low and Info) - useful for defining the priority level of the selected issue.

Assign to User - useful for planning who should handle the selected issue.

Click Comments to add a comment to an instance. This metadata is maintained for the project when
performing future scans and for instances that continue to be found.

Click Save Scan Subset for selected instances to appear in the results list as an independent result
set.

Click to obtain a URL to this results interface with the instance immediately selected.
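The result states, the per-instance metadata (state, assignee, comments) that the guide says is kept for instances found again in later scans, and the rule that Not Exploitable instances drop out of the summary while Proposed Not Exploitable ones remain, modelled in Python. This is an added example, not code from the plugin or from Checkmarx; matching instances across scans by (query, attack-vector path), the data shapes, the sample scans and the function names are assumptions made here.

```python
# Added illustration of the result states and triage metadata described in
# the guide; it is not Checkmarx plugin code. Instance matching by
# (query, attack-vector path) and all data shapes below are assumptions.
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# States and severities as named in the guide.
STATES = ("To Verify", "Not Exploitable", "Proposed Not Exploitable",
          "Confirmed", "Urgent")
SEVERITIES = ("High", "Medium", "Low", "Info")

PathElement = Tuple[str, int, str]  # (file, line, element name)


@dataclass(frozen=True)
class Instance:
    """One found instance of a query, with its triage metadata."""
    query: str
    path: Tuple[PathElement, ...]   # the attack vector shown in the Path pane
    severity: str
    state: str = "To Verify"        # the default state
    assignee: Optional[str] = None
    comments: Tuple[str, ...] = ()

    def __post_init__(self) -> None:
        # Reject states or severities the guide does not define.
        if self.state not in STATES:
            raise ValueError(f"unknown result state: {self.state!r}")
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {self.severity!r}")

    def key(self) -> Tuple[str, Tuple[PathElement, ...]]:
        # Assumed identity of an instance across scans: same query, same path.
        return (self.query, self.path)


def carry_forward(previous: List[Instance], current: List[Instance]) -> List[Instance]:
    """Copy state, assignee and comments from the previous scan onto instances
    of the current scan that are found again; new instances keep the defaults."""
    prev_by_key: Dict[tuple, Instance] = {inst.key(): inst for inst in previous}
    merged = []
    for inst in current:
        old = prev_by_key.get(inst.key())
        if old is None:
            merged.append(inst)
        else:
            merged.append(replace(inst, state=old.state, assignee=old.assignee,
                                  comments=old.comments))
    return merged


def counted_instances(instances: List[Instance]) -> List[Instance]:
    """Not Exploitable instances are left out of the summary, graph and
    reports; Proposed Not Exploitable ones still count until confirmed."""
    return [inst for inst in instances if inst.state != "Not Exploitable"]


def scan_summary(instances: List[Instance]) -> Dict[str, int]:
    """Instance count per severity, in the guide's severity order."""
    counts = Counter(inst.severity for inst in counted_instances(instances))
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def queries_view(instances: List[Instance]) -> List[Tuple[str, str, int]]:
    """Queries-pane style list: (query, severity, count), sorted by severity."""
    counts = Counter((inst.query, inst.severity) for inst in counted_instances(instances))
    return sorted(((q, s, n) for (q, s), n in counts.items()),
                  key=lambda item: (SEVERITIES.index(item[1]), item[0]))


# Constructed sample data: yesterday's triaged scan and today's raw scan.
SQLI_PATH = (("Dao.java", 42, "name"), ("Dao.java", 58, "executeQuery"))
XSS_PATH = (("Web.java", 10, "param"), ("Web.java", 12, "println"))

PREVIOUS_SCAN = [
    Instance("SQL_Injection", SQLI_PATH, "High", state="Not Exploitable",
             comments=("parameter is an enum validated upstream",)),
    Instance("Reflected_XSS", XSS_PATH, "Medium", state="Confirmed", assignee="alice"),
]
CURRENT_SCAN = [
    Instance("SQL_Injection", SQLI_PATH, "High"),             # found again
    Instance("Reflected_XSS", XSS_PATH, "Medium"),            # found again
    Instance("XXE", (("Xml.java", 7, "parse"),), "High"),     # new this scan
]

if __name__ == "__main__":
    merged = carry_forward(PREVIOUS_SCAN, CURRENT_SCAN)
    for inst in merged:
        print(inst.query, inst.state, inst.assignee, inst.comments)
    print(scan_summary(merged))
    print(queries_view(merged))
```

Because the matching key includes the full path, an instance whose attack vector changes between scans is treated as new and returns to To Verify; that is a consequence of the assumed key, not a documented behaviour of the plugin.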

Path (upper-right pane) - Displays the full path of code elements that constitute the vulnerability
instance that is selected in the Results pane. This path represents the full attack vector for the
vulnerability instance.

Select an instance in the Results pane (Results or Graph tab) and view its attack vector in the Path
pane.

Select a code element in the Path pane to view it in its code context, in the Source Code pane (see
below).

Source Code (upper-left pane) - Displays the source code files.

Highlights the code line containing the element that is selected in the Path pane.

Scans Triggered from IntelliJ

Developers who work in an integrated development environment (IDE) such as IntelliJ with the
CxSAST IntelliJ plugin, as part of a much larger development project managed in source control,
would sometimes prefer to scan their code before uploading it to their source control repository.

The CxSAST IntelliJ plugin allows the developer to scan the code from within the IntelliJ project.
When scanning code from the CxSAST IntelliJ plugin, the scanned code is always the local
code, which resides in the IntelliJ project, regardless of the CxSAST project's Location type
(Local/Shared/Source Control). This implies that projects can now contain scans of different
location types, and the location type can be viewed as a scan property.

Usually, scan results of local code have no relevance to the entire team, and we would like to
limit their visibility to the scan owner only. Furthermore, results of "interim scans", namely
scans carried out while the code is still being worked on during the work day, are likely to
adversely affect the count of daily issues, because issues "detected" through these scans may
well be resolved later on, before the code is uploaded to the source control repository at the
end of the day.

If the user chooses not to make the scan results visible to other users - in other words, to make
the scan private - the scan will only be visible to the following entities:

- The scan's owner (the user)
- Users with CxAdmin privileges
- Users whose location in the hierarchy is higher than that of the user

The CxSAST IntelliJ plugin provides the user with two ways to achieve this behavior:

1. Define the scan as private from within a public project.

2. Define the project as private, namely: making all of the project's scans non-visible to other
   users.

NOTE: The operations described in this page must be carried out by a user with the appropriate
credentials in the CxSAST server. To ensure you have such credentials, see Setting Up the CxSAST
IntelliJ Plugin.

Defining Scans as Private


The process of defining scans as private takes place within IntelliJ.

To define a scan as private in a new public project:

1. Right-click a locally stored project.

2. Select CxViewer > Scan.

3. Right-click to display the dialog box Create or Select a Project.

   As no project with the same name exists in the Server, a new project is created in the server for
   this scan, and you are allowed to select a preset and a team.

   By default, the check box Project is private is selected. If this setting remains unchanged, all
   scans within the project are private.

4. To define the scan as a private scan within a public project, clear the check box Project is
   private.

5. Leave the default setting Scan is private.

To define a scan as private in an existing project:

1. Go to CxViewer > Scan.

2. Right-click to display the dialog box Create or Select a Project.

   The scan is added to an existing project in the Server. If the project is private, the scan will be
   private (non-modifiable). If the project is public, the only modifiable property is the default
   definition of the scan as private, which can be changed by clearing the check box Scan is
   private.

Defining Projects as Private


Take from above.

To define a project as private:

Making a project private means that all of the project's scan results are not visible to other users
and will only be visible to the following entities:

- The scan's owner (the user)
- Users with Server Manager privileges
- Users whose location in the hierarchy is higher than that of the user.

These users can only read or delete private projects defined in lower hierarchy levels, and they
cannot edit or modify these projects.

Configuring Projects as Private


Developers who would like to create a project that would be used as a draft, and whose scan
results are never shown to other users, can make a one-time decision to make the project
private, that is: defining that all of the project's scans are not visible to other users.

Defining a project as private can be carried out only when creating a new project from an IDE.
This example refers to the relevant environment.

To define the project as private:

1. Right-click the project's name.

2. Click CxViewer > Scan. (This will always create a new Cx project.)

3. In the Upload Source dialog box that appears, clear the check box Make project scan
   results visible to other users.

Making a project private means that all of the project's scan results are not visible to other users
and will only be visible to the following entities:

- The scan's owner (the user)
- Users with Server Manager privileges
- Users whose location in the hierarchy is higher than that of the user.

These users can only read or delete private projects defined in lower hierarchy levels,
and they cannot edit or modify these projects.
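The visibility rules for private scans and private projects described in this section and in Scans Triggered from IntelliJ (owner, privileged users, users higher in the hierarchy; read or delete but no edit for the latter), as an added Python model. It is not Checkmarx code: slash-separated team paths, the cx_admin and server_manager flags, the sample users and projects, the function names, and the owner keeping edit rights on their own private project are assumptions of the example.

```python
# Added model of the private scan / private project visibility rules in the
# guide; it is not Checkmarx code. Team paths as slash-separated strings, the
# role flags and the function names are assumptions made for this example.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class User:
    name: str
    team: str                     # e.g. "CxServer/Company/Backend" (constructed format)
    cx_admin: bool = False        # "Users with CxAdmin privileges"
    server_manager: bool = False  # "Users with Server Manager privileges"


@dataclass(frozen=True)
class Scan:
    scan_id: int
    owner: User
    private: bool


@dataclass
class Project:
    name: str
    owner: User
    private: bool                 # a private project makes all of its scans private
    scans: List[Scan] = field(default_factory=list)


def is_higher_in_hierarchy(viewer: User, subject: User) -> bool:
    """True when the viewer's team is a strict ancestor of the subject's team."""
    viewer_parts = viewer.team.split("/")
    subject_parts = subject.team.split("/")
    return (len(viewer_parts) < len(subject_parts)
            and subject_parts[:len(viewer_parts)] == viewer_parts)


def _privileged_reader(viewer: User, owner: User) -> bool:
    # The guide names CxAdmin for private scans and Server Manager for private
    # projects; both flags are treated as privileged readers here.
    return (viewer.cx_admin or viewer.server_manager
            or is_higher_in_hierarchy(viewer, owner))


def can_view_scan(viewer: User, project: Project, scan: Scan) -> bool:
    """Public scans in public projects are visible to everyone. A private scan,
    or any scan of a private project, is visible only to its owner, privileged
    users and users higher in the hierarchy than the owner."""
    if not (scan.private or project.private):
        return True
    return viewer == scan.owner or _privileged_reader(viewer, scan.owner)


def private_project_permissions(viewer: User, project: Project) -> Set[str]:
    """Rights on a private project: higher-hierarchy and privileged users may
    read or delete it but not edit it. The owner keeping full rights is an
    assumption; the guide does not spell it out."""
    if not project.private:
        raise ValueError("these rules apply to private projects only")
    if viewer == project.owner:
        return {"read", "edit", "delete"}
    if _privileged_reader(viewer, project.owner):
        return {"read", "delete"}
    return set()


def visible_scans(viewer: User, project: Project) -> List[int]:
    """Scan ids of the project that the viewer is allowed to see."""
    return [s.scan_id for s in project.scans if can_view_scan(viewer, project, s)]


# Constructed users and projects.
ALICE = User("alice", "CxServer/Company/Backend")
BOB = User("bob", "CxServer/Company/Backend")    # same team, no privileges
CAROL = User("carol", "CxServer/Company")        # one level above alice
DAVE = User("dave", "CxServer/Other")            # unrelated branch
ADMIN = User("admin", "CxServer", cx_admin=True)

PUBLIC_PROJECT = Project("api", ALICE, private=False, scans=[
    Scan(1, ALICE, private=False),
    Scan(2, ALICE, private=True),     # private scan inside a public project
])
DRAFT_PROJECT = Project("api-draft", ALICE, private=True, scans=[
    Scan(3, ALICE, private=False),    # private anyway: the project is private
])

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL, DAVE, ADMIN):
        print(user.name, visible_scans(user, PUBLIC_PROJECT),
              visible_scans(user, DRAFT_PROJECT),
              sorted(private_project_permissions(user, DRAFT_PROJECT)))
```

A practitioner checking a deployment against these rules would compare the model's answers for a same-team colleague (bob) and a parent-team user (carol): the former must not see private scans at all, the latter may see and delete the draft project but not modify it.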
