Find vulnerable and malicious dependencies

1. Open go.mod in the editor.

   The IDE highlights dependencies that are considered vulnerable.

2. Place the caret at a highlighted dependency and press AltEnter to see the suggested fixes. They may suggest updating to a safe version, visiting the OSV website to learn more about a particular vulnerability, or ignoring the vulnerability.

In addition, you can run an inspection to display the list of all declared and imported vulnerable dependencies in the project.

• In the main menu, navigate to Code | Analyze Code | Vulnerable Dependencies.

The result is displayed on the Vulnerable Dependencies tab of the Problems tool window (View | Tool Windows | Problems or Alt06) .

For each vulnerability, you can see an indication of the severity. Click a specific dependency to see more information about the vulnerabilities that were found in that dependency.

Ignored vulnerabilities are added to a list in inspection settings. If required, you can share the profile with this list with other members of your team.

1. Open go.mod in the editor, place the caret at a highlighted dependency, and press AltEnter.

2. From the list of suggestions, select Ignore vulnerable <dependency name and version>, and in the dialog that opens, select a reason for ignoring the dependency. Click Ignore.

   

To access the list with ignored vulnerabilities, press CtrlAlt0S to open the IDE settings and then select Editor | Inspections. Expand the Security node and click Vulnerable declared dependency. The list is located in the Options section in inspection details.

Learn how to share inspection profiles from Synchronize profiles between computers.

If you believe that a dependency identified as vulnerable is safe, you can report a false positive.

1. Click a dependency on the Vulnerable Dependencies tab of the Problems tool window (View | Tool Windows | Problems or Alt06) to open its description.

2. Locate the vulnerability that you want to report and click Report false positive.

   You will see a notification with confirmation.

• Open a file in which NPM or PyPI dependencies are declared.

  The IDE highlights the dependencies that are considered malicious.

It is recommended that you remove the detected dependencies. Malicious dependencies data is provided by OSV.dev.

note

This feature is only available for Git and Mercurial.

1. Press Alt00 to open the Commit tool window and click Show Commit Options .

2. Enable the Check malicious dependencies option.

You can change the severity of the Security inspections, enable and disable them, and configure problem highlighting in settings.

1. Press CtrlAlt0S to open settings and then select Editor | Inspections.

2. From the options on the right, select the Security node and select the name of the inspection.

   Change the severity, scope, and highlighting as needed. Click OK to save the changes.