Qodana 2024.1 Help

Vulnerability checker

Relying on third-party software in your projects can become a source of vulnerability. To prevent security issues arising from external packages, you can analyze your project using the vulnerability checker tool available in the Qodana for JVM, Qodana for .NET Qodana for Python, Qodana for Go, and Qodana for JS (only npm packages) linters starting from version 2023.2. This tool is designed using the Checkmarx (c) data to check Gradle, Maven, NPM and PyPI dependencies for known vulnerabilities and let you manage such cases by getting the information about vulnerable dependencies. Based on that, you can also take immediate action to address vulnerabilities by quickly migrating to a safe and stable version of the package without known vulnerability issues.

The vulnerability checker doesn't send information about packages to the JetBrains server in cleartext form. It sends only hashed names of packages. We never log or process hashes we don't have in our database. Thus, we don't analyze your proprietary or confidential packages.

This feature is available under the Ultimate Plus license and its trial version and provides the following Qodana inspections:

Inspection

Description

VulnerableLibrariesGlobal

Check the project for vulnerable dependencies

VulnerableCodeUsagesInspection

Check whether your JVM-based project uses vulnerable APIs

VulnerableApi

Check whether your .NET project uses vulnerable APIs, enabled by default

GoVulnerableCodeUsages

Check whether your Golang project uses vulnerable APIs

NpmVulnerableApiCode

Check whether your JavaScript project uses vulnerable APIs

PyVulnerableApiCode

Check whether your Python project uses vulnerable APIs

How it works

To analyze your code using the vulnerability checker, in the qodana.yaml file, enable inspections from the table above. For example, for the VulnerableLibrariesGlobal inspection it will be:

include: - name: VulnerableLibrariesGlobal

After your project is analyzed, you can update the packages containing vulnerabilities to versions where such vulnerabilities are fixed, or switch to alternative packages.

Last modified: 25 April 2024