Vulnerability checker
Relying on third-party software in your projects can become a source of vulnerability. To prevent security issues arising from external packages, you can analyze your project using the vulnerability checker tool available in the Qodana for JVM, Qodana for .NET Qodana for Python, Qodana for Go, and Qodana for JS (only npm
packages) linters starting from version 2023.2. This feature employs the OSV tool to check Gradle, Maven, NPM and PyPI dependencies for known vulnerabilities and let you manage such cases by getting the information about vulnerable dependencies. Based on that, you can also take immediate action to address vulnerabilities by quickly migrating to a safe and stable version of the package without known vulnerability issues.
The vulnerability checker doesn't send information about packages to the JetBrains server in a clear textual form. It sends only hashed names of packages. We never log or process hashes we don't have in our database. Thus, we don't analyze your proprietary or confidential packages.
This feature is available under the Ultimate Plus license and its trial version and provides the following Qodana inspections:
Inspection | Description |
---|---|
Check the project for vulnerable dependencies | |
Check whether your JVM-based project uses vulnerable APIs | |
| Check whether your .NET project uses vulnerable APIs, enabled by default |
Check whether your Golang project uses vulnerable APIs | |
Check whether your JavaScript project uses vulnerable APIs | |
Check whether your Python project uses vulnerable APIs |
How it works
To analyze your code using the vulnerability checker, in the qodana.yaml
file, enable inspections from the table above. For example, for the VulnerableLibrariesGlobal
inspection it will be:
After your project is analyzed, you can update the packages containing vulnerabilities to versions where such vulnerabilities are fixed, or switch to alternative packages.