These instructions explain how to scan source code with the static analysis plug-in after it has been installed in the Eclipse, IntelliJ IDEA, or Visual Studio integrated development environment (IDE). In Eclipse and IntelliJ IDEA, you can scan Java projects; in Visual Studio, you can scan .NET projects (C#, ASP.NET, VB.NET).
Before you begin
By default, third-party code is not included when scanning Java and .NET. You can change the third-party code exclusion settings by following the instructions in Managing third-party Java and .NET exclusions.
- To include third-party code when scanning in Eclipse, IntelliJ IDEA, or Visual Studio, use one of these methods:
  - Alternately, when scanning in Eclipse, modify your eclipse.ini file before you start Eclipse so that the -vmargs section includes -DthirdParty.
  - Alternately, when scanning in IntelliJ IDEA, modify the idea.exe.vmoptions file in the bin directory of your IntelliJ IDEA installation before you start IntelliJ IDEA: add -DthirdParty to the file and save it.
If you are a developer of third-party code that would normally be
included in a scan, you should use the setting to include the third-party code.
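The two file edits above are easy to get wrong (in eclipse.ini only the lines below the -vmargs marker reach the JVM, and a duplicated option clutters the file). The following POSIX shell helpers, an added example that is not part of the plug-in or its documentation, apply the -DthirdParty setting idempotently and verify its placement before the IDE is started; the file paths and the sample eclipse.ini content are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the plug-in's own tooling. Paths are supplied by the caller.

# eclipse.ini: every line after "-vmargs" is passed to the JVM, one option per line.
# Insert -DthirdParty directly below that marker; create the section if it is absent.
ensure_eclipse_third_party() {
    ini="$1"
    grep -qx -- '-DthirdParty' "$ini" && return 0        # already configured, nothing to do
    if grep -qx -- '-vmargs' "$ini"; then
        awk '{ print } /^-vmargs$/ { print "-DthirdParty" }' "$ini" > "$ini.tmp" \
            && mv "$ini.tmp" "$ini"
    else
        printf '%s\n%s\n' '-vmargs' '-DthirdParty' >> "$ini"
    fi
}

# IntelliJ IDEA *.vmoptions: a plain list of JVM options, so append the flag once.
ensure_idea_third_party() {
    opts="$1"
    grep -qx -- '-DthirdParty' "$opts" && return 0
    printf '%s\n' '-DthirdParty' >> "$opts"
}

# Pre-start check for eclipse.ini: succeeds only if -DthirdParty appears below
# -vmargs. Placed above the marker it is consumed by the launcher, not the JVM,
# and third-party code would silently stay out of the scan.
eclipse_third_party_enabled() {
    awk '/^-vmargs$/ { invm = 1; next }
         invm && /^-DthirdParty$/ { ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# Demonstration on a constructed eclipse.ini (sample content, not a real installation).
demo_dir=$(mktemp -d)
cat > "$demo_dir/eclipse.ini" <<'EOF'
-startup
plugins/org.eclipse.equinox.launcher.jar
-vmargs
-Xms256m
-Xmx1024m
EOF
ensure_eclipse_third_party "$demo_dir/eclipse.ini"
eclipse_third_party_enabled "$demo_dir/eclipse.ini" \
    && echo "eclipse.ini: third-party code will be included in the scan"
```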
Procedure
To scan source code and open assessments or reports:
- Ensure that the plug-in is installed in the IDE. If the IDE was open during installation, restart it.
- Select the item that you want to scan:
  - In Eclipse, select the project or projects that you want to scan. To scan an entire Eclipse workspace, select all projects.
  - In IntelliJ IDEA, select the project modules that you want to scan.
  - In Visual Studio, select the solutions, projects, or websites that you want to scan.
- Right-click the selection and select .
- The Login dialog box opens if you are not already logged in to the service. In the Login dialog box, type your service credentials: when you generate an API key in the Application Security on Cloud service, you receive a Key Id and a Key Secret; enter these values in the ID and Secret fields. If you have not yet generated an API key, follow the link in the dialog box to create one. When you log in to the service, an encrypted key file is created. This token file is then used by other actions when they interact with the ASoC service.
- After you launch the scan, Application Security on Cloud prompts you with a dialog box to choose the application to associate with the scan. Static analysis scans in your IDE must be associated with an existing Application Security on Cloud application.
- In the same dialog box, use the Personal scan checkbox to indicate whether the scan is a personal scan.
- The My Scans view opens after the scan is submitted.
- When the scan is complete, a notification opens with links to open Scan issues. In addition, the My Scans view is updated to include the scan. The view lists the scan name, status, start and end times, and the number and severity of vulnerabilities found.
- Scan issues: Select the link in the notification to open the result, or double-click the icon in the Scan issues column in the view (in Visual Studio, the result can also be opened from the system tray). This opens an interactive assessment that lists, by fix group, all non-compliant security issues discovered during the scan. A fix group represents the most common node that the grouped findings flow through. Typically, implementing a fix at a fix group gives the greatest effect for the least work. A fix group can also be seen as a logical grouping point at which related findings can be reviewed together. Note that a fix group is not necessarily the exact place where a fix should be made: future refactoring, coding practices, and other factors might preclude using the fix group location for the fix.
In the assessment:
- Each fix group displays the recommended fix location, a link that opens the source at that location, the vulnerability, and the number of occurrences of the vulnerability that will be fixed if the source code is corrected.
- If you select the vulnerability, a description of it opens (usually with examples and recommendations).
- If you select the Details button, the fix group opens to all findings that will be fixed if the source code is corrected. In the detailed view, selecting the source location opens it in the source editor, and selecting the trace icon opens a trace that displays the flow of data through the application.
Important: Interactive assessments (results) are not available in IntelliJ IDEA or for certain subscription levels.
- To open non-compliant issues for any application:
  Note: Non-compliant issues are those that fall outside the policies specified for the application in Application Security on Cloud.
  - Select .
  - If prompted, enter your service credentials.
  - Select the application from the drop-down list in the resulting dialog box and click OK.
Results
Important: Rescanning is not supported in integrated development environments.