IntelliJ IDEA 2023.3 Help

Vulnerable dependencies

Large and complex projects usually have a number of third-party dependencies that enhance productivity by extending the functionality of common libraries and frameworks.

However, relying on third-party code raises security concerns, as it may involve the use of vulnerable dependencies in your project.

The bundled IntelliJ IDEA Package Checker plugin is powered by application security leader Checkmarx. The plugin analyzes Gradle, Maven, NPM, PyPI, and NuGet dependencies for known vulnerabilities and lets you manage such cases by getting the information about a vulnerable dependency and update it to the newly released version.

Enable the Package Checker plugin

This functionality relies on the Package Checker plugin, which is bundled and enabled in IntelliJ IDEA by default. If the relevant features aren't available, make sure that you didn't disable the plugin.

  1. Press Ctrl+Alt+S to open the IDE settings and then select Plugins.

  2. Open the Installed tab, find the Package Checker plugin, and select the checkbox next to the plugin name.

Find vulnerable dependencies

Show vulnerable dependencies in the editor

  1. Open pom.xml or build.gradle in the editor.

    The IDE highlights packages that are considered vulnerable.

  2. Place the caret at a highlighted package and press Alt+Enter to see the suggested fixes. They may suggest updating to a safe version, visiting the Checkmarx website to learn more about a particular vulnerability, or ignoring the vulnerability.

Change dependency

Analyze code to find all vulnerable dependencies

In addition, you can run an inspection to display the list of all declared and imported vulnerable dependencies in the project.

  • In the main menu, go to Code | Analyze Code and click Show Vulnerable Dependencies.

  • Alternatively, right-click a folder or a file in the Project tool window Alt+1 (for example, pom.xml or build.gradle) and select Analyze Code | Show Vulnerable Dependencies.

The result is displayed on the Vulnerable Dependencies tab of the Problems tool window (View | Tool Windows | Problems or Alt+6) .

Vulnerable Dependencies

For each vulnerability, you can see an indication of the severity. Click a specific dependency to see more information about the vulnerabilities that were found in that dependency.

Ignore vulnerabilities

Ignored vulnerabilities are added to a list in inspection settings. If required, you can share the profile with this list with other members of your team.

  1. Open pom.xml or build.gradle in the editor, place the caret at a highlighted package, and press Alt+Enter.

  2. From the list of suggestions, select Ignore vulnerable <package name and version>, and in the dialog that opens, select a reason for ignoring the dependency. Click Ignore.

    Ignoring vulnerability

To access the list with ignored vulnerabilities, press Ctrl+Alt+S to open the IDE settings and then select Editor | Inspections. Expand the Security node and click Vulnerable declared dependency. The list is located in the Options section in inspection details.

Learn how to share inspection profiles from Synchronize profiles between computers.

Find vulnerable APIs

The Vulnerable API usage inspection automatically highlights vulnerable APIs and open-source libraries right in your code. You can also run the inspection manually to get a report about all vulnerable APIs and open-source libraries in your project.

Show vulnerable APIs in the editor

  1. Hover over the detected problem in the editor.

    A popup with vulnerability details appears.

    Show vulnerable APIs in the editor
  2. Place the caret at the problem, press Alt+Enter, and select Go to file with declared dependency.

    You will be taken to the file in which the dependency is defined.

  3. Place the caret at a highlighted package and press Alt+Enter to see the suggested fixes. They may suggest updating to a safe version, visiting the Checkmarx website to learn more about a particular vulnerability, or ignoring the vulnerability.

Analyze code to find all vulnerable APIs

  1. In the main menu, go to Code | Analyze Code | Run Inspection by Name or press Ctrl+Alt+Shift+I.

  2. Type Vulnerable API usage and double-click the inspection to open the dialog with settings.

  3. Select the scope of files that you want to analyze.

    The File mask(s) option helps you narrow down the number of files that will be inspected. Specify a pattern of characters and wildcards that matches the names of files you want to analyze. Use a comma to separate multiple file masks.

  4. Click OK to run the inspection.

The result appears in the Problems tool window (View | Tool Windows | Problems or Alt+6) from which you can navigate to the file with declared vulnerable dependencies, suppress the inspection, or generate a report.

Report false positives

If you believe that a dependency identified as vulnerable is safe, you can report a false positive.

  1. Click a dependency on the Vulnerable Dependencies tab of the Problems tool window (View | Tool Windows | Problems or Alt+6) to open its description.

  2. Locate the vulnerability that you want to report and click Report false positive.

    You will see a notification with confirmation.

Report false vulnerable dependency

Configure Security inspections

You can change severity of the Security inspections, enable and disable them, and configure problem highlighting in settings.

  1. Press Ctrl+Alt+S to open the IDE settings and then select Editor | Inspections.

  2. From the options on the right, select the Security node and select the name of the inspection.

    Change the severity, scope, and highlighting as needed. Click OK to save the changes.

Last modified: 22 February 2024