IntelliJ IDEA 2023.1 Help

Package analysis

Larger and more complex projects usually have number of third-party dependencies that help developing productivity, extending the common libraries and frameworks functionality.

However, relying on the third-party code arises the security issue whether or not you use vulnerable dependencies in your project.

The bundled IntelliJ IDEA Package Checker plugin that is powered by Checkmarx checks Gradle, Maven, NPM and PyPI dependencies for known vulnerabilities and lets you manage such cases by getting the information about a vulnerable dependency and update it to the newly released version.

While you are writing your code in the editor, the IDE will highlight packages that are considered vulnerable. The plugin inspects for vulnerable declared and vulnerable imported (transitive) dependencies and suggests fixes where available.

Change dependency

In addition, you can run an inspection to display the list of all vulnerable dependencies in the project.

Show vulnerable dependencies

  1. From the main menu, select Code | Analyze Code.

  2. In the list of options, select Show vulnerable dependencies.

    The result is displayed in the Dependency Checker tool window.

    Dependency Checker

    You can check the information about the listed vulnerable dependencies and update them to suggested versions.

You can change the severity of the inspection and make it "error" instead of "warning".

Change the inspection severity

  1. Press Ctrl+Alt+S to open the IDE settings and select Editor | Inspections.

  2. From the options on the right, select the Security node and select the name of the inspection.

    Security inspections

    Change the severity, scope, and highlighting as needed. Click OK to save the changes.

Last modified: 31 January 2023