IntelliJ IDEA 2023.2 Help

Vulnerable dependencies

Larger and more complex projects usually have a number of third-party dependencies that improve development productivity by extending the functionality of common libraries and frameworks.

However, relying on third-party code raises a security question: are any of the dependencies used in your project vulnerable?

The bundled IntelliJ IDEA Package Checker plugin, powered by Checkmarx, checks Gradle, Maven, NPM and PyPI dependencies for known vulnerabilities. It lets you manage such cases by showing information about a vulnerable dependency and by updating it to a newer, safe version.

Find vulnerable dependencies in the editor

  1. Open the necessary file, for example, pom.xml or build.gradle, in the editor.

    The IDE highlights packages that are considered vulnerable.

  2. Place the caret at a highlighted package and press Alt+Enter to see the suggested fixes. They may suggest updating to a safe version or visiting the Checkmarx website to learn more about a particular vulnerability.

Screenshot: Change dependency
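To make concrete what "highlights packages that are considered vulnerable" and "updating to a safe version" mean, here is an added example that is not part of the IntelliJ IDEA documentation or of the Package Checker plugin. It reads dependency coordinates from a Maven pom.xml and a Gradle build file, matches each coordinate against a small advisory list, and computes the lowest version that clears every advisory. All library names, versions and advisory ids (EXAMPLE-...) are constructed placeholders, and the half-open range rule (introduced <= version < fixed) is an assumption about how an advisory expresses affected versions; the plugin's real data comes from Checkmarx and is not reproduced here.

```python
"""Added example: a minimal vulnerable-dependency check over pom.xml and
build.gradle declarations. Every coordinate, version and advisory id in this
file is constructed for illustration; none refers to a real library or CVE."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional, Tuple


class Advisory(NamedTuple):
    advisory_id: str
    coordinate: str            # "group:artifact"
    introduced: Tuple[int, ...]  # first affected version (inclusive)
    fixed: Tuple[int, ...]       # first safe version (exclusive upper bound)
    severity: str


class Finding(NamedTuple):
    coordinate: str
    version: str
    advisory_id: str
    severity: str
    fixed_version: str


# Constructed advisory data (placeholders, not real advisories).
ADVISORIES: List[Advisory] = [
    Advisory("EXAMPLE-2023-0001", "org.example:json-util", (1, 0, 0), (1, 4, 2), "HIGH"),
    Advisory("EXAMPLE-2023-0002", "org.example:json-util", (1, 3, 0), (1, 5, 0), "CRITICAL"),
    Advisory("EXAMPLE-2022-0007", "com.example:net-client", (2, 0, 0), (2, 8, 1), "MEDIUM"),
]

# Constructed sample inputs.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>json-util</artifactId>
      <version>1.3.5</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>net-client</artifactId>
      <version>2.9.0</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'com.example:net-client:2.4.0'
    testImplementation("org.example:safe-lib:3.0.0")
}"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.4' -> (1, 4, 0); a '-qualifier' such as -SNAPSHOT is ignored for comparison."""
    core = text.split("-")[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    return parts + (0,) * (3 - len(parts))


def maven_dependencies(pom_xml: str) -> Dict[str, str]:
    """Return {'group:artifact': version} from a pom.xml string, ignoring the XML namespace."""
    deps: Dict[str, str] = {}
    for node in ET.fromstring(pom_xml).iter():
        if node.tag.split("}")[-1] != "dependency":
            continue
        fields = {child.tag.split("}")[-1]: (child.text or "").strip() for child in node}
        if {"groupId", "artifactId", "version"} <= fields.keys():
            deps[f"{fields['groupId']}:{fields['artifactId']}"] = fields["version"]
    return deps


# String-notation Gradle declarations such as: implementation 'g:a:v' or api("g:a:v")
GRADLE_DEP = re.compile(
    r"""^\s*(?:implementation|api|compileOnly|runtimeOnly|testImplementation)"""
    r"""\s*\(?\s*['"]([^:'"]+):([^:'"]+):([^'"]+)['"]""",
    re.MULTILINE,
)


def gradle_dependencies(build_gradle: str) -> Dict[str, str]:
    """Return {'group:artifact': version} for string-notation Gradle dependencies."""
    return {f"{g}:{a}": v for g, a, v in GRADLE_DEP.findall(build_gradle)}


def find_vulnerable(deps: Dict[str, str], advisories: List[Advisory] = ADVISORIES) -> List[Finding]:
    """Flag every (dependency, advisory) pair whose version falls in [introduced, fixed)."""
    findings: List[Finding] = []
    for coordinate, version in deps.items():
        parsed = parse_version(version)
        for adv in advisories:
            if adv.coordinate == coordinate and adv.introduced <= parsed < adv.fixed:
                findings.append(Finding(coordinate, version, adv.advisory_id, adv.severity,
                                        ".".join(map(str, adv.fixed))))
    return findings


def safe_upgrade(coordinate: str, advisories: List[Advisory] = ADVISORIES) -> Optional[str]:
    """Lowest version that clears all advisories for the coordinate: the 'update to a safe version' fix."""
    fixed = [adv.fixed for adv in advisories if adv.coordinate == coordinate]
    return ".".join(map(str, max(fixed))) if fixed else None


if __name__ == "__main__":
    for name, deps in (("pom.xml", maven_dependencies(SAMPLE_POM)),
                       ("build.gradle", gradle_dependencies(SAMPLE_GRADLE))):
        for f in find_vulnerable(deps):
            print(f"{name}: {f.coordinate}:{f.version} {f.severity} {f.advisory_id}"
                  f" -> upgrade to {safe_upgrade(f.coordinate)}")
```

The two real-world details this mirrors are that one dependency can match several advisories at once (json-util 1.3.5 here), so the suggested upgrade must clear all of them, and that a version above the fixed boundary (net-client 2.9.0) produces no finding even though the coordinate has a history of advisories.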

Change the inspection severity

You can change the severity of the inspection and make it, for example, "error" instead of "warning".

  1. Press Control+Alt+S to open the IDE settings and then select Editor | Inspections.

  2. From the options on the right, select the Security node and select the name of the inspection.

    Change the severity, scope, and highlighting as needed. Click OK to save the changes.

Analyze code to find all vulnerable dependencies

In addition, you can run an inspection to display the list of all (declared and imported) vulnerable dependencies in the project.

  • Go to Code | Analyze Code and click Show Vulnerable Dependencies.

  • Alternatively, right-click a file in the Project tool window (for example, pom.xml or build.gradle) and select Analyze Code | Show Vulnerable Dependencies.

The result is displayed on the Vulnerable Dependencies tab of the Problems tool window (View | Tool Windows | Problems or Alt+6).

Screenshot: Vulnerable Dependencies

For each vulnerability, you can see an indication of the severity. Click a specific dependency to see more information about the vulnerabilities that were found in that dependency.

Report false positives

If you believe that a dependency identified as vulnerable is safe, you can report a false positive.

  1. Click the required dependency on the Vulnerable Dependencies tab of the Problems tool window to open its description.

  2. Locate the vulnerability that you want to report and click Report false positive.

    A notification confirms that the report was sent.

Screenshot: Report false vulnerable dependency
Last modified: 07 September 2023