Qodana 2023.2 Help

Vulnerability checker

Relying on third-party software in your projects can become a source of vulnerability. To prevent security issues arising from external packages, you can inspect your project using the vulnerability checker tool available in the Qodana for JVM, Qodana for Python, Qodana for Go, and Qodana for JS (only npm packages) linters starting from version 2023.2. This tool is designed using the Checkmarx (c) data to check Gradle, Maven, NPM and PyPI dependencies for known vulnerabilities and let you manage such cases by getting the information about vulnerable dependencies. Based on that, you can also take immediate action to address vulnerabilities by quickly migrating to a safe and stable version of the package without known vulnerability issues.

The vulnerability checker doesn't send information about packages to the JetBrains server in cleartext form. It sends only hashed names of packages. We never log or process hashes we don't have in our database. Thus, we don't analyze your proprietary or confidential packages.

This feature is available under the Ultimate Plus license and its trial version.

How it works

To inspect your code using the vulnerability checker, in the qodana.yaml file, enable the VulnerableLibrariesGlobal inspection:

include: - name: VulnerableLibrariesGlobal

After your project is inspected, you can update the packages containing vulnerabilities to versions where such vulnerabilities are fixed, or switch to alternative packages.

Last modified: 02 November 2023