Relying on third-party software in your projects can become a source of vulnerability. To prevent security issues arising from external packages, you can inspect your project using the vulnerability checker tool available in the Qodana for JVM, Qodana for .NET Qodana for Python, Qodana for Go, and Qodana for JS (only
npm packages) linters starting from version 2023.2. This tool is designed using the Checkmarx (c) data to check Gradle, Maven, NPM and PyPI dependencies for known vulnerabilities and let you manage such cases by getting the information about vulnerable dependencies. Based on that, you can also take immediate action to address vulnerabilities by quickly migrating to a safe and stable version of the package without known vulnerability issues.
The vulnerability checker doesn't send information about packages to the JetBrains server in cleartext form. It sends only hashed names of packages. We never log or process hashes we don't have in our database. Thus, we don't analyze your proprietary or confidential packages.
This feature is available under the Ultimate Plus license and its trial version and provides the following Qodana inspections:
Check the project for vulnerable dependencies
Check whether your JVM-based project uses vulnerable APIs
Check whether your .NET project uses vulnerable APIs, enabled by default
Check whether your Golang project uses vulnerable APIs
Check whether your Python project uses vulnerable APIs
How it works
To inspect your code using the vulnerability checker, in the
qodana.yaml file, enable inspections from the table above. For example, for the
VulnerableLibrariesGlobal inspection it will be:
After your project is inspected, you can update the packages containing vulnerabilities to versions where such vulnerabilities are fixed, or switch to alternative packages.