IDE Plugins

Security Reviewer provides plugins for the following Integrated Development Environment (IDE) platforms:

Visual Studio and Visual Studio Code

The Security Reviewer Visual Studio Extension scans source code written in C#, VB.NET, C/C++, VB 16- and 32-bit, ASP, ASPX, JavaScript, VBScript, HTML and SQL, directly from Visual Studio. The Visual Studio Code extension works with all supported programming languages.

Beyond source code, the Visual Studio plugins process all configuration files (XML, XSD, XPath, .cfg, .config, .ini, XAML, JSON, etc.), binaries (DLL, EXE, OCX, ActiveX) and libraries (64 of the most used .NET libraries and 52 of the most used JavaScript frameworks), find and report weaknesses hidden inside them, and assess potential vulnerabilities according to the OWASP, PCI-DSS, WASC, CVE, CVSS and CWE-SANS international standards.

Plugins are available for Visual Studio Code 1.39 on Windows, macOS and Linux; for Visual Studio 2003, 2005, 2008, 2010, 2012 and 2013; and for Visual Studio 2015, 2017 and 2019.

In the Security Reviewer View you can find the Analysis results:

In Visual Studio Code it looks like:


On the left side, the Analysis Results tree list shows all stored analyses.

On the right side, each Vulnerability Category displays the number of issues found (Results tab).

By clicking a Vulnerability Category's Description (for example Cross Site Scripting), all vulnerabilities belonging to that Category are listed.

Double-clicking a File Name opens the related source file and highlights the vulnerable source line.

For each Vulnerability, separated into Dead Code-Best Practices and Security issues, you can find: line number, File Name, CWE or OWASP Vulnerability Category and Description, and WASC-ID. The Tip (a suggestion on how to quickly remediate the issue) is displayed on the status bar, as is the CVSS risk level (from 1 to 10).

The Tip (a suggestion on how to quickly solve the issue) can also be displayed separately, by pressing the icon or the related Remediation tab.

A Violation Path, i.e. the tree of source lines generating the violation, can be displayed by pressing the icon or the related Violation Path tab.

You can change the Source Code Folder by pressing the icon.

You can export the results as a Zip file by pressing the icon (Zip Results Folder).

You can import results from a Zip file by pressing the icon (UnZip Results Folder).

You can filter the results by closing the Deadcode or Security view, or by Severity using the All Violations, Blocker, Critical, Major, Minor and Info buttons.

You can sort the Analysis Results tree list by Project's Name or by Audit Date by pressing the icon.

You can refresh the Security Reviewer View by pressing the icon.

Eclipse, Rational RTC, RSA and RAD Studio

The Security Reviewer postSpy plugin for Eclipse, Rational RTC, RSA and RAD Studio shares the same interface and scans source code written in Java, JSP, JavaScript and SQL, directly from Eclipse, IBM Rapid Application Developer (RAD), IBM Rational Team Concert (RTC) and IBM Rational Software Architect (RSA). Beyond source code, postSpy processes all configuration files (XML, XSD, XPath, .cfg, .conf, .yml, JSON, etc.), binaries (JAR, WAR, EAR) and frameworks (115 of the most used Java frameworks and 52 of the most used JavaScript frameworks), finds and reports weaknesses hidden inside them, and assesses potential vulnerabilities according to the OWASP, PCI-DSS, WASC, CVE, CVSS and CWE-SANS international standards.

postSpy is an Open Source project, published on GitHub.

Security Reviewer View

In the Security Reviewer view you can find the Analysis results:

Double-clicking a row opens the related source file and highlights the vulnerable source line.

For each violation, separated into Deadcode and Security issues, you can find: File Name, source code line number, CWE or OWASP vulnerability category and description, and a Tip suggesting a way to remediate it. The CVSS risk level (from 1 to 10) is also displayed.

You can change the Source Code Folder by pressing the icon.

You can export the results as a Zip file by pressing the icon (Zip Results Folder).

You can filter the results by closing the Deadcode or Security view, or by Severity using the Severity buttons.

Fortify View

This plugin can import Micro Focus Fortify FPR files, which contain the static analysis results of a Fortify scan, for comparison or integration with Security Reviewer's results.

To see the issues for a particular category, select it and click List issues; a table with the issues is shown. From there you can jump to the code by right-clicking a row.

NetBeans Plugin

This plugin for NetBeans lets you navigate directly from an issue to the code without leaving your IDE.

You can retrieve issues or run a local analysis.

JetBrains Plugin

Currently the plugin is built to work in:

  • IntelliJ IDEA

  • RubyMine

  • WebStorm

  • PhpStorm

  • PyCharm

  • AppCode

  • Android Studio

with any programming language supported by Security Reviewer.

Two tasks are covered by the plugin:

  • Listing results of previously analyzed code and showing the issues in your IDE

  • Running a script to perform a local analysis to find issues in your local code

Software Composition Analysis IDE plugins

In Software Composition Analysis, source code matters for scripting languages only. All IDE extensions described above support Software Composition Analysis for the following languages:

  • JavaScript

  • TypeScript

  • Ruby

  • Groovy

  • Rust

  • PHP

  • Shell (ksh, csh, bash, sh and others)

  • PowerShell

  • Python

  • Lua

  • CoffeeScript

For other languages, library and framework issues are reported in the IDE plugins under OWASP A9 - Avoid Using Components with Known Vulnerabilities.

COPYRIGHT (C) 2014-2021 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.