IDE Plugins

Security Reviewer provides plugins for the following Integrated Development Environment (IDE) platforms:

Visual Studio

The Security Reviewer Visual Studio Extension scans source code written in C#, VB.NET, C/C++, VB 16-bit and 32-bit, ASP, ASPX, JavaScript, VBScript, HTML and SQL, directly from Visual Studio. The plugin works with all programming languages supported by Security Reviewer.

Beyond source code, the Visual Studio plugins process all configuration files (XML, XSD, XPath, .cfg, .config, .ini, XAML, JSON, etc.), binaries (DLL, EXE, OCX, ActiveX) and libraries (64 of the most widely used .NET libraries and 52 JavaScript frameworks), detecting weaknesses hidden inside them and assessing potential vulnerabilities according to the OWASP, PCI-DSS, WASC, CVE, CVSS and CWE-SANS international standards.

The following are available: a Visual Studio Code 1.39 extension for Windows, macOS and Linux; add-ins for Visual Studio 6.0, 2003, 2005, 2008, 2010, 2012 and 2013; and plugins for Visual Studio 2015, 2017, 2019 and 2022.

In the Security Reviewer View you can find the Analysis results:

In Visual Studio Code it looks like:


On the left side, the Analysis Results tree list shows all stored analyses.

On the right side, each Vulnerability Category displays the number of issues found (Results tab).

Clicking a Vulnerability Category's Description (for example Cross Site Scripting) lists all vulnerabilities belonging to that Category.

Double-clicking a File Name opens the related source file and highlights the vulnerable source line.

For each Vulnerability, split into Dead Code/Best Practices and Security issues, you can find: Line number, File Name, CWE or OWASP Vulnerability Category and Description, and WASC-ID. The Tip (a suggestion on how to quickly remediate the issue) is displayed on the status bar, together with the CVSS risk level (from 1 to 10).

The Tip can also be displayed separately, by pressing the icon or the related Remediation tab.

A Violation Path, i.e. the tree of source lines that generate the violation, can be displayed by pressing the icon or the related Violation Path tab.

You can change the Source Code Folder by pressing the icon.

You can export the results as a Zip file by pressing the icon (Zip Results Folder).

You can import results from a Zip file by pressing the icon (UnZip Results Folder).

You can filter the results by closing the Deadcode or Security View, or by Severity using the All Violations, Blocker, Critical, Major, Minor and Info buttons.

You can sort the Analysis Results tree list by Project Name or by Audit Date by pressing the icon.

You can refresh the Security Reviewer View by pressing the icon.

Visual Studio Code

The Static Reviewer Visual Studio Code plugin is a standard Extension that provides results browsing directly inside the IDE. You can navigate through the vulnerabilities discovered by the Security Reviewer Desktop, CLI, Team Reviewer, GitLab or Jenkins plugins.

This Extension provides:

  • Linking VS Code to the static analysis results produced by the Jenkins and GitLab Static Reviewer plugins.

  • An interactive interface for viewing scan results in the Visual Studio Code environment.

  • You can make changes to the code as you view the vulnerabilities at the locations indicated by the scan results, without needing to switch between applications.

  • The extension displays full paths with their intersections, rather than just the first and last elements of each vulnerability instance.

  • The extension highlights the elements where fixes can be most efficiently applied.

Eclipse, Rational RTC, RSA and RAD Studio

The Security Reviewer PostSpy plugin for Eclipse, Rational RTC, RSA and RAD Studio shares the same interface and scans source code written in Java, JSP, JavaScript and SQL, directly from Eclipse, IBM Rapid Application Developer (RAD), IBM Rational Team Concert (RTC) and IBM Rational Software Architect (RSA). Beyond source code, PostSpy processes all configuration files (XML, XSD, XPath, .cfg, .conf, .yml, JSON, etc.), binaries (JAR, WAR, EAR) and frameworks (115 of the most widely used Java frameworks and 52 JavaScript frameworks), detecting weaknesses hidden inside them and assessing potential vulnerabilities according to the OWASP, PCI-DSS, WASC, CVE, CVSS and CWE-SANS international standards.

PostSpy is an open source project, published on GitHub.

Scanning

You can scan your source code directly inside Eclipse:

It invokes Static Reviewer Desktop either locally (requires Static Reviewer to be preinstalled) or remotely (requires Team Reviewer and the Static Server Plugin for Team Reviewer):

Once you have analyzed your application, the results are available directly in Eclipse through the Security Reviewer View.

Security Reviewer View

In the Security Reviewer view you can find the Analysis results:

Double-clicking a row opens the related source file and highlights the vulnerable source line.

For each violation, split into Deadcode and Security issues, you can find: File Name, source code line number, CWE or OWASP vulnerability category and description, and a Tip suggesting a way to remediate. The CVSS risk level (from 1 to 10) is also displayed.

You can change the Source Code Folder by pressing the icon.

You can export the results as a Zip file by pressing the icon (Zip Results Folder).

You can filter the results by closing the Deadcode or Security View, or by Severity using the Severity buttons.

Fortify View

This plugin can import Micro Focus Fortify FPR files, which contain the static analysis results of a Fortify scan, for comparison or integration with Security Reviewer's results.

To see the issues for a particular category, select the category and click List issues; a table with the issues will be shown. From there you can jump to the code by right-clicking a row.

NetBeans Plugin

The NetBeans plugin lets you navigate directly from an issue to the code without leaving your IDE.

You can retrieve previously stored issues, or you can run a local analysis.

JetBrains Plugin

Currently the plugin is built to work in:

  • IntelliJ IDEA

  • RubyMine

  • WebStorm

  • PhpStorm

  • PyCharm

  • AppCode

  • Android Studio

with any programming language supported by Security Reviewer.

Two tasks are covered by the plugin:

  • Listing the results of previously analyzed code and showing the issues in your IDE

  • Running a script that performs a local analysis to find issues in your local code

COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.