IDE VulScanner Overview
This draft introduces DestinJiDee's IDE VulScanner, providing an overview of its powerful capabilities and a detailed look at the feature list within the SCA tool category.
APPSEC | 7/10/2024 | 2 min read


About
At DestinJiDee we believe in enabling developers through the shift-left principle. Our product IDE VulScanner is a project affiliated with OWASP and led by one of our directors. The product falls under the SCA (software composition analysis) tool category and enables developers to scan third-party dependencies within their favourite IDEs, i.e. IntelliJ and VSCode.
How does it work?
IDE VulScanner appears in the IDE's navbar once installed from the marketplace. Once a project is loaded and a scan is initiated, IDE VulScanner identifies the project's dependencies and checks them against known, publicly disclosed vulnerabilities. This tool can be part of the solution to OWASP Top 10 2013: A9 - Using Components with Known Vulnerabilities. Under the hood, it runs one of OWASP's flagship projects, Dependency-Check.
Feature list
The following is the detailed list of features offered as part of IDE VulScanner:
Offerings: Available as IDE plugins on common marketplaces such as JetBrains Marketplace and the Microsoft Visual Studio Marketplace (links in the References section).
Pricing: Our core product is free; premium services are offered on a freemium subscription basis.
Report: The report is generated using Velocity templates and contains the following details:
Dependency - the file name of the dependency scanned.
CPE - any Common Platform Enumeration identifiers found.
GAV - the Maven Group, Artifact, Version (GAV).
Highest Severity - the highest severity of any associated CVEs.
CVE Count - the number of associated CVEs.
CPE Confidence - a ranking of how confident dependency-check is that the CPE was identified correctly.
Evidence Count - the quantity of data extracted from the dependency used to identify the CPE.
Analyzer support: Scans Maven-based projects at present. Support for further key file analyzers, such as Node, Python and Ruby, is in progress and will be launched soon.
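The report fields listed above are exactly what a developer has to reason about after a scan: which dependencies are confidently matched to a CPE with serious CVEs, which matches are weak enough to be probable false positives, and whether the build should be allowed to proceed. The following is an added example, not IDE VulScanner's or Dependency-Check's own code, showing that triage over rows shaped like the listed columns (Dependency, CPE, GAV, Highest Severity, CVE Count, CPE Confidence, Evidence Count). The confidence labels, the sample rows, and the GAV/CPE values are all constructed for the example; the `dependency_delta` helper illustrates the idea behind incremental scans (only rescan dependencies whose GAV changed since the last run) and is likewise an assumption about how such a feature can be built, not a description of the product.

```python
"""Triage helper for a dependency-scan report (added example, not IDE VulScanner code).

Consumes rows shaped like the report columns the tool lists, ranks them by severity,
separates confident CPE matches from ones that need manual review, and applies a
pass/fail gate a developer (or CI job) can act on.
"""
from dataclasses import dataclass

# Qualitative CVSS severity scale, ranked so findings can be sorted and thresholded.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NONE": 0}
# CPE-match confidence labels (assumed for this example); a match below the cut-off
# is treated as a possible false positive rather than an actionable finding.
CONFIDENCE_RANK = {"HIGHEST": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0}


@dataclass(frozen=True)
class Finding:
    dependency: str        # file name of the scanned dependency
    cpe: str               # matched Common Platform Enumeration id, "" if none
    gav: str               # Maven group:artifact:version
    highest_severity: str  # highest severity among the associated CVEs
    cve_count: int         # number of associated CVEs
    cpe_confidence: str    # how confident the scanner is in the CPE match
    evidence_count: int    # amount of evidence used to identify the CPE


def parse_rows(rows):
    """Turn report rows (dicts keyed by the report's column names) into Findings,
    most severe first, ties broken by CVE count."""
    findings = []
    for row in rows:
        sev = (row.get("Highest Severity") or "NONE").upper()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for {row.get('Dependency')}")
        findings.append(Finding(
            dependency=row["Dependency"],
            cpe=row.get("CPE") or "",
            gav=row.get("GAV") or "",
            highest_severity=sev,
            cve_count=int(row.get("CVE Count") or 0),
            cpe_confidence=(row.get("CPE Confidence") or "").upper(),
            evidence_count=int(row.get("Evidence Count") or 0),
        ))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.highest_severity], f.cve_count), reverse=True)
    return findings


def triage(findings, fail_on="HIGH", min_confidence="HIGH"):
    """Bucket findings: actionable (confident match at or above fail_on), lower_priority
    (confident but below the threshold), needs_review (has CVEs but a weak CPE match)
    and clean (no CVEs)."""
    buckets = {"actionable": [], "lower_priority": [], "needs_review": [], "clean": []}
    for f in findings:
        if f.cve_count == 0:
            buckets["clean"].append(f)
        elif CONFIDENCE_RANK.get(f.cpe_confidence, -1) < CONFIDENCE_RANK[min_confidence]:
            buckets["needs_review"].append(f)
        elif SEVERITY_RANK[f.highest_severity] >= SEVERITY_RANK[fail_on]:
            buckets["actionable"].append(f)
        else:
            buckets["lower_priority"].append(f)
    return buckets


def scan_passes(findings, fail_on="HIGH", min_confidence="HIGH"):
    """Gate: True when no confidently matched dependency reaches the fail_on severity."""
    return not triage(findings, fail_on, min_confidence)["actionable"]


def dependency_delta(previous_gavs, current_gavs):
    """Incremental-scan helper: (added, removed) GAV sets since the previous run.
    Only the added set has to be scanned again; removed ones drop out of the report."""
    previous, current = set(previous_gavs), set(current_gavs)
    return current - previous, previous - current


# Constructed sample report rows: made-up artifacts, CPEs and counts, not real findings.
SAMPLE_ROWS = [
    {"Dependency": "example-core-1.0.jar", "CPE": "", "GAV": "com.example:example-core:1.0",
     "Highest Severity": "", "CVE Count": 0, "CPE Confidence": "", "Evidence Count": 12},
    {"Dependency": "example-lib-1.2.3.jar",
     "CPE": "cpe:2.3:a:example:example_lib:1.2.3:*:*:*:*:*:*:*",
     "GAV": "com.example:example-lib:1.2.3", "Highest Severity": "CRITICAL",
     "CVE Count": 3, "CPE Confidence": "HIGHEST", "Evidence Count": 18},
    {"Dependency": "util-helper-0.9.jar",
     "CPE": "cpe:2.3:a:util:helper:0.9:*:*:*:*:*:*:*",
     "GAV": "org.example:util-helper:0.9", "Highest Severity": "HIGH",
     "CVE Count": 1, "CPE Confidence": "LOW", "Evidence Count": 2},
    {"Dependency": "json-parser-4.0.1.jar",
     "CPE": "cpe:2.3:a:example:json_parser:4.0.1:*:*:*:*:*:*:*",
     "GAV": "com.example:json-parser:4.0.1", "Highest Severity": "MEDIUM",
     "CVE Count": 2, "CPE Confidence": "HIGH", "Evidence Count": 9},
]

if __name__ == "__main__":
    found = parse_rows(SAMPLE_ROWS)
    for bucket, items in triage(found).items():
        print(f"{bucket}: {[f.dependency for f in items]}")
    print("scan passes:", scan_passes(found))
```

Separating "needs_review" from "actionable" matters in practice: a CPE match backed by little evidence is the classic source of SCA noise, and treating it as a hard failure trains developers to ignore the tool. The thresholds are parameters so a team can start with `fail_on="CRITICAL"` and tighten over time.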
How is IDE VulScanner different?
The following are key differentiators when compared with other SCA tools on the market:
OWASP affiliation
Free core features
Brings code scanning to earlier stages of SDLC following Shift Left principles
Trusted reports drawn from reliable sources such as CVE and NIST
Incremental scans
Reduces the risk of discovering vulnerable components at a later stage of the SDLC
References
OWASP official page: https://owasp.org/www-project-ide-vulscanner/
JetBrains marketplace: https://plugins.jetbrains.com/plugin/21353-owasp-ide-vulscanner?noRedirect=true
Microsoft VSCode plugin: https://marketplace.visualstudio.com/items?itemName=DestinJiDee.owasp-idevulscanner&ssr=false#review-details
Publications: https://owasp.org/2023/10/26/owasp-ide-vulscanner