The Red Hat Dependency Analytics (RHDA) plugin gives you awareness of security concerns within your software supply chain while you build your application. The Dependency Analytics plugin uses the Snyk REST API to query Snyk's Vulnerability Database for the most up-to-date vulnerability information available. Snyk uses industry-leading security intelligence, pulling from many data sources, to give you exact vulnerability information.
NOTE:
The Red Hat Dependency Analytics plugin is an online service hosted and maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the vulnerability report.
IMPORTANT:
Currently, Dependency Analytics only supports projects that use the Maven (`mvn`), Node (`npm`), Golang (`go mod`) and Python (`pip`) ecosystems.
In future releases, Red Hat plans to support other programming languages.
- Quick start
- Configuration
- Features
- Know more about the Red Hat Dependency Analytics platform
- Data and telemetry
- Support, feedback & questions
- License
Prerequisites
- For Maven projects, analyzing a `pom.xml` file, you must have the `mvn` binary in your IDE's `PATH` environment variable.
- For Node projects, analyzing a `package.json` file, you must have the `npm` and `node` binaries in your IDE's `PATH` environment variable.
- For Golang projects, analyzing a `go.mod` file, you must have the `go` binary in your IDE's `PATH` environment variable.
- For Python projects, analyzing a `requirements.txt` file, you must have the `python3` and `pip3` binaries in your IDE's `PATH` environment variable.
Procedure
- Install IntelliJ IDEA on your workstation.
- After the installation finishes, open the IntelliJ IDEA application.
- From the menu, click Settings, and click Plugins.
- Search the Marketplace for Red Hat Dependency Analytics.
- Click the INSTALL button to install the plugin.
- To start scanning your application for security vulnerabilities, and view the vulnerability report, do one of the following:
  - Open a manifest file, hover over a dependency flagged by the inline Component Analysis (a wavy red underline beneath the dependency), and click Detailed Vulnerability Report.
  - Right-click a manifest file in the Project window, and click Dependency Analytics Report.
- (OPTIONAL) You can link your Snyk account to Dependency Analytics by doing the following:
  - Log into your Snyk account.
  - On the account landing page, find your Snyk Token and copy it.
  - Set the Snyk token as the value of the `EXHORT_SNYK_TOKEN` environment variable in your IDE's environment. The token is an API credential for your Snyk account: keep it in the environment, not in project files that are committed to version control.
  - After adding your Snyk token, the vulnerability report gives you detailed information about security vulnerabilities unique to Snyk, and vulnerabilities that have publicly known exploits.
The Red Hat Dependency Analytics plugin has some configurable parameters that allows you to customize its behavior according to your preferences.
Procedure
- Open the IntelliJ IDEA application.
- From the menu, click Settings, and click Tools.
- Click Red Hat Dependency Analytics.
Configurable parameters
- Maven: Set the full path of the Maven executable, which allows Exhort to locate and execute the `mvn` command to resolve dependencies for Maven projects. The path of the `JAVA_HOME` directory is required by the `mvn` executable. If the paths are not provided, your IDE's `PATH` and `JAVA_HOME` environment variables will be used to locate the executables.
- Node: Set the full path of the Node executable, which allows Exhort to locate and execute the `npm` command to resolve dependencies for Node projects. The path of the directory containing the `node` executable is required by the `npm` executable. If the paths are not provided, your IDE's `PATH` environment variable will be used to locate the executables.
- Golang: Set the full path of the Go executable, which allows Exhort to locate and execute the `go` command to resolve dependencies for Go projects. If the path is not provided, your IDE's `PATH` environment variable will be used to locate the executable. When the `Strictly match package version` option is selected, the resolved dependency versions are compared to the versions specified in the manifest file, and you are alerted if any mismatch is detected.
- Python: Set the full paths of the Python executable and of the package installer for Python, which allows Exhort to locate and execute the `pip3` commands to resolve dependencies for Python projects. The Python 2 executables `python` and `pip` can be used instead, if the `Use python 2.x` option is selected. If the paths are not provided, your IDE's `PATH` environment variable will be used to locate the executables. When the `Strictly match package version` option is selected, the resolved dependency versions are compared to the versions specified in the manifest file, and you are alerted if any mismatch is detected. A Python virtual environment can be used by selecting the `Use python virtual environment` option. If the `Allow alternate package version` option is selected while using a virtual environment, the dependency versions specified in the manifest file are ignored and the dependency versions are resolved dynamically instead (this option cannot be enabled when `Strictly match package version` is selected).
- Exhort Snyk Token: The Snyk token allows Exhort to authenticate with the Snyk Vulnerability Database. If a Snyk token is not provided, Snyk vulnerability information is not displayed. If you need a new Snyk token, you can generate a new token here.
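The `Strictly match package version` and `Allow alternate package version` options decide which version of a dependency is actually scanned: the version written in the manifest, or the one the environment resolved. The following added example (not the plugin's or Exhort's own code) models the three Python modes described above over a constructed `requirements.txt` and the `pip freeze` output of the environment it was installed into; the function names, the sample package names and versions, and the warning text are assumptions for illustration. It also applies PEP 503 name normalisation, since `Flask` in the manifest and `flask` in `pip freeze` are the same project.

```python
import re
from typing import Dict, List, Optional, Tuple

# name -> exact version from a '==' pin, or None when the manifest gives a range or bare name
Pins = Dict[str, Optional[str]]
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'Flask', 'flask' and 'py_jwt'/'py-jwt' name the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def manifest_pins(requirements: str) -> Pins:
    """What requirements.txt says; only '==' pins are exact enough to compare against."""
    pins: Pins = {}
    for line in requirements.splitlines():
        m = _REQ.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def resolved_versions(pip_freeze: str) -> Dict[str, str]:
    """What the environment actually holds, from 'pip freeze' output (name==version per line)."""
    out: Dict[str, str] = {}
    for line in pip_freeze.splitlines():
        if "==" in line:
            name, ver = line.strip().split("==", 1)
            out[normalize(name)] = ver
    return out


def versions_to_analyse(pins: Pins, resolved: Dict[str, str], strict: bool = False,
                        allow_alternate: bool = False) -> Tuple[Dict[str, str], List[str]]:
    """Return (name -> version that gets scanned, warnings) for the three modes the page describes.

    default         : scan the pinned manifest versions
    strict          : same, but warn on every pin the environment resolved differently
    allow_alternate : ignore the pins and scan what is installed (the page says this cannot
                      be combined with strict matching, so the combination is rejected)
    """
    if strict and allow_alternate:
        raise ValueError("'Strictly match package version' excludes 'Allow alternate package version'")
    if allow_alternate:
        return {n: resolved[n] for n in pins if n in resolved}, []
    warnings: List[str] = []
    if strict:
        for name, pinned in pins.items():
            if pinned is not None and resolved.get(name) != pinned:
                actual = resolved.get(name) or "nothing"
                warnings.append(f"{name}: manifest pins {pinned}, environment resolved {actual}")
    return {n: v for n, v in pins.items() if v is not None}, warnings


# Constructed sample input (assumed for the demo): a manifest and the 'pip freeze' of the
# environment it was installed into, where requests was resolved to a newer release.
REQUIREMENTS = "requests==2.28.1\nFlask>=2.0\nurllib3==1.26.12\n"
PIP_FREEZE = "certifi==2022.12.7\nflask==2.2.2\nrequests==2.31.0\nurllib3==1.26.12\n"

if __name__ == "__main__":
    pins, env = manifest_pins(REQUIREMENTS), resolved_versions(PIP_FREEZE)
    for mode in ({}, {"strict": True}, {"allow_alternate": True}):
        scanned, warnings = versions_to_analyse(pins, env, **mode)
        print(mode or "default", scanned, warnings)
```

The point of the strict mode is that a report computed from the manifest pin (`requests==2.28.1` here) says nothing about the version that will ship if the environment resolved something else; the mismatch warning is what tells you the two have drifted apart.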
- Component analysis
  Upon opening a manifest file, such as a `pom.xml`, `package.json`, `go.mod` or `requirements.txt` file, a scan starts the analysis process. The scan provides immediate inline feedback on detected security vulnerabilities for your application's dependencies. Such dependencies are underlined in red, and hovering over one gives you a short summary of the security concern. The summary has the full package name, version number, the number of known security vulnerabilities, and the highest severity among those vulnerabilities.
- Excluding dependencies with `exhortignore`
  You can exclude a package from analysis by marking the package for exclusion. An `exhortignore` marker suppresses the report for that dependency; it does not change what gets built, so treat such markers as exceptions to review. If you wish to ignore vulnerabilities for a dependency in a `pom.xml` file, add `exhortignore` as a comment against the dependency, group id, artifact id, or version element of that particular dependency in the manifest file. For example:

```xml
<dependency> <!--exhortignore-->
  <groupId>...</groupId>
  <artifactId>...</artifactId>
  <version>...</version>
</dependency>
```

  If you wish to ignore vulnerabilities for a dependency in a `package.json` file, add `exhortignore` as an attribute-value pair. For example:

```json
{
  "name": "sample",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "dotenv": "^8.2.0",
    "express": "^4.17.1",
    "jsonwebtoken": "^8.5.1",
    "mongoose": "^5.9.18"
  },
  "exhortignore": [
    "jsonwebtoken"
  ]
}
```

  If you wish to ignore vulnerabilities for a dependency in a `go.mod` file, add `exhortignore` as a comment against the dependency in the manifest file. For example:

```go
require (
    golang.org/x/sys v1.6.7 // exhortignore
)
```

  If you wish to ignore vulnerabilities for a dependency in a `requirements.txt` file, add `exhortignore` as a comment against the dependency in the manifest file. For example:

```text
requests==2.28.1 # exhortignore
```
- Excluding developmental or test dependencies
  Red Hat Dependency Analytics does not analyze dependencies marked as `dev` or `test`; these dependencies are ignored. For example, setting `test` in the `scope` tag within a `pom.xml` file:

```xml
<dependency>
  <groupId>...</groupId>
  <artifactId>...</artifactId>
  <version>...</version>
  <scope>test</scope>
</dependency>
```

  For example, setting the `devDependencies` attribute in the `package.json` file:

```json
{
  "name": "sample",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "dotenv": "^8.2.0",
    "express": "^4.17.1",
    "jsonwebtoken": "^8.5.1",
    "mongoose": "^5.9.18"
  },
  "devDependencies": {
    "axios": "^0.19.0"
  }
}
```

  For example, setting the `exclude` directive in the `go.mod` file, in either its single-line or block form:

```go
exclude golang.org/x/sys v1.6.7

exclude (
    golang.org/x/sys v1.6.7
)
```

  You can create an alternative file to `requirements.txt`, for example a `requirements-dev.txt` or a `requirements-test.txt` file, and add the development or test dependencies there.
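Every exclusion described above (an `exhortignore` marker, a `test`-scoped Maven dependency, a `devDependencies` entry, a `go.mod` `exclude`) removes a package from the vulnerability report, so a reviewer wants an inventory of what the scanner is not looking at. The following added example (not the plugin's own code) walks the four manifest formats the plugin supports and lists the skipped packages with the reason; the function names and the constructed sample manifests are assumptions for illustration, and the parsers are deliberately line- and regex-based rather than full Maven or Go module parsers.

```python
import json
import re
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str]  # (package, reason RHDA will not report on it)
_IGNORE_COMMENT = re.compile(r"<!--\s*exhortignore\s*-->")
_DEP_BLOCK = re.compile(r"<dependency>(.*?)</dependency>", re.S)


def _tag(block: str, name: str) -> str:
    m = re.search(rf"<{name}>\s*(.*?)\s*</{name}>", block, re.S)
    return m.group(1) if m else "?"


def skipped_in_pom(text: str) -> List[Finding]:
    """pom.xml: an <!--exhortignore--> comment inside <dependency>, or <scope>test</scope>."""
    out: List[Finding] = []
    for block in _DEP_BLOCK.findall(text):
        name = f"{_tag(block, 'groupId')}:{_tag(block, 'artifactId')}"
        if _IGNORE_COMMENT.search(block):
            out.append((name, "exhortignore"))
        elif _tag(block, "scope") == "test":
            out.append((name, "test scope"))
    return out


def skipped_in_package_json(text: str) -> List[Finding]:
    """package.json: names in the "exhortignore" array, plus everything under devDependencies."""
    data = json.loads(text)
    out = [(n, "exhortignore") for n in data.get("exhortignore", [])]
    return out + [(n, "devDependencies") for n in data.get("devDependencies", {})]


def skipped_in_go_mod(text: str) -> List[Finding]:
    """go.mod: '// exhortignore' on a require line, or an exclude directive (single or block form)."""
    out: List[Finding] = []
    block = None  # directive of the '( ... )' block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if line.endswith("("):
            block = line.split()[0]
            continue
        if line == ")":
            block = None
            continue
        words, kind = line.split(), block
        if words[0] in ("require", "exclude"):
            kind, words = words[0], words[1:]
        if kind == "exclude" and words:
            out.append((words[0], "exclude"))
        elif kind == "require" and words and re.search(r"//\s*exhortignore\b", line):
            out.append((words[0], "exhortignore"))
    return out


def skipped_in_requirements(text: str) -> List[Finding]:
    """requirements.txt: a '# exhortignore' comment on the requirement line."""
    out: List[Finding] = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*).*#\s*exhortignore\b", line)
        if m:
            out.append((m.group(1), "exhortignore"))
    return out


HANDLERS: Dict[str, Callable[[str], List[Finding]]] = {
    "pom.xml": skipped_in_pom, "package.json": skipped_in_package_json,
    "go.mod": skipped_in_go_mod, "requirements.txt": skipped_in_requirements,
}


def audit(manifests: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Manifest file name -> dependencies RHDA will skip, each with the reason."""
    return {n: HANDLERS[n](t) for n, t in manifests.items() if n in HANDLERS}


# Constructed sample manifests for the demo (assumed); not taken from any real project.
SAMPLE_MANIFESTS = {
    "pom.xml": """<project><dependencies>
  <dependency> <!--exhortignore-->
    <groupId>com.example</groupId><artifactId>auth-lib</artifactId><version>1.0.0</version>
  </dependency>
  <dependency>
    <groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version><scope>test</scope>
  </dependency>
</dependencies></project>""",
    "package.json": json.dumps({"name": "sample", "version": "1.0.0",
                                "dependencies": {"express": "^4.17.1", "jsonwebtoken": "^8.5.1"},
                                "devDependencies": {"axios": "^0.19.0"},
                                "exhortignore": ["jsonwebtoken"]}),
    "go.mod": ("module example.com/app\n\ngo 1.21\n\nrequire (\n\tgolang.org/x/sys v1.6.7 // exhortignore\n"
               "\tgolang.org/x/text v0.3.8\n)\n\nexclude golang.org/x/sys v1.6.7\n"),
    "requirements.txt": "requests==2.28.1 # exhortignore\nflask==2.2.2\n",
}

if __name__ == "__main__":
    for manifest, findings in audit(SAMPLE_MANIFESTS).items():
        for package, reason in findings:
            print(f"{manifest}: {package} not analysed ({reason})")
```

Run over a checkout, the output is the list of packages whose vulnerabilities will never appear in the report; packages that are not skipped (`golang.org/x/text`, `flask` in the samples) produce no line. Pointing `audit` at real files is a matter of reading each manifest into the dictionary.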
- Red Hat Dependency Analytics report
  The Red Hat Dependency Analytics report is a temporary HTML file that exists only while the Red Hat Dependency Analytics Report tab remains open. Closing the tab removes the temporary HTML file.
The goal of this project is to significantly enhance a developer's experience by providing helpful vulnerability insights for their applications.
The Red Hat Dependency Analytics plugin for IntelliJ IDEA collects anonymous usage data and sends it to Red Hat servers to help improve our products and services. Read our privacy statement to learn more.
This plugin respects the settings of the Telemetry by Red Hat plugin, which you can learn more about here.
There are two ways you can contact us:
- You can reach out to us at [email protected] with any questions, feedback, and general support.
- You can also file a GitHub Issue.
EPL 2.0, See LICENSE for more information.