Red Hat Dependency Analytics

Red Hat Dependency Analytics (RHDA) plugin gives you awareness to security concerns within your software supply chain while you build your application.

Dependency Analytics supports multiple package managers:

• Maven (mvn)
• NPM (npm)
• PNPM (pnpm)
• Yarn Berry and Classic (yarn)
• Gradle Kotlin and Groovy (gradle)
• Golang (go mod)
• Python (pip) ecosystems, and base images in Dockerfile.

In future releases, Red Hat plans to support other package managers.

NOTE: The Red Hat Dependency Analytics plugin is an online service hosted and maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the vulnerability report.

Table of Contents

• Red Hat Dependency Analytics - Table of Contents
  • Quick start
  • Configuration
  • Features
  • Know more about the Red Hat Dependency Analytics platform
  • Data and telemetry
  • Support, feedback & questions
  • License

Quick start

Prerequisites

• For Maven projects, analyzing a pom.xml file, you must have the mvn binary in your IDE's PATH environment.
• For Node projects, analyzing a package.json file, you must have one of the corresponding package manager npm, pnpm or yarn, node binaries in your IDE's PATH environment.
• For Golang projects, analyzing a go.mod file, you must have the go binary in your IDE's PATH environment. Furthermore, Golang projects can only be analyzed with IntelliJ Ultimate Edition.
• For Python projects, analyzing a requirements.txt file, you must have the python3 and pip3 binaries in your IDE's PATH environment.
• For Gradle projects, analyzing a build.gradle file or build.gradle.kts file, you must have the gradle binary in your system's PATH environment.
• For base images, analyzing a Dockerfile, you must have the syft and skopeo binaries in your IDE's PATH environment.

Procedure

1. Install IntelliJ IDEA on your workstation.
2. After the installation finishes, open the IntelliJ IDEA application.
3. From the menu, click Settings , and click Plugins.
4. Search the Marketplace for Red Hat Dependency Analytics.
5. Click the INSTALL button to install the plugin.
6. To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:
   • Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a dependency, and click Detailed Vulnerability Report.
   • Right click on a manifest file in the Project window, and click Dependency Analytics Report.

Configuration

The Red Hat Dependency Analytics plugin has some configurable parameters that allows you to customize its behavior according to your preferences.

Procedure

1. Open the IntelliJ IDEA application.

2. From the menu, click Settings , and click Tools.

3. Click Red Hat Dependency Analytics.

   

Configurable parameters

• Maven :
  Set the full path of the Maven executable, which allows Exhort to locate and run the mvn command to resolve dependencies for Maven projects.
  Path of the JAVA_HOME directory is required by the mvn executable.
  If the paths are not provided, your IDE's PATH and JAVA_HONE environments will be used to locate the executables.

• Maven Wrappers :
  preferWrapper: Configure whether to use Maven wrapper. There are three options available:
  true: Always use the wrapper regardless of Build,Execution,Deployment › Build Tools > Maven: Maven home path setting
  false: Never use the wrapper regardless of Build,Execution,Deployment › Build Tools > Maven: Maven home path setting
  fallback: Use IntelliJ's Build,Execution,Deployment › Build Tools > Maven: Maven home path setting (default behavior)

• Node :
  Set the full path of the Node executable, which allows Exhort to locate and run one of the corresponding npm, pnpm or yarn command to resolve dependencies for Node projects.
  Path of the directory containing the node executable is required by one of the corresponding npm, pnpm or yarn executable.
  If the paths are not provided, your IDE's PATH environment will be used to locate the executables.

• Golang :
  Set the full path of the Go executable, which allows Exhort to locate and run the go command to resolve dependencies for Go projects.
  If the path is not provided, your IDE's PATH environment will be used to locate the executable.
  When option Strictly match package version is selected, the resolved dependency versions will be compared to the versions specified in the manifest file, and users will be alerted if any mismatch is detected.

• Python :
  Set the full paths of the Python and the package installer for Python executables, which allows Exhort to locate and run the pip3 commands to resolve dependencies for Python projects.
  Python 2 executables python and pip can be used instead, if the Use python 2.x option is selected.
  If the paths are not provided, your IDE's PATH environment will be used to locate the executables.
  When option Strictly match package version is selected, the resolved dependency versions will be compared to the versions specified in the manifest file, and users will be alerted if any mismatch is detected.
  Python virtual environment can be applied, when selecting the Use python virtual environment option.
  If selecting option Allow alternate package version while using virtual environment, the dependency versions specified in the manifest file will be ignored, and dependency versions will be resolved dynamically instead (this feature cannot be enabled when Strictly match package version is selected).

• Gradle :
  Set the full path of the Gradle executable, which allows Exhort to locate and run the gradle command to resolve dependencies for Gradle projects.
  By not setting a path to the gradle binary, IntelliJ IDEA uses its default path environment to locate the file.

• Image :
  Set the full path of the Syft executable, which allows Exhort to locate and run the syft command to generate Software Bill of Materials for the base images.
  Optionally, set the full path of the Docker or Podman executable. Syft will attempt to find the images in the Docker or Podman daemon with the executable. Otherwise, Syft will try direct remote registry access.
  Set the full path of the Skopeo executable, which allows Exhort to locate and run the skopeo command to determine the image digests.
  If the paths are not provided, your IDE's PATH environment will be used to locate the executables.
  If a Syft configuration file is used and not at the default paths, set the full path to the configuration file in configuration.
  If an authentication file is applied for skopeo inspect, set the full path to the file in configuration.
  If platform is not specified in the Dockerfile for multi-platform images the default platform is used, as set in the configuration. Otherwise, set the full path of the Docker or Podman executable, then Exhort will use the executable to find the image platform based on the operating system and architecture of the container runtime.

• Inline Vulnerability Severity Alerts :
  You can set the vulnerability severity alert level to Error or Warning for inline notifications of detected vulnerabilities.

• Proxy Configuration :
  From IntelliJ IDEA Appearance & Behavior > System Settings > HTTP Proxy, you can configure a static proxy for all HTTP requests made by the plugin. This is useful when your environment requires going through a proxy to access external services. For example:http://proxy.example.com:8080

Features

• Component analysis
  Upon opening a manifest file, such as a pom.xml, package.json, go.mod or requirements.txt file, a scan starts the analysis process. The scan provides immediate inline feedback on detected security vulnerabilities for your application's dependencies. Such dependencies are appropriately underlined in red, and hovering over it gives you a short summary of the security concern. The summary has the full package name, version number, the amount of known security vulnerabilities, and the highest severity status of said vulnerabilities.

  

• Dockerfile scanning
  Upon opening a Dockerfile, a vulnerability scan starts analyzing the images within the Dockerfile. After the analysis finishes, you can view any recommendations and remediation by clicking the More actions... menu from the highlighted image name. Any recommendations for an alternative image does not replace the current image. By clicking Switch to..., you go to Red Hat's Ecosystem Catalog for the recommended image.

  
  You must have the syft and skopeo binaries installed on your workstation to use the Dockerfile scanning feature. You can specify a specific path to these binaries, and others by settings the following parameters as environment variables or system properties:

  • EXHORT_SYFT_PATH : Specify the absolute path of syft executable.
  • EXHORT_SYFT_CONFIG_PATH : Specify the absolute path to the Syft configuration file.
  • EXHORT_SKOPEO_PATH : Specify the absolute path of skopeo executable.
  • EXHORT_SKOPEO_CONFIG_PATH : Specify the absolute path to the authentication file used by the skopeo inspect command.
  • EXHORT_DOCKER_PATH : Specify the absolute path of docker executable.
  • EXHORT_PODMAN_PATH : Specify the absolute path of podman executable.
  • EXHORT_IMAGE_PLATFORM : Specify the platform used for multi-arch images.

  

• Excluding dependencies with exhortignore
  You can exclude a package from analysis by marking the package for exclusion. If you want to ignore vulnerabilities for a dependency in a pom.xml file, you must add exhortignore as a comment against the dependency, group id, artifact id, or version scopes of that particular dependency in the manifest file. For example:

  <dependency> <!--exhortignore-->
      <groupId>...</groupId>
      <artifactId>...</artifactId>
      <version>...</version>
  </dependency>

  If you want to ignore vulnerabilities for a dependency in a package.json file, you must add exhortignore as a attribute-value pair. For example:

  {
      "name": "sample",
      "version": "1.0.0",
      "description": "",
      "main": "index.js",
      "keywords": [],
      "author": "",
      "license": "ISC",
      "dependencies": {
          "dotenv": "^8.2.0",
          "express": "^4.17.1",
          "jsonwebtoken": "^8.5.1",
          "mongoose": "^5.9.18"
      },
      "exhortignore": [
          "jsonwebtoken"
      ]
  }

  If you want to ignore vulnerabilities for a dependency in a go.mod file, you must add exhortignore as a comment against the dependency in the manifest file. For example:

  require (
      golang.org/x/sys v1.6.7 // exhortignore
  )
  

  If you want to ignore vulnerabilities for a dependency in a requirements.txt file, you must add exhortignore as a comment against the dependency in the manifest file. For example:

  requests==2.28.1 # exhortignore
  

  If you want to ignore vulnerabilities for a dependency in a build.gradle file, you must add exhortignore as a comment against the dependency in the manifest file. For example:

  implementation "log4j:log4j:1.2.17" // exhortignore
  implementation group: 'log4j', name: 'log4j', version: '1.2.17' // exhortignore 
  

• Excluding developmental or test dependencies
  Red Hat Dependency Analytics does not analyze dependencies marked as dev or test, these dependencies are ignored. For example, setting test in the scope tag within a pom.xml file:

  <dependency>
      <groupId>...</groupId>
      <artifactId>...</artifactId>
      <version>...</version>
      <scope>test</scope>
  </dependency>

  For example, setting devDependencies attributte in the package.json file:

  {
      "name": "sample",
      "version": "1.0.0",
      "description": "",
      "main": "index.js",
      "keywords": [],
      "author": "",
      "license": "ISC",
      "dependencies": {
          "dotenv": "^8.2.0",
          "express": "^4.17.1",
          "jsonwebtoken": "^8.5.1",
          "mongoose": "^5.9.18"
      },
      "devDependencies": {
          "axios": "^0.19.0"
      }
  }

  For example, setting exclude attribute in the go.mod file:

  exclude golang.org/x/sys v1.6.7
  
  exclude (
      golang.org/x/sys v1.6.7
  )
  

  You can create an alternative file to requirements.txt, for example, a requirements-dev.txt or a requirements-test.txt file where you can add the development or test dependencies there.

• Red Hat Dependency Analytics report
  The Red Hat Dependency Analytics report is a temporary HTML file that exist if the Red Hat Dependency Analytics Report tab remains open. Closing the tab removes the temporary HTML file.

Know more about the Red Hat Dependency Analytics platform

The goal of this project is to significantly enhance a developer's experience by providing helpful vulnerability insights for their applications.

• GitHub Organization

Data and telemetry

The Red Hat Dependency Analytics plugin for IntellJ IDEA collects anonymous usage data and sends it to Red Hat servers to help improve our products and services. Read our privacy statement to learn more. This plugin respects the settings of the Telemetry by Red Hat plugin, which you can learn more about here.

Support, feedback & questions

The Red Hat Dependency Analytics plugin for IntelliJ IDEA in current version, supports the following IntelliJ IDEA versions:

• 2022.1
• 2022.2
• 2022.3
• 2023.1
• 2023.2
• 2023.3

There are two ways you can contact us:

• You can reach out to us at [email protected] with any questions, feedback, and general support.
• You can also file a GitHub Issue.

License

EPL 2.0, See LICENSE for more information.