
A plugin for PhpStorm and Intellij IDEA using the Jetbrains PHP plugin. It integrates many features of the RIPS web interface directly into the IDE, such as starting new scans and viewing analysis results. It offers additional features to navigate in the source code for a better user experience when working on security bugs.

You can find out more about our PhpStorm plugin in our blog post.

Requirements

This plugin can only be used in combination with a RIPS SaaS account or a local RIPS installation (on-premises).

For PhpStorm and IntelliJ requirements please refer to the download section.

API Compatibility

Plugin    API
1.3       >= 2.11.1

Note: On-Premises customers should update RIPS to run the latest and compatible API version.

Download

Use the table below or get the plugin directly via the JetBrains plugin repository: http://plugins.jetbrains.com/plugin/10447-rips-security-analysis.

Version   PhpStorm    IntelliJ PHP Plugin   Link
1.3.1     >= 2017.1   >= 162.x              JetBrains | RIPS

Manual Installation

  1. Obtain the RIPS plugin file from the PhpStorm plugin repository, our file download or install it directly in your IDE (File → Settings → Plugins → Browse repositories...).
  2. In your IDE go to File → Settings → Plugins → Install plugin from disk.
  3. Browse to the location of the downloaded plugin file (.jar) and select it.
  4. Restart the IDE and the installation is complete.

Usage

Configuration

After installing the plugin, go to File → Settings → Tools → RIPS Project Settings and insert the credentials of your RIPS account.

Note: Each PhpStorm user within your organization requires an individual RIPS account. Multiple IDE installations cannot connect to the same RIPS user account.


By default, the Base URL is https://api-2.ripstech.com/ and usually you don't need to change it. If you acquired the On-Premises version, enter the address of your local RIPS installation's API instead. For information about the RIPS local installation see RIPS Installer Tool. Your connection to the API is tested by pressing Check. A working connection is required for this plugin to work.

If you opt in to the option Show negatively reviewed issues, issues flagged as Fixed, Not exploitable, Not an issue or Duplicate will also be downloaded by the plugin. We recommend keeping this option inactive for better results. You can check your credentials and the connection to the API by clicking the Check button.

Project Settings

Option                      Description
Username                    Username of the RIPS account.
Password                    Password of the RIPS account.
Base URL                    URL of the RIPS API that should be used for scanning. Our SaaS API is available at https://api-2.ripstech.com. This API also works for trial accounts.
Highlight issues in editor  Highlight the sink of issues based on their severity in the IDE.
Show scan notifications     Display notifications about the scan status.

Proxy Settings

The plugin uses the proxy settings of your IDE. This can be deactivated by adding the API URL to the No proxy for: field in the proxy settings window. The change takes effect after a new login in the plugin configuration window.

Plugin Tool Window

The Plugin Tool Window is required for most operations of the plugin. To open it, either select View → Tool Windows → RIPS, or hover your mouse over the symbol in the bottom left corner of your IDE and select the RIPS entry.



Start a New Scan

If you want to start a new scan, select the  icon from the RIPS plugin tool window. You can then select an existing application already scanned in RIPS (or create a new one) and choose the available options for your scan. If you select zip project files, the plugin automatically selects all files relevant for the scan, starting from your project's root, and packs them into a temporary zip file. Alternatively, select choose existing archive and pick a zip/tar.gz/tar.bz2 archive of your project that you created yourself.


You can also select the specific RIPS analysis profile you want to use for your project. Please note that the available scan options are limited; starting a scan in the web interface of RIPS leaves you with more options to customize the scan. After proceeding, the archive is uploaded and a scan is started with RIPS. During the scan, the list of detected security issues is updated at regular intervals and can be reviewed immediately. Although this task runs in the background, editing your source code during a scan is not recommended, because the changes may cause the analysis results to be annotated incorrectly.

Option                   Description
Select archive           Choose between uploading an archive created by the plugin or one created by yourself.
Scan IDE excluded files  Opt-in to add files to plugin created archives even though they are marked as excluded in the project structure.
Remove upload            Remove the upload from the RIPS server once the scan is complete.
Store code               Opt-out completely removes your analyzed source code from the RIPS server. Only a minimal summary of code lines of the issue is stored.
Version                  The name of the scan, in most cases this is the version number of your project.
Analysis Profile         Select a RIPS analysis profile that should be used for the scan.
Analysis Depth           High analysis depth requires more memory and scan time while a low analysis depth leads to better performance but can miss deeply nested vulnerabilities.

Instead of using the plugin tool window, the actions can also be executed from the toolbar at the top of your IDE by navigating to Tools → RIPS. By default, a shortcut is assigned to Upload and analyze current project. To edit or assign shortcuts, you can go to File → Settings → Keymap → Main menu → Tools → RIPS.
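The archiving step described above (zip project files together with the Scan IDE excluded files option), written out as an added example rather than the plugin's own code. It assumes that IDE-excluded folders are the excludeFolder entries in .idea/*.iml with $MODULE_DIR$ standing for the project root, and that the .idea/ directory itself is never uploaded; the sample project it builds is constructed in a temporary directory.

```python
# Added example (not the RIPS plugin's code): what the "zip project files" step amounts to.
# Assumption: IDE-excluded folders are the <excludeFolder> entries in .idea/*.iml, where
# $MODULE_DIR$ is the project root, and .idea/ itself is never uploaded.
import re, tempfile, zipfile
from pathlib import Path

EXCLUDE_RE = re.compile(r'<excludeFolder url="file://\$MODULE_DIR\$/([^"]*)"')

def ide_excluded_dirs(root):
    """Folders marked 'Excluded' in the project structure, read from .idea/*.iml."""
    excluded = set()
    for iml in (root / ".idea").glob("*.iml"):
        for rel in EXCLUDE_RE.findall(iml.read_text()):
            excluded.add((root / rel).resolve())
    return excluded

def collect_scan_files(root, scan_ide_excluded=False):
    """Relative paths that go into the upload, honouring 'Scan IDE excluded files'."""
    root = root.resolve()
    skipped = set() if scan_ide_excluded else ide_excluded_dirs(root)
    files = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if rel.parts[0] == ".idea" or any(path.is_relative_to(d) for d in skipped):
            continue  # IDE metadata is never uploaded; excluded folders only on request
        files.append(rel.as_posix())
    return files

def build_archive(root, archive, scan_ide_excluded=False):
    """Pack the selected files into a zip and return the archive's member names."""
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in collect_scan_files(root, scan_ide_excluded):
            zf.write(root / rel, arcname=rel)
    with zipfile.ZipFile(archive) as zf:
        return zf.namelist()

def run_demo():
    """Constructed sample project: vendor/ is IDE-excluded, .idea/ holds the module file."""
    base = Path(tempfile.mkdtemp())
    root = base / "demo-project"
    iml = ('<module><component name="NewModuleRootManager"><content url="file://$MODULE_DIR$">'
           '<excludeFolder url="file://$MODULE_DIR$/vendor" /></content></component></module>')
    for rel, text in {"src/index.php": "<?php echo 'hi';", "vendor/autoload.php": "<?php",
                      ".idea/demo-project.iml": iml}.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return (build_archive(root, base / "upload.zip"),
            build_archive(root, base / "upload-all.zip", scan_ide_excluded=True))
```

Comparing the two member lists shows exactly which third-party code leaves your machine when the opt-in is set.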

Download Existing Analysis Results

It is possible to download existing analysis results from the API and display them in the current project. After the initial setup, clicking on the  icon in the RIPS plugin tool window allows you to choose from your existing applications and their corresponding scans. You can also create a new application here. Be aware that selecting an application and its scan doesn't lead to an automatic download of the issues. You need to click on  for the scan to be downloaded and applied to your source code.

Note: Source code differences between the currently opened code and the one used for the scan can lead to visualization issues.

Issues

You can double-click on the issues shown in the issue list in order to jump to the sink in your source code. Doing so will also show a summary, description, and comments for this issue in the panel next to the tree.

When right-clicking an issue, you are presented with the following three options:

  • Navigate to the issue's source, concatenation point, or sink if they are available.
  • Review the issue. This will update the icon next to the issue accordingly and depending on the type of review, the issue won't be annotated in the source code anymore (takes effect after editing the source code or re-opening the file).
  • Add a comment that can be viewed by your team.

Here you can find more information:

Troubleshooting

  • When changing the UI-theme of the IDE, the font color in the summary and markup pane will not change until restarting the IDE.
  • If you have problems starting or loading scans, please try to delete the plugin configuration located at path/to/project/.idea/RipsProjectSettings.xml. 
