A plugin for PhpStorm and Intellij IDEA . It integrates many features of the RIPS web interface directly into the IDE, such as starting new scans and viewing analysis results. It offers additional features to navigate in the source code for a better user experience when working on security bugs.
You can find out more about our PhpStorm plugin in our blog post.
You can find out more about our IntelliJ IDEA plugin in our blog post.
This plugin can only be used in combination with a RIPS SaaS account or a local RIPS installation (on-premises).
For PhpStorm and IntelliJ requirements please refer to the download section.
Note: On-Premises customers should update RIPS to run the latest and compatible API version.
Use the table below or get the plugin directly via the JetBrains plugin repository: http://plugins.jetbrains.com/plugin/10447-rips-security-analysis.
- Obtain the RIPS plugin file from the Jetbrains plugin repository, our file download or install it directly in your IDE (File → Settings → Plugins → Browse repositories...).
- In your IDE go to File → Settings → Plugins → Install plugin from disk.
- Browse to the location of the downloaded plugin file (.jar) and select it.
- Restart the IDE and the installation is complete.
After installing the plugin, go to File → Settings → Tools → RIPS Project Settings and insert the credentials of your RIPS account.
Note: Each Jetbrains user within your organization requires an individual RIPS account. Multiple IDE installations cannot connect to the same RIPS user account.
|Username||Email of your RIPS account that should be used for scanning.|
|Password||Password of your RIPS account that should be used for scanning.|
URL of the RIPS API that should be used for scanning.
|Highlight issues in editor||Highlight the sink of issues based on their severity in the IDE.|
|Show scan notifications||Display notifications about the scan status.|
|Show negatively reviewed issues||If you opt-in to this option, issues which are flagged as Fixed, Not exploitable, Not an issue or Duplicate will be downloaded by the plugin. |
Our recommendation is to keep this option inactive for better results.
The plugin is using the settings from your IDE. This can be deactivated by adding the API URL to the No proxy for: field in the proxy settings window. These changes will be applied after a new login in the plugin configuration window.
Plugin Tool Window
The Plugin Tool Window is required for most operations of the plugin. To open it either select View → Tool Windows → RIPS or hover your mouse over the symbol in the bottom left corner of your IDE and select the RIPS entry.
Start a New Scan
If you want to start a new scan, select the plugin tool window. You can then select an existing application already scanned in RIPS (or create a new one) and choose available options for your scan. By selecting zip project files the plugin will automatically select all files which are relevant for the can, starting from your project's root, and will pack these into a temporary zip file. Alternatively, you can select choose existing archive and pick your project's zip/tar.gz/tar.bz2 archive that you have created.icon from the RIPS
You can also select a specific RIPS analysis profile which you want to use for your project. Please note that the available scan options are limited and that starting a scan in the web interface of RIPS leaves you with more options to customize the scan. After proceeding, the archive will be uploaded and a scan is started with RIPS. During the scan, the list of detected security issues is updated in regular intervals and can be reviewed immediately. Although this task runs in the background, it is not recommended to edit your source code during a scan because the changes may cause the analysis results to be annotated incorrectly.
|Select archive||Choose between uploading an archive created by the plugin or one created by yourself.|
|Scan IDE excluded files||Opt-in to add files to plugin created archives even though they are marked as excluded in the project structure.|
Remove the upload from the RIPS server once the scan is complete.
|Store code||Opt-out completely removes your analyzed source code from the RIPS server. Only a minimal summary of code lines of the issue is stored.|
|Version||The name of the scan, in most cases this is the version number of your project.|
|Analysis Profile||Select a RIPS analysis profile that should be used for the scan.|
|Analysis Depth||High analysis depth requires more memory and scan time while a low analysis depth leads to better performance but can miss deeply nested vulnerabilities.|
Instead of using the plugin tool window, the actions can also be executed from the toolbar at the top of your IDE by navigating to Tools → RIPS. By default, a shortcut is assigned to Upload and analyze current project. To edit or assign shortcuts, you can go to File → Settings → Keymap → Main menu → Tools → RIPS.
Download Existing Analysis Results
It is possible to download existing analysis results from the API and display them in the current project. After the initial setup, clicking on theicon in the RIPS plugin tool window allows you to choose from your existing applications and their corresponding scans. You can also create a new application here. Be aware that selecting an application and its scan doesn't lead to an automatic download of the issues. You need to click on for the scan to downloaded and applied to your source code.
Note: Source code differences between the currently opened code and the one used for the scan can lead to visualization issues.
You can double-click on the issues shown in the issue list in order to jump to the sink in your source code. Doing so will also show a summary, description, and comments for this issue in the panel next to the tree.
When clicking right on an issue, you are presented with the following three options:
- Navigate to the issues' source, concatenation point, or sink if they are available.
- Review the issue. This will update the icon next to the issue accordingly and depending on the type of review, the issue won't be annotated in the source code anymore (takes effect after editing the source code or re-opening the file).
- Add a comment that can be viewed by your team.
Here you can find more information:
Your project may include multiple modules. Each one of these modules can be scanned as a different application. To scan a module or list previous issues, select it from the drop-down list in the upper left corner of the RIPS plugin. This list is only shown if more than one module is present in the current project.
- If you have problems starting or loading scans, please try to delete the plugin configuration located at path/to/project/.idea/RipsProjectSettings.xml.
- If you are using an unknown certificate authority requests to the API will fail with "SSLHandshakeException". It can be solved by importing the CA certificate into the Java keystore by running 'keytool -import -file cert.cer -alias customcert -keystore "%JAVA_HOME%\lib\security\cacerts"' (Windows) or 'keytool -import -file cert.cer -alias customcert -keystore "$JAVA_HOME/lib/security/cacerts"' (Unix).