Using the WhiteHat Sentinel Eclipse Plugin
As described in the section on Installation, once you have installed the WhiteHat plugin, your Eclipse toolbar will show the WhiteHat icon, and clicking on the icon will activate the plugin.
Eclipse is very customizable; you can control where the WhiteHat Sentinel IDE Plugin frame appears in your environment. (If the WhiteHat Sentinel Plugin is not visible, you can go to the Eclipse "Window" menu and select "Show View." Choose "Other" and look in the folder called "View WHS Findings" for the WhiteHat Sentinel IDE Plugin.)
In the plugin window, confirm that the server is correct (sentinel.whitehatsec.com or, for EU customers, sentinel.whitehatsec.eu); then enter your API Key (preferred) or your Sentinel username and password, and click Log in:
If you are having trouble logging into the WhiteHat Eclipse IDE Plugin, your default Eclipse read timeout setting may be too short. Try configuring it to a longer value in the eclipse.ini file. See the Eclipse documentation for more information on setting this value.
Once you have logged in, you will be able to pick an application and manage vulnerabilities.
Select the application you want to review from the drop-down list and click on the filter icon.
From here you can search for vulnerabilities by Vuln ID, Vuln Status, Rating, or date opened; enter your filter parameters and click on the filter icon.
Double-click on a specific Vuln ID in the list to move to the Debug Vulnerabilities tab and see the trace IDs and associated code snippets for that vulnerability. Click on the down-arrow next to the Vuln ID to see its Attack Vector IDs, and click on the down-arrow next to an Attack Vector ID to see the Attack Vector Types, Source Code Locations, and so on.
Click on a specific attack vector type to see the associated code snippet.
Alongside the "Snippet" tab, which shows the code and line numbers, you will also find the "Description," "Solution," and "Q&A" tabs and, when it is available, the "Directed Remediation" tab with a suggested fix.
Double-click on the Attack Vector Type to bring up that code in your environment.
If the source code package has not yet been loaded into the IDE, you may specify a source folder; alternatively, if you do not specify a source folder, you will be asked to navigate to the file path using a "Browse File" pop-up.
If the plugin cannot locate the correct string in your current code, it will look for the method.
If the method has changed and can’t be identified, you will see an error:
In addition to the code snippet, the WhiteHat Plugin will show you a general description and solution for the vulnerability, allow you to ask WhiteHat Security Engineers a question and see their response, or view directed remediation advice.
Select the tab to see the information.
The "Description" tab will offer a description of the vulnerability class in question, as in the example below:
The "Solution" tab will offer an approach to resolving the vulnerability class in question, as in the example below:
The "Directed Remediation" tab will offer one or more suggested changes to the code that will remediate the vulnerability in question.
You may base your code changes on the examples given, or copy and paste the code directly, or download the code as a patch using the "Download Patch" link. Note that if you copy and paste the code or download the code as a patch, you may also need to download the related dependencies using the "Download Dependencies" link. This will take you to a zip file of the dependencies used in the recommended patch(es); if the dependencies are not also installed appropriately, the code may not compile correctly.
In addition, the Q&A tab offers the opportunity to ask questions about this vulnerability and receive answers directly from WhiteHat Security Threat Research Engineers.
If questions or answers already exist for this vulnerability, you will see them in the list on the Q&A tab.
Clicking on "Ask a Question" will bring up a dialogue box that will allow you to enter a question about this vulnerability and receive answers directly from WhiteHat Security Threat Research Engineers, as shown below:
Enter your question and click on "Submit."
If a question has already been asked or answered, it will appear in the list.
Note: There is a known issue for the plugin with Eclipse 4.2 in which a user logged in with the API key may have issues with the Ask a Question function.