Using the WhiteHat Sentinel Eclipse Plugin

As described in the section on Installation, once you have installed the WhiteHat plugin, your Eclipse toolbar will show the WhiteHat icon, and clicking on the icon will activate the plugin.

[Screenshot: Eclipse toolbar showing the WhiteHat icon]

Eclipse is very customizable; you can control where the WhiteHat Sentinel IDE Plugin frame appears in your environment. (If the WhiteHat Sentinel Plugin is not visible, you can go to the Eclipse "Window" menu and select "Show View." Choose "Other" and look in the folder called "View WHS Findings" for the WhiteHat Sentinel IDE Plugin.)

Logging In

In the plugin window, confirm that the server is correct (sentinel.whitehatsec.com or, for EU customers, sentinel.whitehatsec.eu); then enter your API Key (preferred) or your Sentinel username and password, and click Log in:

[Screenshot: the plugin login form in Eclipse]

If you have trouble logging in to the WhiteHat Eclipse IDE Plugin, the default Eclipse read timeout may be too short. Try setting a longer value in the eclipse.ini file; see the Eclipse documentation for details on this setting.

Reviewing Your Vulnerabilities

Once you have logged in, you will be able to pick an application and manage vulnerabilities.

Select the application you want to review from the drop-down list and click the filter icon.

From here you can search for vulnerabilities by Vuln ID, Vuln Status, Rating, or date opened; enter your filter parameters and click on the filter icon.

[Screenshot: vulnerability listing in Eclipse]

Double-click a Vuln ID in the list to move to the Debug Vulnerabilities tab, which shows the trace IDs and the associated code snippets for that vulnerability. Click the down-arrow next to the Vuln ID to expand its Attack Vector IDs, and click the down-arrow next to an Attack Vector ID to see its Attack Vector Types, Source Code Locations, and other details.

[Screenshot: a vulnerability expanded to show its attack vector types]

Click on a specific attack vector type to see the associated code snippet.

[Screenshot: the Snippet tab]

Alongside the "Snippet" tab, which shows the code and line numbers, there are "Description," "Solution," and "Q&A" tabs and, where available, a "Directed Remediation" tab containing a suggested fix.

Double-click on the Attack Vector Type to bring up that code in your environment.

If the source code package has not yet been loaded into the IDE, you can specify a source folder. If you do not, a "Browse File" pop-up asks you to navigate to the file path.

[Screenshot: the snippet alongside the matching code in the editor]

If the plugin cannot find the reported line in your current source (for example, because that line was edited after the scan), it falls back to locating the method that contained it.

[Screenshot: the reported line was not found, so the plugin positions on the method]

If the method has changed and can’t be identified, you will see an error:

[Screenshot: error shown when the method cannot be identified]
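The fallback described above (the exact reported line first, then the method that contained it, then an error) is what decides whether a finding still points at real code after you have edited the file. The Python below is an added illustration written for this page, not the plugin's own matching code, which is not published here. It assumes a whitespace-insensitive comparison of the reported line and a regular expression for a Java method declaration; the servlet sources and the finding are constructed.

```python
import re
from typing import Optional, Tuple

# Constructed example finding (hypothetical servlet code, not taken from the
# plugin or from a real Sentinel report): the line Sentinel flagged and the
# method that contained it at scan time.
FINDING_SNIPPET = 'String name = request.getParameter("name");'
FINDING_METHOD = "doGet"

# Case 1: the file is unchanged since the scan.
SOURCE_UNCHANGED = """\
public class Greeter extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        String name = request.getParameter("name");
        response.getWriter().println("Hello " + name);
    }
}
"""

# Case 2: the flagged line was edited after the scan, but doGet still exists.
SOURCE_LINE_CHANGED = """\
public class Greeter extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        // changed since the scan: the value is now output-encoded
        String name = Encode.forHtml(request.getParameter("name"));
        response.getWriter().println("Hello " + name);
    }
}
"""

# Case 3: the method was refactored away, so neither anchor exists.
SOURCE_METHOD_GONE = """\
public class Greeter extends HttpServlet {
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response) {
        render(response, Encode.forHtml(request.getParameter("name")));
    }
}
"""

# Assumed shape of a Java declaration: optional modifiers, a return type, the name.
MODIFIERS = r"(?:(?:public|protected|private|static|final|synchronized)\s+)*"


def _normalise(line: str) -> str:
    """Collapse indentation and internal runs of whitespace so a re-indented
    line still counts as the same statement."""
    return " ".join(line.split())


def locate_finding(source: str, snippet: str, method: str) -> Tuple[str, Optional[int]]:
    """Apply the fallback order described above.

    Returns ("snippet", line) when the reported line is present verbatim,
    ("method", line) when only the enclosing method's declaration can be
    found, and ("error", None) when neither can be identified. Line numbers
    are 1-based, as Eclipse shows them.
    """
    lines = source.splitlines()
    wanted = _normalise(snippet)
    for number, line in enumerate(lines, start=1):
        if _normalise(line) == wanted:
            return ("snippet", number)

    # Fallback: a declaration of `method`. Requiring a return type before the
    # name, and excluding return/new/throw, keeps call sites such as
    # `return doGet(req, resp);` from being mistaken for the declaration.
    declaration = re.compile(
        r"^\s*(?!(?:return|new|throw)\b)" + MODIFIERS
        + r"[\w<>\[\]]+\s+" + re.escape(method) + r"\s*\("
    )
    for number, line in enumerate(lines, start=1):
        if declaration.search(line):
            return ("method", number)

    return ("error", None)


if __name__ == "__main__":
    for label, src in (("unchanged", SOURCE_UNCHANGED),
                       ("line changed", SOURCE_LINE_CHANGED),
                       ("method gone", SOURCE_METHOD_GONE)):
        print(label, "->", locate_finding(src, FINDING_SNIPPET, FINDING_METHOD))
```

The second case is the one to watch in practice: when the plugin lands on the method rather than the line, confirm by hand which statement the finding referred to before deciding the issue is fixed.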

In addition to the code snippet, the WhiteHat Plugin shows a general description and solution for the vulnerability, lets you ask WhiteHat Security engineers a question and see their response, and offers directed remediation advice.

[Screenshot: the vulnerability detail tabs]

Select the tab to see the information.

Description

The "Description" tab will offer a description of the vulnerability class in question, as in the example below:

[Screenshot: Description tab]

Solution

The "Solution" tab will offer an approach to resolving the vulnerability class in question, as in the example below:

[Screenshot: Solution tab]

Directed Remediation

The "Directed Remediation" tab will offer one or more suggested changes to the code that will remediate the vulnerability in question.

You may base your code changes on the examples given, copy and paste the code directly, or download the code as a patch using the "Download Patch" link. If you copy the code or download it as a patch, you may also need the related dependencies, available through the "Download Dependencies" link, which provides a zip file of the dependencies used in the recommended patch(es); unless those dependencies are also installed appropriately, the patched code may not compile. Because the suggestion is generated against the code as it was at scan time, review the patch against your current source before applying it.
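The dependency zip is a build input you did not produce, so before unpacking it into the project it is worth listing its entries, refusing any that would write outside the target folder, and recording the hash of each member so the jar that ends up on the classpath can be traced back to what the plugin delivered. The Python below is an added example written for this page, not part of the plugin or of WhiteHat's tooling; the archive contents are constructed placeholders, and the entry-name rules (no absolute paths, drive letters, or `..` components) are this example's own policy.

```python
import hashlib
import io
import zipfile
from pathlib import Path
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _is_unsafe_name(name: str) -> bool:
    """True for entry names that would land outside the extraction folder:
    absolute paths, Windows drive letters, or any '..' path component."""
    unified = name.replace("\\", "/")
    if unified.startswith("/") or (len(unified) > 1 and unified[1] == ":"):
        return True
    return ".." in unified.split("/")


def inspect_dependency_zip(zip_bytes: bytes) -> Dict[str, str]:
    """Return {entry name: SHA-256} for every file in the archive without
    writing anything to disk. Raises ValueError on the first unsafe name."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if _is_unsafe_name(info.filename):
                raise ValueError(f"unsafe entry in dependency archive: {info.filename!r}")
            if info.is_dir():
                continue
            digests[info.filename] = sha256_hex(zf.read(info))
    return digests


def is_safe_dependency_zip(zip_bytes: bytes) -> bool:
    try:
        inspect_dependency_zip(zip_bytes)
    except ValueError:
        return False
    return True


def extract_dependencies(zip_bytes: bytes, dest: Path) -> Dict[str, str]:
    """Validate the whole archive first, then unpack it under `dest`.
    Nothing is written if any entry is unsafe. Returns the digest record."""
    digests = inspect_dependency_zip(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in digests:
            target = dest / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(name))
    return digests


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used only to construct the sample archives here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (contents are placeholders, not real jars).
GOOD_ZIP = build_zip({
    "lib/encoder-1.2.3.jar": b"placeholder jar bytes",
    "lib/README.txt": b"Dependencies for the directed remediation patch\n",
})
BAD_ZIP = build_zip({
    "lib/encoder-1.2.3.jar": b"placeholder jar bytes",
    "../../.bashrc": b"echo pwned\n",
})


if __name__ == "__main__":
    for name, digest in inspect_dependency_zip(GOOD_ZIP).items():
        print(f"{digest}  {name}")
    print("bad archive accepted:", is_safe_dependency_zip(BAD_ZIP))
```

Keep the digest record with the change (for example in the commit that applies the patch); if the same jar is later pulled from a repository instead, the hash tells you whether it is the artifact the remediation was tested against.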

Ask a Question

In addition, the Q&A tab offers the opportunity to ask questions about this vulnerability and receive answers directly from WhiteHat Security Threat Research Engineers.

[Screenshot: Q&A tab]

If questions or answers already exist for this vulnerability, you will see them in the list on the Q&A tab.

Clicking on "Ask a Question" will bring up a dialogue box that will allow you to enter a question about this vulnerability and receive answers directly from WhiteHat Security Threat Research Engineers, as shown below:

[Screenshot: Ask a Question dialog]

Enter your question and click "Submit." Once submitted, the question, and any answer it receives, appears in the list on the Q&A tab.

Note: There is a known issue with the plugin on Eclipse 4.2 in which a user logged in with an API key may have trouble using the Ask a Question function.