Using the WhiteHat Sentinel IntelliJ Plugin

The IntelliJ plugin allows developers to work with Sentinel directly from IntelliJ.

Logging In

The IntelliJ plugin allows developers to work with Sentinel directly from IntelliJ. Once you have installed the WhiteHat Sentinel IntelliJ Plugin as described under Installation, perform the following steps to use the WhiteHat Sentinel IntelliJ Extension:

  1. Open IntelliJ from your applications and select View.

    IntelliJ using plugin 1

  2. Select Tool Windows.

  3. Select WhiteHat Sentinel IDE Plugin.

  4. Log in by typing your Sentinel User Name and Password or type a valid API Key in the text fields.

    A valid API key must be entered before the plugin can be used. To find out how to generate an API key on Sentinel see Generating an API key.

    IntelliJ using plugin 2

  5. Confirm that the correct server is listed:

    • sentinel.whitehatsec.com for non EU customers

    • sentinel.whitehatsec.eu for EU customers

Reviewing Your Vulnerabilities

Once you have logged in, you will be able to pick an application and manage vulnerabilities.

Select the application you want to review from the drop-down list and click on the filter icon (filter).

From here you can search for vulnerabilities by Vuln ID, Vuln Status, Rating, or Date opened. Enter your filter parameters and click the filter icon.

intelli j select app

Double-click on a specific Vuln ID in the list to move to the Debug Vulnerabilities tab and see trace IDs and the associated code snippets for that vulnerability. Click on the down-arrow next to the Vuln ID to see the Attack Vector IDs, and click on the down-arrow next to the Attack Vector ID to see the Attack Vector Types, Source Code Locations, etc.

using intellij3
If the source code package has not yet been loaded into the IDE, you may specify a source folder. Alternatively, if you do not specify a source folder, you will be asked to navigate to the file path using a Browse File pop-up.

Click a specific attack vector type to see the associated code snippet, double-click to bring up that code in your environment. If the plugin cannot locate the correct string in your current code, it will look for the method, if the method has changed and can’t be identified, you will see an error: Not able to match line and method.

In addition to the code snippet, the WhiteHat Plugin will show you a general description and solution for the vulnerability, allow you to ask WhiteHat Security Engineers a question and see their response, or view directed remediation advice.

eclipse tabs

Select the tab to see the information.

Description

The Description tab will offer a description of the vulnerability class in question, as in the example below:

intelli j desc

Solution

The Solution tab will offer an approach to resolving the vulnerability class in question, as in the example below:

intelli j sol

Directed Remediation

The Directed Remediation tab will offer one or more suggested changes to the code that will remediate the vulnerability in question, as shown below:

suggested change

You may base your code changes on the examples given, or copy and paste the code directly, or download the code as a patch using the Download Patch link.

If you download the patch or copy and paste the code, you may also need to download the dependencies (there is a Download Dependencies link next to Download Patch). Unless the dependencies are downloaded and installed, the new code may not compile correctly. This link will take you to a zipped file in WhiteHat’s Customer Portal, which you will need to download and install (the file name will be similar to remediation.security-api-1.0-SNAPSHOT.jar.zip).

Ask a Question

In addition, the Q&A tab offers the opportunity to ask questions about this vulnerability and receive answers directly from WhiteHat Security Threat Research Engineers.

qanda

If questions or answers already exist for this vulnerability, you will see them in the list on the Q&A tab.

Clicking on Ask a Question will bring up a dialogue box that will allow you to enter a question about this vulnerability and receive answers directly from WhiteHat Security Threat Research Engineers, as shown below:

ask a question2

Enter your question and click Submit.

If a question has already been asked or answered, it will appear in the list.