This plugin leverages IntelliJ IDEA Ultimate’s built-in interprocedural data flow analysis engine to deliver robust security (taint) analysis for your code.
About Taint Analysis
Taint analysis is a method used in security testing to trace the flow of potentially harmful (“tainted”) data through a program. It identifies paths where an untrusted input (source) might reach sensitive operations (sinks) without proper validation or sanitization, helping to prevent security vulnerabilities like SQL injection, XSS, and more.
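As an added illustration of the source-to-sink reasoning described above (example code written for this page, not part of the plugin or its rule set), the toy analyzer below tracks taint through a tiny three-address program. It is intraprocedural only, and the source, sink and sanitizer method names are constructed for the example.

```python
"""Toy taint analysis over a tiny three-address program (added example)."""

# Rule set in the spirit of the plugin's sources/sinks/sanitizers; these
# method names are constructed for the example, not the plugin's real rules.
SOURCES = {"request.getParameter", "request.getHeader"}
SANITIZERS = {"escapeHtml", "quoteSqlLiteral"}
SINKS = {"stmt.executeQuery": "SQL Injection", "out.println": "Cross-Site Scripting"}

def analyze(program):
    """program: list of ("assign", dst, src) or ("call", dst, fn, [args]).
    Returns (vulnerability, sink, argument, sources) for each tainted sink argument."""
    taint = {}       # variable -> set of source calls whose data can reach it
    findings = []
    for stmt in program:
        if stmt[0] == "assign":           # plain copy: taint follows the value
            _, dst, src = stmt
            taint[dst] = set(taint.get(src, set()))
            continue
        _, dst, fn, args = stmt
        if fn in SINKS:                   # report any argument still tainted
            for a in args:
                if taint.get(a):
                    findings.append((SINKS[fn], fn, a, frozenset(taint[a])))
        if fn in SOURCES:                 # untrusted input enters here
            taint[dst] = {fn}
        elif fn in SANITIZERS:            # output of a sanitizer is treated as clean
            taint[dst] = set()
        else:                             # ordinary call: result is as tainted as its inputs
            taint[dst] = set().union(*(taint.get(a, set()) for a in args))
    return findings

# Constructed sample programs: a user-supplied name concatenated into a query.
VULNERABLE = [
    ("call", "name", "request.getParameter", ["req", "lit_name"]),
    ("call", "q", "concat", ["lit_select", "name"]),
    ("call", "rs", "stmt.executeQuery", ["q"]),
]
SANITIZED = [
    ("call", "name", "request.getParameter", ["req", "lit_name"]),
    ("call", "safe", "quoteSqlLiteral", ["name"]),
    ("assign", "q", "safe"),
    ("call", "rs", "stmt.executeQuery", ["q"]),
]
```

Note that this toy treats every sanitizer as clearing taint for every sink; a real engine ties sanitizers to the sink kind they neutralize (an HTML escaper does nothing for an SQL sink), which is why per-sink sanitizer configuration matters.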
Supported Vulnerability Types
Using preconfigured settings, this plugin detects the following types of vulnerabilities:
Cross-Site Scripting (XSS)
Command Injection
SQL Injection
Path Traversal
Supported Languages
Currently supports Java and Kotlin.
Upcoming Features
Soon, users will have the flexibility to define custom configurations, including custom sinks, sources, sanitizers, and more.
Jonathan Hedley
14.01.2025
JetBrains: you asked me to update my review, claiming it was incorrect. There is no edit button, so I am adding a new review.
Originally, I rated and noted the unresolvable dependency error. You said to enable the Java Persistence plugin, and that makes the error go away. Great! (But I still rate it low, because that's not documented or automatically enabled.)
Then, I found that the plugin doesn't do anything without paying $180 USD a year. You said that's not true. But I can't find any way to get it to work. The Tools -> Security Analysis menu option is disabled. If I open the Problems -> Security Analysis pane (provided by this plugin), I get a screen that says "Dataflow-powered security analysis for Java and Kotlin". The "Run Taint Analysis" and "Show Analysis Demo", the only buttons, are disabled.
If I follow the "Learn more" link to https://www.jetbrains.com/help/qodana/2024.3/taint-analysis.html, the page says "Taint analysis is supported by the Qodana for PHP and Qodana for JVM linters under the Ultimate Plus license", which links to "https://www.jetbrains.com/help/qodana/2024.3/pricing.html", and Ultimate Plus (the level your page says is required, described at "https://www.jetbrains.com/qodana/buy/?billing=yearly") is $180 USD.
So I don't see why you say I'm incorrect. That's what your docs say.
To complete the review: the plugin doesn't work without a subscription, per JetBrains. It should be marked as a paid plugin. At least that way I would have known what to expect, vs. wasting time on it. There are other code scanning solutions with the same level of claimed functionality available at a fraction of this price.