Security Analysis by Qodana

Compatible with IntelliJ IDEA Ultimate

This plugin leverages IntelliJ IDEA Ultimate’s built-in interprocedural data flow analysis engine to deliver robust security (taint) analysis for your code.

About Taint Analysis

Taint analysis is a method used in security testing to trace the flow of potentially harmful (“tainted”) data through a program. It identifies paths where an untrusted input (source) might reach sensitive operations (sinks) without proper validation or sanitization, helping to prevent security vulnerabilities like SQL injection, XSS, and more.

Supported Vulnerability Types

Using preconfigured settings, this plugin detects the following types of vulnerabilities:
  • Cross-Site Scripting (XSS)
  • Command Injection
  • SQL Injection
  • Path Traversal
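To make the source/sink/sanitizer model described above concrete for the four classes just listed, here is a toy straight-line taint propagator written for this page (it is not the plugin's engine, and the callee names in its catalogues are assumed placeholders, not the plugin's rules). It shows why sanitizers have to be class-specific: a value escaped for HTML output is still tainted when it reaches a SQL sink.

```python
from dataclasses import dataclass
# Constructed catalogues (placeholders): the plugin's real rule set is not on this page.
SOURCES = {"request.getParameter", "request.getHeader"}
SINKS = {
    "stmt.executeQuery": "SQL Injection",
    "Runtime.exec": "Command Injection",
    "response.getWriter().print": "Cross-Site Scripting (XSS)",
    "new File": "Path Traversal",
}
# A sanitizer neutralises one class only: HTML escaping does nothing for a SQL sink.
SANITIZERS = {"escapeHtml": "Cross-Site Scripting (XSS)", "basename": "Path Traversal"}

@dataclass(frozen=True)
class Stmt:
    target: str   # variable receiving the result, "" for a bare call
    callee: str   # method being invoked
    args: tuple   # names of variables passed in

def analyse(program):
    """Straight-line taint propagation. A taint is (source callee, frozenset of
    vulnerability classes already neutralised); returns (class, source, sink) findings."""
    state = {}    # variable name -> set of taints reaching it
    findings = []
    for s in program:
        incoming = set().union(*(state.get(a, set()) for a in s.args))
        if s.callee in SOURCES:
            state[s.target] = {(s.callee, frozenset())}
        elif s.callee in SANITIZERS:
            cls = SANITIZERS[s.callee]
            state[s.target] = {(src, done | {cls}) for src, done in incoming}
        elif s.callee in SINKS:
            cls = SINKS[s.callee]
            findings += [(cls, src, s.callee) for src, done in incoming if cls not in done]
        elif s.target:
            state[s.target] = incoming   # ordinary call (concat etc.) carries taint through
    return findings

# Constructed sample: the parameter is HTML-escaped before output, then reused in SQL.
SAMPLE = [
    Stmt("name", "request.getParameter", ()),
    Stmt("safeName", "escapeHtml", ("name",)),
    Stmt("", "response.getWriter().print", ("safeName",)),  # XSS neutralised, no report
    Stmt("query", "String.concat", ("sqlPrefix", "safeName")),
    Stmt("", "stmt.executeQuery", ("query",)),              # SQL Injection reported
]

if __name__ == "__main__":
    for vuln, source, sink in analyse(SAMPLE):
        print(f"{vuln}: {source} -> {sink}")
```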

Supported Languages

Currently supports Java and Kotlin.

Upcoming Features

Soon, users will have the flexibility to define custom configurations, including custom sinks, sources, sanitizers, and more.

What’s New

Unfortunately, JetBrains s.r.o. didn’t leave any update notes.
Feb 06, 2025
Version 251.20015.29

Rating & Reviews

2.6
2 Ratings (72,811 Downloads)

Jonathan Hedley

14.01.2025

Jetbrains: you asked me to update my review, claiming it was incorrect. There is no edit button, so I am adding a new review.

Originally, I rated and noted the unresolvable dependency error. You said to enable the Java Persistence plugin, and that makes the error go away. Great! (But I still rate it low, because that's not documented or automatically enabled.)

Then, I found that the plugin doesn't do anything without paying $180 USD a year. You said that's not true. But I can't find any way to get it to work. The Tools -> Security Analysis menu option is disabled. If I open the Problems -> Security Analysis pane (provided by this plugin), I get a screen that says "Dataflow-powered security analysis for Java and Kotlin". The "Run Taint Analysis" and "Show Analysis Demo" buttons, the only buttons, are disabled.

If I follow the "Learn more" link to https://www.jetbrains.com/help/qodana/2024.3/taint-analysis.html, the page says "Taint analysis is supported by the Qodana for PHP and Qodana for JVM linters under the Ultimate Plus license", which links to "https://www.jetbrains.com/help/qodana/2024.3/pricing.html", and Ultimate Plus (the level your page says is required, described at "https://www.jetbrains.com/qodana/buy/?billing=yearly") is $180 USD.

So I don't see why you say I'm incorrect. That's what your docs say.

To complete the review: the plugin doesn't work without a subscription, per Jetbrains. It should be marked as a paid plugin. At least that way I would have known what to expect, vs wasting time on it. There are other code scanning solutions with the same level of claimed functionality available at a fraction of this price.

Jonathan Hedley

10.01.2025

Needs to be marked as a Paid plugin - if you can get the plugin to run, you'll find you need to buy a $180 USD subscription to use it. https://www.jetbrains.com/qodana/buy/?billing=yearly

Requires "Ultimate Plus". Because of course there's something more ultimate than Ultimate...

+1

You've sent us a marketing email about it and it doesn't work at all. What a circus!

Additional Information

Vendor:
Plugin ID: com.intellij.jvm.dfa.analysis