Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents



This page describes the Kiuwan IDE Plug-In. 


Children Display



Kiuwan IDE Plug-In

Kiuwan allows for a true shift-left approach by integrating with all the main IDEs.

Kiuwan for Developers is a plug-in for


development IDEs that facilitates and automates compliance with security normatives, quality standards and best practices for several languages.

It provides the following benefits:


  • Security Vulnerabilities Detection - The plug-in allows developers to detect and fix security vulnerabilities, such as Injection (SQL, XML, OS, etc), XSS, CSRF, etc., directly within their development IDEs.
  • Adoption of Security and Coding Standards - The plug-in helps to ensure compliance to standards (CWE, OWASP, CERT-Java/C/C++, SANS-Top25, WASC, PCI-DSS, NIST, MISRA, BIZEC, ISO/IEC 25000 and ISO/IEC 9126) by automating the work. This plug-in connects with Kiuwan and harnesses the power of its quality models to prevent errors and automatically


  • standardize the code.


  • Automatic Error Prevention - The plug-in implements and monitors compliance to coding standards at the time the code is entered. Thus you can avoid errors and reduce the time and cost of debugging and testing activities.

The Kiuwan IDE Plug-in monitors and reports on the security, quality, and efficiency of your code at the point that it is written. This immediate feedback provides you with the opportunity to improve your code before it is delivered.

Supported IDEs and Requeriments



titleSupported IDEs

Kiuwan for Developers (K4D) has been succesfully tested in following IDEs and minimum versions:


RAD (Rational Application Developer for WebSphere) : 9.5

K4D is also available for Microsoft Visual Studio (please visit Kiuwan for Developers for Microsoft Visual Studio)

For others IDEs and versions, please contact Kiuwan Technical Support

titleJava 8 required

Kiuwan for Developers (K4D) requires Java 8 or above —either JDK or JRE— is required.

You may download it from

Please visit Setting Java 8 and JAVA_HOME for further info


titleNote for Linux/Uxis users

If your are running Eclipse under Linux/Unix you can experience problems after install K4D

That's due to some well-known problems with GTK3 use by Eclipse distributions. Please visit next links for furhter info.


To solve this issue, please modifiy eclipse.ini :

Add to your eclipse.ini:


before the line:  





To install Kiuwan for Developers just follow the steps below:

  1. Open Eclipse and, in the main menu, click on Help >> Install New Software...
  2. Select the Add... option and type the following values:
    1. Name: Kiuwan
    2. Location:
  3. Pressing Ok will save this new update site and Eclipse will query our server to retrieve available features and plugins
  4. The Kiuwan for Developers feature will appear in the list below, check it and click on Next >
  5. Read and accept our Terms of Use
  6. Accept the certificate used to sign our product
  7. When the installation finishes and Eclipse asks to restart the IDE, please do so


Image Removed


Image Removed


If installation successfully completes, Kiuwan for Developers will be up and running upon restart!


Kiuwan for Developers checks automatically for updates on Eclipse startup and on a daily basis after that.

If you need to check it manually, you can do so through the standard Eclipse mechanisms, or by simply going to Window >> Preferences >> Kiuwan and pressing the Check for updates button.


Image Removed



Connection Settings


titleK4D Configuration

After installation, you need to configure K4D to connect to Kiuwan servers.

K4D connection settings is configured at Window >> Preferences >> Kiuwan >> Connection Settings

Image Removed

Fill in you User and Password of your Kiuwan Account and click Check Credentials to validate access.

In case you are using a proxy, please configure Proxy Settings.


Analysis Filters

You can configure file inclusion and exclusion patterns for the analysis. Please visit Source Code Filters for further help on this.
By default, it's only configured Exclude patterns (containing a list of file patterns commonly containing not relevant source to be analyzed).
Also, you can modify the default extensions associated to available language engines.

Image Removed


This configuration is general to K4D installation, but you can configure analysis filters per-application. 

To do it,  go to Project >> Properties >> Kiuwan >> Analysis Filters and click on Enable project specific settings


Image Removed

Mapping your Eclipse project to Kiuwan Application

After K4D is installed and connection is configured, you are ready to map your Eclipse project to a Kiuwan application.

To map your Eclipse project to Kiuwan, you can do it in several ways:

  1. Project >> Properties
  2. Right-click on your project and select Configure >> Convert to Kiuwan Project...
  3. Right-click on your project and select Properties.

Next dialog will be open.


Image Removed


To map your Eclipse project to a Kiuwan Application allows to execute K4D analysis synced to the Kiuwan Model defined at application level.

This means that K4D analysis will be executed with the same Model (rules, configuration, etc.) defined for for the Kiuwan application.

Please visit Models Manager User Guide for further help on Kiuwan Models.


Also, mapping your project to a Kiuwan Application allows to download defect list found by Kiuwan servers to you Eclipse, so you can work locally on fixing those defects.


K4D execution modes


titleExecution modes

K4D can be configure to run in different execution modes:

  • Manual
    • You manually invoke the Kiuwan analysys
  • Automatic
    • Kiuwan analysis is executed automatically upon changes in the code.


By configuring K4D, you can decide when Kiuwan will be executed and what files will be analyzed.

Manual analysis


If your Eclipse project is NOT configured to "Build Automatically", Kiuwan will only run on-demand.



In this case, to manully execute the analysis, left-click on the selected item (file, folder, project) and select "Run Kiuwan Analysis".

Kiuwan will then execute the analysis on the selected item(s).


Image Removed


Automatic analysis


If your Eclipse project is configured to "Build Automatically", Kiuwan will run automatically and you can configure when the analysis will run and on what files.

K4D execution mode is configured at Window >> Preferences >> Kiuwan >> Analysis Options

titleBuild options - Automatic analysis

If your Eclipse project is configured to "Build Automatically and "Automatic quality analysis" is checked,  

Kiuwan will analyze a file after you save the file. Only the selected file will be analyzed.


Image Removed


titleBuild options - Do full builds

If your Eclipse project is configured to "Build Automatically and "Do full builds" is checked, 

Kiuwan will analyze the complete project when you Clean the project.

Please note that this option is only available if "Automatic quality analysis" is checked.


Image Removed


K4D Defects List


To view the analysis' defects list, go to Window >> Show View >> Other >>  Kiuwan


Image Removed


Local defects list


titleLocal defects list

Local defects list displays defects found during local analysis executed within your Eclipse.


Image Removed



Double-clicking on a defect will open associated file in Eclipse editor and place cursor on affected line.

Right-clicking and selecting a defect will allow you to inspect Rule Information for a better understanding of the defect.

This option will open an internal browser to display Rule Information.

In case you are presented with Kiuwan Login page, please use the same credentials than used in K4D Connection Settings.


Image Removed

Vulnerabilities details (Source and Sink) 


titleSource and Sink

Security defects (i.e. vulnerabilites) are prefixed by a > icon. 

Clicking on > icon will open details on associated Source and Sink of the defect.
Just double-click on any of them to open source file and line.


Image Removed


Local Analysis Configuration

K4D will execute the analysis with the rules contained into the model associated to the mapped Kiuwan application.

But K4D also allows you to reduce the scope of the analysis to a subset of that model.

When you execute the local analysis on your Eclipse project, the number of defects can be quite large. If you are not going to work on all of them, you should consider to reduce the analysis to to let you concentrate on the most important subset of defects. K4D allows you to configure the local analysis to only report defects based on PriorityCharacteristic, Language or even a subet of file (based on file path substring)

This would allow you to concentrate on a specific set of rules or files, reducing the number of defects that appear in the list. Only those defects matching the filters will be displayed.

titleMax number of defects

An important point is to set a limit for the number of defects displayed in the list

By default, it's set to 100. You can increase such limit, but performance of your Eclipse can be seriously damaged. Take care not to set that limit to a high number.


Note: All the options unchecked are equivalent to all checked.

Image Removed


Configuring Defects View

Regardless of you have configured the subset of defects of K4D analysis (see above), you can further reduce the defects view by defining additional filtering conditions.

Most important filter is Scope:

  • File option will only display defects of the selected file in the Eclipse source file editor
  • Project option will display the defects of the entire project

Additionally, you can define filters based on Priority, Characteristic and Language.

You can define view filters by clicking on  Image Removed icon of Local Defects list. 

Note: All the options unchecked are equivalent to all checked.

Image Removed

Server defects list


Server defects list displays defects of the application stored at the Kiuwan servers.

This utility allows developers to download defects found during Kiuwan analysis of the application in a centralized environnment.

For example, let's consider that at some predefined point in application life cycle (for example, previoulsy to commit a new release to a pre-production environment), the application is analyzed in a centralized environment.
This analysis finds some defects that must be fixed before deploying to next phase. So, you, as a developer,will be notified that you must fix some blocking defects. 
When you start working on it, you need to have full and easy access to those "server" defects. 
Why do you need to have access to server defects ? Because it's very likely that you Local defect list be different to Server defect list:
  • Your current source code could be different to the source code of the server (you or other might already have modified that version)
  • The list of defects to be fixed will be more probably a subset of all defects found during the server analysis (more on this topic below)

In these cases, you will need to have access to server defects.


Image Removed

Source of Server defects list


Depending on your needs, the source of server defects could be different :
  • Last baseline analysis
    • All the defects found during last complete application analysis (i.e. the Application Baseline)
  • Action plan
    • Defects included within an Action Plan (you can select the plan from the app's list of available action plans)
  • Audit Delivery
    • Defects that must be fixed so the Audit of a delivery can be successfull (you can select the delivery among the list of executed deliveries)

Please, visit Kiuwan Life Cycle documentation for a full explanation of Baseline, Delivery and Audit concepts).

You can access Source of Server defects by clicking on Image Removed icon of Server Defects list. 

Note: All the options unchecked are equivalent to all checked.

Image Removed


Besides to configure the source of server defects, you can further filter server defects to be downloaded based on Priority, Characteristic, Language or File Pattern

titleMax number of defects

An important point is to set a limit for the number of defects displayed in the list

By default, it's set to 100. You can increase such limit, but performance of your Eclipse can be seriously damaged. Take care not to set that limit to a high number.


Configuring Filters

Besides to configure source and filters, you can further reduce the server defect list by defining additional filtering conditions.

You can define view filters by clicking on  Image Removed icon of Server Defects list.

Note: All the options unchecked are equivalent to all checked.

Image Removed


An important filter is Scope:

  • File option will only display defects of the selected file in the Eclipse source file editor
  • Project option will display the defects of the entire project

Additionally, you can define filters based on PriorityCharacteristic and Language.

Because your source code could be different to the  source code of the analysys server, it might happens that some server defects could not match your current source code.

In these cases, you can filter by Orphan defects to display only those defects matching your currrent source code (defects with associated local resource) or those that doesn't (defects without associated local resource), or all of them.

A server defect could have been muted (for exmple, because it's a false positive or because it's a so special condition that must not be fixed). In these cases, you can use the Muted filter.

Any server defect may have an associated Life Cycle Status (To Review, Reviewed, or None) . When server defects are downloaded, you can filter defects based on their status. 

If you work on a to-review server defect, right-clicking on the defect you can "Mark as reviewed locally" that defect (see image below), and filter the defect list using Reviewed locally filter.

Image Removed

Then, that defect will be marked as "Reviewed locally"

Image Removed

Support and Troubleshooting 

If you experience problems with the Kiuwan plugin for Eclipse, you can read Kiuwan Documentation to find a solution, or if you prefer you can collect troubleshooting information and send it to us.


titleSupport Information

Important information for troubleshooting is scatered across several log and configuration files.

To make this process easier to you, just go to Window >> Preferences >> Kiuwan >> Support and press the Extract support data button.

Choose the folder where you want to save this information, and submit to our technical support team the compressed file generated there. 

Visit  Contact Kiuwan Technical Support on how to contact us. We will address your problem as soon as possible.




Working modes 

The Kiuwan IDE Plug-In can work in two different modes:

  • Analyzer mode

It allows you to analyze your application source code directly within (and fully integrated into) your IDE. You can analyze the whole project (or just some specific files), then review the detected vulnerabilities and defects, fix them and re-analyze, without exiting your IDE.

  • Remote Viewer mode

The plug-in also lets you "download" the vulnerabilities and defects stored in Kiuwan (in the last Baseline, or in a specific Delivery, or even the issues to be fixed according to a defined Action Plan). This way, you can go directly to the issues you must fix, just double-click on the defects and go directly to the offending line of code.

By using both modes, you can get a comprehensive understanding of:

  • the server view of the application, and 
  • your local view of the defects according to the changes you are making to the source code



Analyzer and Remote Viewer modes are separately licensed.

Please check your Kiuwan License to see available modes.


Supported IDEs 

The Kiuwan IDE Plug-In is available for following IDEs:

For others IDEs and versions, please contact Kiuwan Technical Support