Versions Compared

Old Version 6

changes.mady.by.user Kiuwan Editor User

Saved on

compared with

New Version Current

changes.mady.by.user Wara Hermosa Fernández

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This section shows you how to integrate the Kiuwan IDE Plug-In into Eclipse-based IDEs. 

Info

The Kiuwan Plug-In for Eclipse IDEs is available in both Analyzer and Viewer mode.


Contents:

Table of Contents

Introduction

Excerpt Include
Kiuwan for Developers
Kiuwan for Developers
nopaneltrue

Supported Eclipse-based IDEs

The Kiuwan IDE Plug-In has been successfully tested in following IDEs and minimum versions:

  • Eclipse: Luna (4.4) 

  • RAD (Rational Application Developer for WebSphere): 9.5

  • IBM Rational Developer for i Systems: 9.5, 9.6

  • IBM Rational Developer for z Systems: 9.5.1

For others IDEs and versions, please contact Kiuwan Technical Support.

Note
titleNote for Eclipse 2019-12 users (or following versions)

Due to changes in the Eclipse core, a special installation procedure is needed from Eclipse 2019-12.

Please follow these steps if your Eclipse version is equal or greater than 2019-12:

  1. Open the "Window" > "Preferences" dialog.
  2. Select "Install/Update" > "Available Software Sites" option.
  3. Click on the "Add..." button. A new dialog will be shown with two text fields.
  4. Set the "Name" field to "Eclipse Oxygen.2"
  5. Set the "Location" field to "http://download.oracle.com/otn_software/oepe/library/eclipse-oxygen.2"
  6. Click the "Add" button. This will add the defined software site to your list.
  7. Check the "Eclipse Oxygen.2" software site in the list if it is not already checked.
  8. Follow the standard installation instructions.

Requirements

The Kiuwan IDE Plug-In requires Java 8 or above (either JDK or JRE)

Table of Contents

Introduction

Kiuwan allows for a true shiflteft approach by integrating with all the main IDEs.

Kiuwan for Developers (K4D) is a plug-in for development IDEs that facilitates and automates compliance with security normatives, quality standards and best practices for several languages.

It provides the following benefits:

  • Security Vulnerabilities Detection - Kiuwan for Developers allows the developers to detect and fix security vulnerabilities such as Injection (SQL, XML, OS, etc), XSS, CSRF, etc. directly integrated within their development IDEs).
  • Adoption of Security and Coding Standards – Ensuring the compliance of standards (CWE, OWASP, CERT-Java/C/C++, SANS-Top25, WASC, PCI-DSS, NIST, MISRA, BIZEC, ISO/IEC 25000 and ISO/IEC 9126) by a development department can be a long and tedious task without the support of some sort of tool that will facilitate and automate this work. This plugin connects with Kiuwan and harness the power of its security models and audits to enforce security standards and policies.
  • Full vulnerabilities documentation – Developers have access, right on their IDEs, to the full Kiuwan vulnerabilities documentation of any of the displayed vulnerabilities listed for the specific projects. This includes code samples on how to fix them in the same language of the project.
  • Automatic Error Prevention – Coding standards are specific rules for a programming language. By implementing and monitoring compliance with these standards at the time the code is entered you can avoid errors and reduce the time and cost of debugging and testing activities.

Kiuwan for Developers monitors and reports on the security, quality and efficiency of your code at the point that it is written. This immediate feedback provides you with the opportunity to improve your code before it is delivered.

Supported IDEs and Requeriments

 

Info
titleSupported IDEs

Kiuwan for Developers (K4D) has been succesfully tested in following IDEs and minimum versions:

  • Eclipse : Luna (4.4) 

  • RAD (Rational Application Developer for WebSphere) : 9.5

  • IBM Rational Developer for i Systems : 9.5, 9.6

  • IBM Rational Developer for z Systems : 9.5.1

K4D is also available for Microsoft Visual Studio (please visit Kiuwan for Developers for Microsoft Visual Studio)

For others IDEs and versions, please contact Kiuwan Technical Support

...

titleJava 8 required

...

.

You may download it from http://www.oracle.com/technetwork/java/javase/downloads/index.html.

Please visit

...

Installation and Network Configuration for further information.

Info
titleNote for Linux/

...

Unix users

If

...

you are running Eclipse under Linux/Unix you can experience problems after

...

installing the plug-in

That's due to some well-known problems with GTK3 use by Eclipse distributions. Please visit

...

the following links for

...

further information.

To solve this issue, please

...

modify eclipse.ini :

Add to your eclipse.ini:

--launcher.GTK_version 

before the line:  

-

...

 

Installation

 

To install Kiuwan for Developers just follow the steps below:

  1. Open Eclipse and, in the main menu, click on Help >> Install New Software...
  2. Select the Add... option and type the following values:
    1. Name: Kiuwan
    2. Location: https://www.kiuwan.com/pub/updatesite
  3. Pressing Ok will save this new update site and Eclipse will query our server to retrieve available features and plugins
  4. The Kiuwan for Developers feature will appear in the list below, check it and click on Next >
  5. Read and accept our Terms of Use
  6. Accept the certificate used to sign our product
  7. When the installation finishes and Eclipse asks to restart the IDE, please do so

 

Image Removed

 

Image Removed

 

If installation successfully completes, Kiuwan for Developers will be up and running upon restart!

Updates

Kiuwan for Developers checks automatically for updates on Eclipse startup and on a daily basis after that.

If you need to check it manually, you can do so through the standard Eclipse mechanisms, or by simply going to Window >> Preferences >> Kiuwan and pressing the Check for updates button.

 

Image Removed

Configuration

 

Connection Settings

 

Info
titleK4D Configuration

After installation, you need to configure K4D to connect to Kiuwan servers.

K4D connection settings is configured at Window >> Preferences >> Kiuwan >> Connection Settings

Image Removed

Fill in you User and Password of your Kiuwan Account and click Check Credentials to validate access.

In case you are using a proxy, please configure Proxy Settings.

-launcher.appendVmargs 

Installation

To install Kiuwan for Developers just follow the steps below:

StepsImage
  1. Open Eclipse and in the main menu click Help > Install New Software...
  2. Select Add... and type the following values:
    1. Name: Kiuwan
    2. Location: https://static.kiuwan.com/download/updatesite
  3. To save this new update site, press Ok. Eclipse will query our server to retrieve available features and plugins
Image Added
  1. The Kiuwan for Developers feature will appear in the list below, check it and click on Next >
  2. Read and accept our Terms of Use
  3. Accept the certificate used to sign our product
  4. When the installation finishes and Eclipse asks to restart the IDE, please do so

Image Added

If the installation was successfully completed, Kiuwan for Developers will be up and running upon restart!

Updates

The Kiuwan IDE Plug-In checks automatically for updates on Eclipse startup and on a daily basis after that.

If you need to check it manually, you have two options:

  • Through the standard Eclipse mechanisms, or
  • Go to Windows > Preferences > Kiuwan and press the Check for updates button in Plug-in updates section.

Image Added

Although the central configuration is also automatically synchronized at IDE startup, it is possible to force its update using the Force update button in the Central configuration updates section.

Configuration

Connection Settings

After installation, you need to configure the Kiuwan Plug-In to connect to the Kiuwan servers.

StepsImage

Find the connection settings under Windows > Preferences > Kiuwan > Connection Settings.  

Fill in the User and Password with those of your Kiuwan Account and click Apply and Check Credentials to validate access.

In case you are using a proxy, please configure Proxy Settings.

Info

Do not change the default server URL (https://www.kiuwan.com/saas )

  • This URL is the address where Kiuwan SaaS is located.
  • This default URL should only be changed if you are using Kiuwan On-Premises Monolithic Version (KOP). In that case, you must configure the URL of your KOP instance.


Image Added

...


Analysis Filters

You can configure file inclusion and exclusion patterns for the analysis. Please visit Source Code Filters for further help on this.

By default,

...

only

...

Exclude patterns are configured (containing a list of file patterns commonly containing not relevant

...

sources to be analyzed).
Also, you can modify the default extensions associated

...

with available language engines.

Image Modified

...


Visualization Options

Under Visualization Options you can configure:

  • Automatic remote defects synchronization

    • If checked,

...

    • the plug-in will automatically update the remote defects list when you select a project in Eclipse (mapped to a Kiuwan application) and that defects list is empty.

  • Mark defects as 'potential match" ...
    • In case the Kiuwan server reports a defect

...

    • which source code text does not match the source within your Eclipse project, that defect is a "potential match"

...

    • If checked,

...

    • the plug-in will mark those defects as "potential match"

...

Image Modified

 

 

 


This configuration is general to

...

the plug-in installation, but you can configure analysis filters per-application. 

...

Go to Project

...

> Properties

...

> Kiuwan

...

> Analysis Filters and

...

check Enable project specific settings.

 

Image Modified

...

Map your Eclipse project to Kiuwan Application

After

...

the Kiuwan IDE Plug-In is installed and the connection is configured, you are ready to map your Eclipse project to a Kiuwan application.

To map your Eclipse project to Kiuwan

...

:

  1. Go to Project

...

  1. > Properties
  2. Right-click on your project and select Configure

...

  1. > Convert to Kiuwan Project...
  2. Right-click on your project and select Properties.

...

The following dialog will

...

open.

 

...

Image Modified

 


Mapping your Eclipse project to a Kiuwan Application allows

...

executing a plug-in analysis synced to the Kiuwan Model defined at the application level.

This means that

...

the plug-in analysis will be executed with the same Model (rules, configuration, etc.) defined for

...

the Kiuwan application.

Please visit Models Manager User Guide for further help on Kiuwan Models.

...

Also, mapping your project to a Kiuwan Application allows

...

you to download the defect list found by Kiuwan servers to

...

Eclipse, so you can work locally on fixing those defects.

...

 

Kiuwan Plug-In

...

execution modes

 

...

titleExecution modes

...

The Kiuwan Plug-In can be configured to run in different execution modes:

  • Manual
    • You manually invoke the Kiuwan

...

    • analysis
  • Automatic
    • Kiuwan analysis is executed automatically upon changes in the code.

...

By configuring

...

the plug-in, you can decide when Kiuwan will be executed and

...

which files will be analyzed.

 

Info
titleAnalysis permissions

To be able to analyze in Eclipse, your Kiuwan user must have been configured with, at least, read permission on the Kiuwan application

...

Manual analysis

...

If your Eclipse project is NOT configured to "Build Automatically", Kiuwan will only run on-demand.

Image Modified

...

In this case, to

...

manually execute the analysis,

...

 left-click on the selected

...

item (file, folder, project) and select

...

Run Kiuwan Analysis

...

.

...

Kiuwan will then execute the analysis on the selected item(s).

...

Image Modified

 

Automatic analysis

...

If your Eclipse project is configured to

...

Build Automatically

...

, Kiuwan will run automatically and you can configure when the analysis will run and on what files.

...

The Kiuwan IDE Plug-In execution mode is configured at Window

...

> Preferences

...

> Kiuwan

...

> Analysis Options


Info

...

If your Eclipse project is configured to "Build Automatically and "Automatic quality analysis" is checked

...

:

Kiuwan will analyze a file after you save the file. Only the selected file will be analyzed.

 


Image Modified

 


Info
titleBuild options - Do full builds

If your Eclipse project is configured to

...

Build Automatically and

...

Do full builds

...

is checked

...

: 

Kiuwan will analyze the complete project when you Clean the project.

Please note that this option is only available if

...

Automatic quality analysis

...

is checked.

...


Image Modified

 

...


Kiuwan IDE Plug-In Defects List

...

To view the analysis' defects list, go to Window

...

> Show View

...

> Other

...

Kiuwan

...


Image Modified

...


Local defects list

 

The local defects list

...

displays defects found during local analysis executed within your Eclipse.

...

Image Modified

...

 

...

Double-

...

click on a defect

...

to open the associated file in the Eclipse editor

...

. The cursor will be placed on the affected line. 

Right-

...

click on a defect

...

to

...

This option will open an internal browser to display Rule Information.

In case you are presented with Kiuwan Login page, please use the same credentials than used in K4D Connection Settings.

inspect the Rule information of a defect to better understand it. (A browser will open to display the Rule Information page. You may be asked for your Kiuwan credentials.)


Image Added

Vulnerabilities details (Source and Sink) 

 

Image Removed

Vulnerabilities details (Source and Sink) 

 

...

Security defects (i.e.

...

vulnerabilities) are prefixed by a > icon. 

Clicking

...

the > icon will open details on associated Source and Sink of the defect.

Just double-click on any of them to open source file and line.

 

Image Modified

 


Local Analysis Configuration

...

The Kiuwan IDE Plug-In will execute the analysis with the rules contained into the model associated to the mapped Kiuwan application.

But

...

it also allows you to reduce the scope of the analysis to a subset of that model.

When you execute the local analysis on your Eclipse project, the number of defects can be quite large. If you are not going to work on all of them, you should consider

...

reducing the analysis to

...

let you concentrate on the most important subset of defects.

...

The Kiuwan IDE Plug-In allows you to configure the local analysis to only report defects based

...

on Priority,

...

 Characteristic,

...

 Language or even a

...

subset of a file (based

...

on file path substring)

This would allow you to concentrate on a specific set of rules or files, reducing the number of defects that appear in the list. Only those defects matching the filters will be displayed.

Info
titleMax number of defects

An important point is to set a limit for the number of defects displayed in the list

...

It's set to 100 by default. You can increase such limit, but performance of your Eclipse can be seriously damaged. Take care not to set that limit to a high number.


You can access the Local Analysis Configuration by clicking

...

on the Image Modified icon of the Local Defects list. 

Note: All the options unchecked are equivalent to all checked.

Image Modified

 


Configuring Defects View

Regardless of you have configured the subset of defects of K4D analysis (see above), you can further reduce the defects view by defining additional filtering conditions.

...

The most important filter is Scope:

  • File option will only display defects of the selected file in the Eclipse source file editor
  • Project option will display the defects of the entire project

Additionally, you can define filters based on Priority, Characteristic and Language.

...

Click the Image Modified icon of Local Defects

...

listDefine to view filters.

...

Note: All

...

the unchecked options are equivalent to all the checked ones.

Image Modified

Server defects list

Info

...

The server defects list displays defects of the application stored

...

in the Kiuwan servers.

This utility allows developers to download defects found during the Kiuwan analysis of the application in a centralized

...

environment.


For example, let's consider that at some predefined point in the application life cycle (for example,

...

previously to commit a new release to a pre-production environment), the application is analyzed in a centralized environment.
This analysis finds some defects that must be fixed before deploying to next phase. So, you, as a developer, will be notified that you must fix some blocking defects. 
When you start working on it, you need to have full and easy access to those "server" defects. 
Why do you need to have access to server defects? Because it's very likely that

...

your Local defect list

...

is different

...

from the Server defect list:
  • Your current source code could be different

...

  • from the source code of the server (you or

...

  • others might have already

...

  • modified that version)
  • The list of defects to be fixed will be

...

  • most probably a subset of all defects found during the server analysis (more on this topic below)

In these cases, you will need to have access to server defects.

 

Image Modified

Source of Server defects list

...

Depending on your needs, the source of server defects could be different:
  • Last baseline analysis
    • All the defects found during last complete application analysis (i.e. the Application Baseline)
  • Action plan
    • Defects included within an Action

...

    • Plan (you can select the plan from the app's list of available action plans)
  • Audit Delivery
    • Defects that must be fixed so the Audit of

...

    • the delivery can be

...

    • successful (you can select the delivery among the list of executed deliveries)

Please, visit Kiuwan Life Cycle documentation for a full explanation of Baseline, Delivery and Audit concepts).

...

Click the Image Modified icon of the Server Defects list to access the Source of Server Defects

Note: All

...

the unchecked options are equivalent to all the checked ones.

Image Modified

...

 

...

Filter server defects to

...

download based

...

on Priority,

...

Characteristc, Language or File Pattern, and to configure the source of server defects. 

Info
titleMax number of defects

An important point is to set a limit for the number of defects displayed in the list

By default, it's set to 100. You can increase such limit, but the performance of

...

Eclipse can be seriously damaged.

...

Do not to set that limit to a high number.

 


Configuring Filters

Besides to configure source and filters, you can further reduce the server defect list by defining additional filtering conditions.

...

Click the Image Modified icon of the Server Defects list to define view filters.

Note: All

...

the unchecked options are equivalent to all the checked ones.

Image Modified

Filter

...

Description

...

Scope

...

File

...

= Only display defects of the selected file in the Eclipse source file editor

Project

...

Additionally, you can define filters based on PriorityCharacteristic and Language.

Because your source code could be different to the  source code of the analysys server, it might happens that some server defects could not match your current source code.

...

= Display the defects of the entire project

Orphan defectsDisplay only those defects matching your

...

current source code (defects with the associated local resource) or those that

...

don't (defects without associated local resource), or all of them.
Muted

...

Display a server defect could have been muted (for

...

example, because it's a false positive or because it's a so special condition that must not be fixed)

...

.

...

Life Cycle

...

Status

To Review, Reviewed, or None

...

When server defects are downloaded, you can filter defects based on their status. 

Reviewed Locally

If you work on a to-review server defect, right-clicking on the defect you can "Mark as reviewed locally" that defect (see image below)

...

.

Image Modified

Then, that defect will be marked as

...

Reviewed locally

...

Image Modified

Additionally, you can define filters based on PriorityCharacteristic and Language.

Support and Troubleshooting 

If you experience problems with the Kiuwan plugin for Eclipse, you can read Kiuwan 

...

Troubleshooting to find a solution, or if you prefer you can collect troubleshooting information and send it to us.

 

Info
titleSupport Information

Important information for troubleshooting is

...

scattered across several log and configuration files.

To make this process easier to you, just go to Window

...

> Preferences

...

> Kiuwan

...

> Support and press the Extract support data button.

Choose the folder where you want to save this information, and submit to our technical support team the compressed file generated there. 

...

Visit Contact Kiuwan Technical Support on how to contact us. We will address your problem as soon as possible.

...

 

 

...