Sonatype for VS Code
Sonatype for VS Code extension allows you to surface and remediate issues in your workspace dependencies, a true Shift Left in application security for development teams.
The Sonatype for VS Code extension is available on the Visual Studio Marketplace.
Supported Languages and Ecosystems
Java (Maven and Gradle)
JavaScript (npm, pnpm, and Yarn)
Go (Go modules)
Python (Poetry, pip)
Rust (Cargo)
PHP (Composer)
C (Conan, 1.x only)
Installing Sonatype for VS Code
Sonatype for VS Code can be installed from within VS Code using the Extensions Manager or via the Microsoft Marketplace. The extension can be run in local VS Code, VS Code hosted in GitHub Codespaces, and supports Visual Studio Code Dev Containers as well as WSL2.
Configuring Sonatype for VS Code
At a minimum, the extension requires the IQ Server URL and the credentials to be set.
You can set up the URL and username by opening the extension settings in VS Code: Settings > Extensions > Sonatype for VS Code.
The password can be entered in two ways:
Open the command palette by pressing Command + Shift + P on Mac or Control + Shift + P on Windows, then enter the Sonatype: Set IQ Server Password command after the > prefix. If you want to clear the stored password, you can use the Sonatype: Clear IQ Server Password command.
You can also use the SONATYPE_IQ_PASSWORD environment variable. This method requires the "Use Environment Variable for Password" checkbox to be selected in the extension settings. You might need to restart VS Code for the change to be recognized.
In the extension settings, enter the Default Application ID before running the component analysis. This is required to use the appropriately scoped policy set for your application.
You can configure additional settings such as:
Including or excluding development dependencies from the overall analysis.
Parallelization - higher values mean the component analysis will be faster, but it requires more resources from VS Code; lower values mean the component analysis will be slower, but it will have less impact on VS Code's performance.
Starting the Analysis on VS Code Startup for the opened workspace.
Restricting the number of versions shown in the Version History view that are older than the version in use. Default is 10, but you can change it based on your preferences.
Overriding the Configuration At Project Level
You can override the properties by including a Sonatype configuration file in the project's root folder with one of the following filenames:
.sonatype-config
.sonatype-config.yml
.sonatype-config.yaml
In this file, you can choose, per project (workspace folder), which Lifecycle application is used for analysis, whether to include or exclude development dependencies, and which ecosystems are analyzed for the current project (for example, to exclude a certain ecosystem in a given folder, or to restrict analysis to specific ecosystems).
Syntax with examples is as follows:
iq-for-vscode:
  applicationId: application-id-in-lifecycle
  includeDev: false
  type: ['maven', 'npm']
Possible values for the type field above are: 'maven', 'gradle', 'npm', 'yarn', 'go', 'pip', 'poetry', 'cargo', 'composer', and 'conan'.
For Maven, the settings.xml to be used can also be overridden. The path to the settings.xml can be specified as follows:
iq-for-vscode:
  maven:
    settingsXmlPath: '/.m2/alternative-settings.xml'
For pnpm, the default list depth for transitive dependencies is set to 4. This setting can be overridden as follows:
iq-for-vscode:
  pnpm:
    listDepth: 8
Additional Properties
lookupfolders
By default, Sonatype for VS Code only scans the root folder of the workspace. With the lookupfolders property, you can set up custom folders to be analyzed as well.
Subfolders provided in the lookupfolders property must be relative to the root folder and can be input as follows:
iq-for-vscode:
  lookupFolders: ['subfolder', 'another/sub/folder']
Subfolders can have their own .sonatype-config files. A .sonatype-config file in a subfolder overrides the root folder's configuration.
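The following is an added example, not part of the Sonatype documentation or of the extension's own code. It checks a parsed .sonatype-config document against the rules above (the type field only accepts the listed ecosystem identifiers, includeDev is a boolean, every lookupFolders entry is relative to and stays inside the workspace root) and shows how a subfolder's file takes precedence over the root's. The configurations are constructed Python dicts standing in for parsed YAML, and the per-key merge in effective_config is an assumption about how "overrides" behaves, not something the documentation specifies.

```python
from pathlib import PurePosixPath

# Ecosystem identifiers accepted in the `type` field (from the documentation).
ALLOWED_TYPES = {'maven', 'gradle', 'npm', 'yarn', 'go', 'pip', 'poetry',
                 'cargo', 'composer', 'conan'}


def _is_inside_root(folder):
    """True if a lookupFolders entry is relative and cannot climb above the root."""
    path = PurePosixPath(folder)
    if path.is_absolute():
        return False
    depth = 0
    for part in path.parts:
        if part == '..':
            depth -= 1
            if depth < 0:          # would leave the workspace root
                return False
        elif part not in ('.', ''):
            depth += 1
    return True


def validate_config(config):
    """Return a list of problems found in a parsed .sonatype-config document."""
    problems = []
    section = config.get('iq-for-vscode')
    if not isinstance(section, dict):
        return ["missing top-level 'iq-for-vscode' mapping"]
    types = section.get('type', [])
    if isinstance(types, str):         # accept a single value as well as a list
        types = [types]
    for ecosystem in types:
        if ecosystem not in ALLOWED_TYPES:
            problems.append(f"unknown ecosystem in type: {ecosystem!r}")
    if 'includeDev' in section and not isinstance(section['includeDev'], bool):
        problems.append("includeDev must be true or false")
    for folder in section.get('lookupFolders', []):
        if not _is_inside_root(folder):
            problems.append(f"lookupFolders entry not relative to root: {folder!r}")
    pnpm = section.get('pnpm', {})
    if 'listDepth' in pnpm and not (isinstance(pnpm['listDepth'], int) and pnpm['listDepth'] > 0):
        problems.append("pnpm.listDepth must be a positive integer")
    return problems


def effective_config(root_config, sub_config=None):
    """Merge a subfolder's iq-for-vscode section over the root's.

    Assumption (not stated by the documentation): keys present in the
    subfolder file win, keys absent from it are inherited from the root.
    """
    merged = dict(root_config.get('iq-for-vscode', {}))
    if sub_config:
        merged.update(sub_config.get('iq-for-vscode', {}))
    return merged


# Constructed sample configurations (hypothetical application IDs and folders).
ROOT_CONFIG = {'iq-for-vscode': {
    'applicationId': 'payments-service',
    'includeDev': False,
    'type': ['maven', 'npm'],
    'lookupFolders': ['services/api', '../outside'],   # second entry escapes the root
}}
SUB_CONFIG = {'iq-for-vscode': {
    'applicationId': 'payments-frontend',
    'type': ['npm'],
}}

if __name__ == '__main__':
    for problem in validate_config(ROOT_CONFIG):
        print('root config:', problem)
    print('effective config for subfolder:', effective_config(ROOT_CONFIG, SUB_CONFIG))
```

Run it before committing a configuration file: a lookupFolders entry that resolves outside the workspace would point the analysis (and the build tools it invokes) at a directory the workspace does not own, which is worth catching in review rather than at scan time.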
Using Sonatype for VS Code
Running the Analysis
Component analysis provides detailed information on the components of the projects opened in the VS Code workspace.
If “Start Component Analysis On Load” is selected in the extension settings, analysis will run once the workspace has loaded in VS Code.
If it’s not selected, you can start the analysis by clicking the Run Component Analysis button in the Sonatype panel. This action will trigger the analysis against the default application configured in the settings.
Language and Ecosystem Identification
Java
Maven
pom.xml must exist in the project's root folder and an installation of mvn must be present.
Gradle
One of settings.gradle, build.gradle or build.gradle.kts must exist in the project's root folder and an installation of gradle must be present.
The extension relies on the following configurations to build the dependency tree:
runtimeClasspath if the "Include Development Dependencies" flag is disabled in settings, or testRuntimeClasspath if "Include Development Dependencies" is enabled.
Developers can also define custom configurations derived from the standard ones. However, the extension does not currently handle these custom configurations.
Refer to the Java plugin documentation for more details on Java dependency management with Gradle.
JavaScript
npm
package.json and package-lock.json must exist in the project's root folder and an installation of npm must be present.
pnpm
package.json and pnpm-lock.yaml must exist in the project's root folder and an installation of pnpm must be present.
Yarn
package.json and yarn.lock must exist in the project's root folder and an installation of yarn must be present.
Go
go.mod and go.sum must exist in the project's root folder and an installation of go must be present.
Python
Poetry
pyproject.toml and poetry.lock must exist in the project's root folder.
pip
requirements.txt must exist in the project's root folder and an installation of pip, pip2 or pip3 must be present.
Components must be installed in the virtual environment prior to scanning, as only the installed components will be discovered.
If a virtual environment exists in the venv, .venv, or your project's root directory, it will be automatically detected and used. Alternatively, you can override the default virtual environment location by specifying a custom path in the .sonatype-config file as follows:
pip:
  venvPath: /customVenv
Rust
Cargo
Cargo.toml and Cargo.lock must exist in the project's root folder.
PHP
Composer
composer.lock must exist in the project's root folder.
C
Conan
conan.lock must exist in the project's root folder.
Inspecting the Results
Once the analysis is complete, dependencies for each project opened in the workspace will appear in the Component Tree tab under the Sonatype panel.
You can select a component to see its details in a new tab. The Component Versions view will list all versions of this component together with their highest policy violation scores, and the recommended version for the given project.
A version of a dependency with no policy violations and no breaking changes for the same component and its dependencies will be presented as a Golden Version, which means that the migration can be done with minimal effort. Alternate versions might also be available so you can migrate to them in case there is no Golden Version available.
Component Filters
Both the Component Tree view and the Version History view can be filtered by Threat Levels using the filter icon on the menu bar of each view.
Re-Running the Analysis
After required actions are taken, you can run the analysis again by clicking on the ⟳ icon on the menu bar of Component Tree view.
Known Limitations
The extension has support for resolving transitive dependencies and including/excluding development dependencies, with the following exceptions:
A dependency tree cannot be built for Pip; all dependencies are shown in a flat list.
Dependency scope information is not supported for Pip and Go.