IQ for IDEA
IntelliJ IDEA is a full featured IDE used for Java development. IQ for IDEA provides component analysis for both the Community and Ultimate edition of IntelliJ IDEA.
Installing IQ for IDEA
Plugin Download Link - Note the plugin is not available on the IDEA Marketplace
IQ for IDEA supports installation via a zip file from disk. Installation is performed similarly to other plugins, using the Settings/Preferences dialog. Click on Plugins from the left hand pane to expose the option to install plugin from disk. From there, browse to the plugin zip file and select it.
Remember to restart IntelliJ IDEA before continuing to access the plugin.
Configuring IQ for IDEA
After the successful installation of IQ for IDEA, the plugin must be configured to connect to IQ Server. The configuration can be accessed via the Settings/Preferences dialog. Expanding Other Settings in the left hand pane will reveal Nexus IQ. Click on Nexus IQ to set up the plugin for IQ Server.
- Server URL: Enter the url of IQ Server
- Authentication Method:
- PKI Authentication: Delegate authentication to the JVM.
User Authentication: Enter the username and password your IQ Server Administrator has assigned you.
You will be prompted for your Master Password (or to set up a Master Password) when saving the Preferences/Settings. This allows IDEA to store your IQ Server password securely.
Once the IQ Server information is provided, click Connect to verify the connection to IQ Server. Next, select an Application from the dropdown to run policy against.
Using the Component Info View
The IQ for IDEA tool window can be accessed by clicking the Nexus IQ tab on the bottom tool strip of IDEA. If not accessible from there, it should also be available in View under Tool Windows. Once configured and the component analysis is completed a component view will look similar to the example is shown in the image below. The list of components will reflect an analysis of the project’s libraries.
By default, all project libraries are included in the list. Filters can be applied to adjust which libraries are included by scope: Compile, Test, Runtime, and Provided.
Right clicking on any component will bring up a menu of actions. Maven projects should allow for the following: View Details, Find Usages, and Open Maven POM.
- View Details will open the details screen providing more context to the component.
- Find Usages will bring up a list of every module the component is used in. Clicking on a module will bring up the location in the Maven POM where the component is declared.
- Open Maven POM will open the Maven POM of the component selected.
The visualization chart shown below shows a number of properties for different, available versions of the selected component. Older versions are displayed on the left and newer versions on the right. Click on any section in the visualization, and all information for that particular version will be highlighted, with the specific version number at the bottom. In addition, the details for that version of the component will display in the right-hand list of properties. Arrows to the left and right of the visualization allow you to view the full range of available versions.
The properties displayed include:
|Popularity||The relative popularity of a version as compared to all other component versions.|
|Policy Threat||The heatmap marker colors represent the highest policy threat levels for each version across all policy types, with no marker indicating no threat.|
|Security||The heatmap marker colors represent the highest policy threat levels for each version across security violation policies, with no marker indicating no threat.|
|License||The heatmap marker colors represent the highest policy threat levels for each version across licensing policies, with no marker indicating no threat.|
|Quality||The heatmap marker colors represent the highest policy threat levels for each version across quality policies, with no marker indicating no threat.|
|Other||The heatmap marker colors represent the highest policy threat levels for each version across other policies, with no marker indicating no threat.|
You will likely notice a number of colors within the visualization chart. The value for each of these colors is as follows:
- Grey for any versions older than the current version.
- Green for newer, but within the same major version of the component.
- Blue for newer component versions, but with a greater major version than the current component.
For Policy Threat
- Blue - no security or license risk
- Yellow - minor security or license risk
- Orange - medium security or license risk
- Red - severe security or license risk
The details of a specific component and version as displayed in the image below include properties about the component and provide access to further features:
|Group||The Maven groupId the component was published with. In many cases this is equivalent with the reverse domain name of the organization responsible for the deployment or running the project.|
|Artifact||The Maven artifactId of the component acts as a short and ideally descriptive name.|
|Version||The Maven version of the component. A version string ending in -SNAPSHOT signifies a transient, in development version, any other version is a release version.|
|Overridden License||The value of a license override configured in your IQ Server.|
|Declared License||The software license declared by the developer of the project, which in some cases, is identified during research by Sonatype, or directly from the Maven POM file.|
|Observed License||The licenses found by the IQ Server in a source code analysis.|
|Highest Policy Threat||The highest threat level policy that has been violated, as well as the total number of violations.|
|Highest Security Threat||The highest security threat level as well as the number of issues found with the respective level.|
|Patch Available||This is a future feature that will provide details in instances where a patch is available. Patches will be provided and verified by Sonatype.|
|Cataloged||The age of the component in the Central Repository.|
|Identification Source||The catalog in which a component identification match was found. This includes either a match made by Sonatype (e.g. the catalog of the Central Repository), or a match made manually (i.e. through the IQ Server claiming process).|
|Website||If available, an information icon providing a link to the project is displayed.|
|View Details||Press this button to display the details view for the selected component and version. This view will open in a separate tab.|
|Custom Metadata||This is a future feature that will allow you to display all custom metadata tags assigned to the component.|
Provides suggestions for different versions of the selected component which do not suffer from the same policy violations as the current version.
By clicking on the version hyperlink, the recommended version is selected in the version graph, and details are populated in the right-hand list of properties.
Recommended versions are dependant on the availibility of a newer version of the selected component which do not have any IQ policy violations. If such a version does not exist, no recommendations are displayed.