IQ for IDEA
Table of Contents
- Installing IQ for IDEA
- Configuring IQ for IDEA
- Using the Component Info View
- Multi Language Projects
- Troubleshooting Load Components
- Migrating to Different Component Versions
- Code Inspections
- Upgrading to IntelliJ IDEA 2020.2 and above
Lifecycle component analysis is supported in the following JetBrains IDEs:
|Development Environment|Java Component Analysis|Node.js Component Analysis|Python Component Analysis|
|---|---|---|---|
|IDEA Ultimate + Python plugin| | | |
|IDEA Community + Python Community plugin| | | |
Installing Nexus IQ for IDEA
IQ for IDEA supports installation via a zip file from disk. Installation is performed similarly to other plugins, using the Settings/Preferences dialog. Click on Plugins from the left-hand pane to expose the option to install the plugin from disk. From there, browse to the plugin zip file and select it.
Remember to restart your IDE before continuing to access the plugin.
Configuring Nexus IQ for IDEA
After the successful installation of IQ for IDEA, the plugin must be configured to connect to IQ Server. The configuration can be accessed via the Settings/Preferences dialog. Expanding Other Settings in the left-hand pane will reveal Nexus IQ. Click on Nexus IQ to set up the plugin for IQ Server.
- Server URL: Enter the URL of your IQ Server.
- Authentication Method:
  - PKI Authentication: Delegate authentication to the JVM.
  - User Authentication: Enter the username and password your IQ Server Administrator has assigned you.
You will be prompted for your Master Password (or to set up a Master Password) when saving the Preferences/Settings. This allows IDEA to store your IQ Server password securely.
Once the IQ Server information is provided, click Connect to verify the connection to IQ Server. If it works, select an application from the dropdown. The policies for the application will be used when evaluating your IDE project.
If Connect reports an HTTP error:
- Check your HTTP Proxy Server configuration. If the IQ Server URL points to an internal hostname, that host may need to be added to the "No proxy for" list of patterns so the IDE does not route the request through the proxy.
- Verify that the IQ Server request.log shows your Connect requests actually reaching IQ Server. If they do, the IQ Server clm-server.log may contain more information about why they fail.
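Two of these checks can be scripted outside the IDE. The following is an added example, not code from the plugin or from Sonatype: the first function reports which "No proxy for" pattern (assumed here, as IntelliJ documents it, to be a comma-separated list of host names and wildcard patterns) matches the IQ Server host, so you can see whether the request will bypass the proxy; the second summarizes HTTP status codes per request path for one client address in NCSA-style request log lines. The log lines embedded below are constructed for the example and are not real IQ Server output.

```python
"""Added example (not the IQ for IDEA plugin's code): proxy-exclusion and
request.log checks for a failing Connect."""
import re
from collections import Counter
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def proxy_exclusion_match(server_url, no_proxy_for):
    """Return the 'No proxy for' pattern that matches the IQ Server host, or None.

    None for an internal hostname means the IDE will send the request through
    the configured proxy, which is the situation the troubleshooting step
    above describes. Assumes the field is a comma-separated list of host
    names and shell-style wildcard patterns (e.g. *.corp.example, 10.0.*)."""
    url = server_url if "://" in server_url else "//" + server_url  # allow bare host:port
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError(f"cannot find a host in {server_url!r}")
    for pattern in (p.strip().lower() for p in no_proxy_for.split(",")):
        if pattern and fnmatchcase(host, pattern):
            return pattern
    return None


# NCSA common/extended log layout: client ident user [time] "METHOD path PROTO" status size
_NCSA = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
)


def status_counts_for_client(log_lines, client_ip):
    """Count (path, status) pairs for one client address in request.log lines.

    A 401/403 points at credentials or PKI setup; a 404 at a wrong Server URL
    path; no lines at all for the client means the request never arrived."""
    counts = Counter()
    for line in log_lines:
        m = _NCSA.match(line)
        if m and m.group("client") == client_ip:
            counts[(m.group("path"), m.group("status"))] += 1
    return counts


# Constructed sample lines for the example; not real IQ Server request.log output.
SAMPLE_REQUEST_LOG = [
    '10.1.2.3 - - [12/Mar/2024:10:15:01 +0000] "GET /api/v2/applications HTTP/1.1" 401 0',
    '10.1.2.3 - - [12/Mar/2024:10:15:42 +0000] "GET /api/v2/applications HTTP/1.1" 200 5120',
    '10.9.9.9 - - [12/Mar/2024:10:16:00 +0000] "GET / HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(proxy_exclusion_match("https://iq.corp.example:8070", "localhost, *.corp.example"))
    for (path, status), n in sorted(status_counts_for_client(SAMPLE_REQUEST_LOG, "10.1.2.3").items()):
        print(f"{path} -> {status} x{n}")
```

Run it with the Server URL from the plugin settings and the exact contents of the IDE's "No proxy for" field; if the first function returns None for an internal host, add a matching pattern and retry Connect before looking at the server-side logs.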
Using the Component Info View
The IQ for IDEA tool window can be accessed by clicking the Nexus IQ tab on the bottom tool strip of IDEA. If not accessible from there, it should also be available in View under Tool Windows.
By default, all project dependencies are included in the component list. Scope filters can be applied to adjust which components are visible.
The following scopes are available:
- for Java components: Compile, Test, Runtime, and Provided;
- for Python components: All (the IDE does not provide enough information to distinguish between production and development packages).
Right-clicking on any component will bring up a menu of actions. All components allow for the following actions: View Details and Find Usages. Maven-based Java components show an extra action: Open Maven POM.
- View Details will open the details screen providing more context to the component.
- Find Usages will bring up a list of every module the component is used in. Clicking on a module will bring up the location where the component is declared, which is either a Maven POM file or a package.json file.
- Open Maven POM will open the Maven POM of the component selected.
Many Python components come in several flavors. The same component, identified by name and version, can be built and packaged in several ways, with different sets of attributes and file extensions, and targeting different platforms. For instance, the same package can be found as a TGZ file for Linux and as a ZIP file for Windows. The content of those flavors is sometimes different, so they can be exposed to different vulnerabilities. For that reason, the IQ for IDEA plugin displays all known flavors of a Python component in a separate side panel, so developers can check each of them individually.
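The following is an added example, not code from the plugin, showing what the side panel groups: it parses Python distribution file names (wheels per the PEP 427 layout `name-version[-build]-python-abi-platform.whl`, and sdists as `name-version.tar.gz` / `.zip`) and lists every flavor found for each name and version pair. The file names in `SAMPLE_FILES` are constructed for the example.

```python
"""Added example (not plugin code): group Python distribution files by
(name, version) and list the flavors of each."""
import re
from collections import defaultdict

_NORMALIZE = re.compile(r"[-_.]+")
SDIST_EXTENSIONS = (".tar.gz", ".tgz", ".zip")


def normalize_name(name):
    """PEP 503 name normalization so 'Foo_Bar' and 'foo-bar' land in one group."""
    return _NORMALIZE.sub("-", name).lower()


def parse_distribution(filename):
    """Describe a wheel or sdist file name, or return None for anything else."""
    if filename.endswith(".whl"):
        parts = filename[:-4].split("-")
        if len(parts) not in (5, 6):  # 6 when an optional build tag is present
            return None
        python_tag, abi_tag, platform_tag = parts[-3:]
        return {
            "name": normalize_name(parts[0]),
            "version": parts[1],
            "kind": "wheel",
            "flavor": f"wheel {python_tag}-{abi_tag}-{platform_tag}",
        }
    for ext in SDIST_EXTENSIONS:
        if filename.endswith(ext):
            stem = filename[: -len(ext)]
            if "-" not in stem:
                return None
            name, version = stem.rsplit("-", 1)  # project names may contain '-', versions do not
            return {"name": normalize_name(name), "version": version, "kind": "sdist", "flavor": f"sdist {ext}"}
    return None


def group_flavors(filenames):
    """Map (name, version) to the sorted list of flavors seen for it."""
    groups = defaultdict(list)
    for filename in filenames:
        dist = parse_distribution(filename)
        if dist:
            groups[(dist["name"], dist["version"])].append(dist["flavor"])
    return {key: sorted(flavors) for key, flavors in groups.items()}


# Constructed sample: one release of numpy in three flavors, requests in two,
# a wheel with a build tag, and a file that is not a distribution at all.
SAMPLE_FILES = [
    "numpy-1.26.4-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
    "numpy-1.26.4-cp311-cp311-win_amd64.whl",
    "numpy-1.26.4.tar.gz",
    "requests-2.31.0-py3-none-any.whl",
    "requests-2.31.0.tar.gz",
    "Some_Pkg-0.1.0-1-py3-none-any.whl",
    "README.txt",
]

if __name__ == "__main__":
    for (name, version), flavors in sorted(group_flavors(SAMPLE_FILES).items()):
        print(f"{name} {version}: {', '.join(flavors)}")
```

Pointing this at a local package index mirror or a download cache shows which flavors a release ships in; a platform-specific wheel bundles compiled code that a pure-Python wheel or the sdist does not, which is why the same name and version can carry different findings.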
Multi Language Projects
The Nexus IQ plugin for IntelliJ IDEA can detect and analyze components written in different programming languages, within a single project. The project should be organized to follow the JetBrains recommended project structure.
IntelliJ IDEA project structure consists of projects and modules. A project can contain source code, tests, libraries in use, build instructions, and configuration files. It may contain one or more modules. Each module is a collection of project files that serve a single purpose. If no modules are defined for the project, the project itself is considered as a module.
When creating a new module, select a language (e.g. Java) and an optional build system (e.g. Maven). IntelliJ IDEA uses this language selection to determine which IDE features are available for the module. This is a 1:1 association and works only for a single language.
Modules of existing projects
When an existing project is imported into IntelliJ IDEA, the IDE detects all the modules it contains and assigns a language to each module. You can modify the module detection and structuring after import by navigating to File > Project Structure.
To maximize the results of Nexus IQ for IDEA component detection in multi-language projects, ensure that each module contains files specific to a single language.
Troubleshooting Load Components
In Maven or Gradle-based projects, when a project is first opened in the IDE, it may not have been imported for its project type (Maven or Gradle). The symptom of this condition is an empty External Libraries folder in the Project view:
The project (i.e. its manifest files) must be imported to get the list of External Libraries to appear. For Maven projects, locate the root pom.xml file, right-click, then select Maven → Reload project, or Add as Maven Project, depending on your version of IntelliJ IDEA.
NOTE: For Gradle projects, locate the build.gradle file, right-click, then select Reload from disk.
This will convert the project to its proper type which will load the External Libraries:
Now, you can click on the Evaluate Components button and the analyzed components will load in the Nexus IQ Component View. The evaluation results will look something like this:
The Nexus IQ plugin for IntelliJ IDEA will only scan and evaluate the Python packages associated with projects or modules that are configured in IDEA or PyCharm. Packages associated with projects or modules that are not configured in the IDE will not be detected.
To troubleshoot Python projects, check that:
- Python is installed locally on your machine.
- Python uses one of the following virtual environments:
  - virtualenv - more details at: https://www.jetbrains.com/help/pycharm/creating-virtual-environment.html;
  - Pipenv environment - more details at: https://www.jetbrains.com/help/pycharm/pipenv.html;
  - Poetry environment - more details at: https://www.jetbrains.com/help/pycharm/poetry.html.
- Your Python project or module is configured in IDEA/PyCharm. The plugin does not perform manifest-based file detection.
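The checks in the list above can be run from a terminal before opening the IDE. This is an added example, not the plugin's code: it reports whether an interpreter is on PATH, and infers the environment manager from marker files (a Pipfile for Pipenv, a `[tool.poetry]` table in pyproject.toml for Poetry, and a `pyvenv.cfg` inside a subdirectory for virtualenv/venv). That marker-file inference is this script's own assumption, not something the plugin documents.

```python
"""Added example (not plugin code): report the Python environment facts the
troubleshooting checklist asks for, from outside the IDE."""
import shutil
from pathlib import Path


def read_pyvenv_cfg(cfg_path):
    """Parse the 'key = value' lines of a pyvenv.cfg into a dict."""
    settings = {}
    for line in Path(cfg_path).read_text(encoding="utf-8").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def detect_environment(project_dir):
    """Return which managers a project appears to use and which venvs it contains."""
    project = Path(project_dir)
    managers = []
    if (project / "Pipfile").is_file():
        managers.append("pipenv")
    pyproject = project / "pyproject.toml"
    if pyproject.is_file() and "[tool.poetry]" in pyproject.read_text(encoding="utf-8"):
        managers.append("poetry")
    venvs = {}
    for cfg in sorted(project.glob("*/pyvenv.cfg")):  # pathlib.glob also matches .venv
        settings = read_pyvenv_cfg(cfg)
        # venv writes 'version'; virtualenv writes 'version_info'
        venvs[cfg.parent.name] = settings.get("version") or settings.get("version_info") or "unknown"
    if venvs:
        managers.append("virtualenv")
    return {
        "python_on_path": any(shutil.which(name) for name in ("python3", "python")),
        "managers": managers,
        "venvs": venvs,
    }


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(detect_environment(target), indent=2))
```

An empty `managers` list for a project the plugin does not analyze is the first thing to resolve: the plugin reads the environment the IDE has configured, so the project needs one of the listed environment types attached to it in Project Structure before any packages will appear.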
Migrating to Different Component Versions
If, after reviewing your component usage, you determine that a component upgrade is required to avoid a security or license issue or a policy violation, IQ for IDEA can assist you with the necessary refactoring.
The first step to start the migration is to select a newer version for the component in the visualization chart, or by selecting the recommended version. An example is displayed in the image below:
Once you have selected a different version than the one currently used, the Migrate to Selected button will become active. Pressing the button completes the migration from the current component version to the selected component version, by updating the component version in the relevant manifest files.
After the migration is completed, the component list will be updated and a component scan will be initiated. You should perform a full build, as well as a thorough test, to determine that you can proceed with the new version in your development.
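The two steps the tool window performs, finding every manifest that declares a component (Find Usages) and rewriting the declared version (Migrate to Selected), can be reproduced outside the IDE. The following is an added example, not the plugin's own code: it walks a project for pom.xml and package.json files, lists where a component is declared, and rewrites literal versions, while reporting Maven versions expressed through a `${property}` instead of editing them, since such a property may be shared by other components. Component ids are `groupId:artifactId` for Maven and the package name for npm; the sample manifests in the test are constructed.

```python
"""Added example (not the IQ for IDEA plugin's code): locate a component's
declarations across pom.xml and package.json files and bump its version."""
import json
import xml.etree.ElementTree as ET
from pathlib import Path


def _ns(root):
    """'{uri}' prefix of the POM root element, or '' for an un-namespaced POM."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _child_text(dep, ns, tag):
    el = dep.find(ns + tag)
    return el.text.strip() if el is not None and el.text else None


def _manifests(root):
    """Every pom.xml and package.json below root, ignoring node_modules."""
    for path in sorted(Path(root).rglob("*")):
        if path.name in ("pom.xml", "package.json") and "node_modules" not in path.parts:
            yield path, path.relative_to(root).as_posix()


def _npm_sections(data):
    return [data[s] for s in ("dependencies", "devDependencies") if isinstance(data.get(s), dict)]


def _maven_matches(tree_root, ns, component):
    """Yield <dependency> elements whose groupId:artifactId equals component."""
    for dep in tree_root.iter(ns + "dependency"):
        coords = ":".join(_child_text(dep, ns, t) or "" for t in ("groupId", "artifactId"))
        if coords == component:
            yield dep


def find_usages(root, component):
    """Sorted list of (relative manifest path, declared version) for component."""
    hits = []
    for path, rel in _manifests(root):
        if path.name == "pom.xml":
            tree_root = ET.parse(path).getroot()
            ns = _ns(tree_root)
            for dep in _maven_matches(tree_root, ns, component):
                hits.append((rel, _child_text(dep, ns, "version") or ""))
        else:
            for section in _npm_sections(json.loads(path.read_text(encoding="utf-8"))):
                if component in section:
                    hits.append((rel, section[component]))
    return sorted(hits)


def _keep_range_operator(old, new):
    """Preserve a leading ^ or ~ so the npm range style is unchanged."""
    return (old[0] if old and old[0] in "^~" else "") + new


def migrate(root, component, new_version):
    """Rewrite literal declarations of component; return (changed, skipped)."""
    changed, skipped = [], []
    for path, rel in _manifests(root):
        touched = False
        if path.name == "pom.xml":
            tree = ET.parse(path)
            ns = _ns(tree.getroot())
            for dep in _maven_matches(tree.getroot(), ns, component):
                version = _child_text(dep, ns, "version")
                if version is None or version.startswith("${"):
                    skipped.append((rel, version or ""))  # managed or property-driven: report only
                    continue
                dep.find(ns + "version").text = new_version
                touched = True
            if touched:
                if ns:
                    ET.register_namespace("", ns[1:-1])  # write xmlns=..., not ns0:
                tree.write(path, encoding="utf-8", xml_declaration=True)
        else:
            data = json.loads(path.read_text(encoding="utf-8"))
            for section in _npm_sections(data):
                if component in section:
                    section[component] = _keep_range_operator(section[component], new_version)
                    touched = True
            if touched:
                path.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8")
        if touched:
            changed.append(rel)
    return sorted(changed), sorted(skipped)
```

Note that `ElementTree` re-serializes the whole POM, so comments and exact whitespace are not preserved; that is acceptable for an illustration but, as with the plugin's own migration, the rewritten manifests still need a full build and test run before the new version is adopted.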
Typically, smaller version changes will have a higher chance of working without any major refactorings, or adaptations, of your codebase and projects, while larger version changes potentially give you more new features or bug fixes.
Your release cycle, customer demands, production issues, and other influencing factors will determine your version upgrade choices. You might decide on a multi-step approach, where you do a small version upgrade immediately to resolve current issues and then work on the larger upgrade subsequently to get the benefits of the newer version. Or, you might be comfortable upgrading to the latest available version straight away. A combination of approaches in different branches of your source code management system can also be used to figure out the best way forward with the upgrade.
IQ for IDEA and other tools of the IQ Server suite can assist you through the process of upgrading, as well as monitoring, the applications after upgrade completion.
Code Inspections
Starting with version 4.3.0 of the plugin, custom code inspections are provided for pom.xml and package.json files. If a component declared in those files has critical, severe or moderate policy violations, it gets a code inspection marker attached to it, describing the severity of the violation and providing a link to its corresponding entry in the Component Info view.
Upgrading to IntelliJ IDEA 2020.2 and above
If you are upgrading from IntelliJ IDEA 2020.1.x or below to IntelliJ IDEA 2020.2.x or above, you will need to install the new Nexus IQ IDEA Plugin version 3.x or above. If you had the Nexus IQ IDEA Plugin 2.x installed on IntelliJ IDEA 2020.1.x or below, that 2.x plugin will not be automatically updated or installed when you upgrade to IntelliJ IDEA 2020.2.x or above. Instead, you will need to install the Nexus IQ IDEA Plugin 3.x from the JetBrains marketplace (recommended) or from the Sonatype download site.
You might see a message like this when you start the IntelliJ IDEA 2020.2.x upgrade: