Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 3. Configuring Visual Studio Code to use Dependency Analytics
You can gain access to Red Hat’s Trusted Profile Analyzer service by using the Dependency Analytics extension for Microsoft’s Visual Studio Code (VS Code) editor application. With this extension you get access to the latest open source vulnerability information, and insights about your application’s dependent packages. The Red Hat Dependency Analytics extension uses the following data sources for the most up-to-date vulnerability information available:
- The ONGuard service, integrates the Open Source Vulnerability (OSV) and the National Vulnerability Database (NVD) data sources. When given a set of packages to the ONGuard service, a query to OSV retrieves the associated vulnerability information, and then a query to NVD for public Common Vulnerability and Exposures (CVE) information.
Dependency Analytics supports the following programming languages:
- Maven
- Node
- Python
- Go
Visual Studio Code by default, executes binaries directly in a terminal found in your system’s PATH environment. You can configure Visual Studio Code to look somewhere else to run the necessary binaries. You can configure this by accessing the extension settings. Click the Workspace tab, search for the word executable, and specify the absolute path to the binary file you want to use for Maven, Node, Python, or Go.
The Dependency Analytics extension is an online service maintained by Red Hat. Dependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the results.
Prerequisites
- Install Visual Studio Code on your workstation.
-
For Maven projects, analyzing a
pom.xmlfile, you must have themvnbinary in your system’sPATHenvironment. -
For Node projects, analyzing a
package.jsonfile, you must have thenpmbinary in your system’sPATHenvironment. -
For Go projects, analyzing a
go.modfile, you must have thegobinary in your system’sPATHenvironment. -
For Python projects, analyzing a
requirements.txtfile, you must have thepython3/pip3orpython/pipbinaries in your system’sPATHenvironment. Also, the Python application needs to be in VS Code’s interpreter path.
Procedure
- Open the Visual Studio Code application.
- From the file menu, click View, and click Extensions.
- Search the Marketplace for Red Hat Dependency Analytics.
- Click the Install button to install the extension. Wait for the installation to finish.
To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of the following:
- Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy-red line under a dependency name, click Quick Fix, and click Detailed Vulnerability Report.
- Open a manifest file, and click the pie chart icon.
- Right click on a manifest file in the Explorer view, and click Red Hat Dependency Analytics Report….
- From the vulnerability pop-up alert message, click Open detailed vulnerability report.
Additional resources
- Red Hat Dependency Analytics Visual Studio marketplace page.
- The GitHub project.
