Visual Studio Code (VS Code): Easier Vulnerability & Code Smell Detection
Just as physical objects are vulnerable to attack from internal and external factors, so is software. A software product becomes vulnerable for many reasons, but the most basic ones are:
- External Dependencies
- Code Smells
In the current software industry, free and open-source culture is becoming more prominent, so practically every project released to the market relies on external dependencies. These dependencies can contain flaws and expose entry points for cyber attacks, compromising the confidentiality, integrity, and availability of the project for its clients. As a result, the dependencies themselves become vulnerabilities that need proper handling and treatment.
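To show what a dependency (open source) analysis does conceptually, here is an added example; it is not Code Sight's code and does not claim to reproduce how Synopsys performs its matching. It is a small Python checker that reads a requirements.txt, compares each pinned version against an advisory list using half-open vulnerable ranges, and reports unpinned dependencies as unassessable. The requirements text and the advisory entries (the ADV-EXAMPLE-* identifiers and their version ranges) are constructed for illustration and are not real advisories.

```python
"""Toy dependency check: match pinned requirements against an advisory list.

Added example only. Advisory data below is constructed (placeholder ids), not real.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample requirements.txt content.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.19.0
pyyaml==5.3.1
flask>=2.0
urllib3==1.26.5
"""

# Constructed advisories with placeholder identifiers.
# A version is affected when introduced <= version < fixed (half-open range).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "requests", "introduced": "0", "fixed": "2.20.0"},
    {"id": "ADV-EXAMPLE-2", "package": "pyyaml", "introduced": "5.1", "fixed": "5.4"},
    {"id": "ADV-EXAMPLE-3", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5"},
]

# Simple requirement line: name, optional operator, optional version (no extras/markers).
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?\s*$")


@dataclass
class Requirement:
    name: str
    op: Optional[str]
    version: Optional[str]


@dataclass
class Finding:
    package: str
    version: Optional[str]
    advisory: Optional[str]  # None when the dependency could not be assessed
    reason: str


def parse_version(v: str) -> tuple:
    """Turn '1.26.0' into (1, 26): numeric components, trailing zeros dropped
    so that 2.0 and 2.0.0 compare equal under tuple ordering."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text: str) -> List[Requirement]:
    """Parse the simple 'name<op>version' form; comments and blank lines are skipped."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        name = m.group(1).lower().replace("_", "-")  # normalise package name
        reqs.append(Requirement(name, m.group(2), m.group(3)))
    return reqs


def find_vulnerable(requirements_text: str, advisories: list) -> List[Finding]:
    """Return one Finding per affected or unassessable requirement, in file order."""
    findings = []
    for req in parse_requirements(requirements_text):
        if req.op != "==" or req.version is None:
            # A range or bare name resolves differently on each install; cannot be assessed.
            findings.append(Finding(req.name, req.version, None,
                                    "unpinned: version cannot be assessed, pin it"))
            continue
        ver = parse_version(req.version)
        for adv in advisories:
            if adv["package"].lower() != req.name:
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                findings.append(Finding(req.name, req.version, adv["id"],
                                        f"affected, fixed in {adv['fixed']}"))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_REQUIREMENTS, ADVISORIES):
        print(f"{f.package} {f.version or ''}: {f.advisory or '-'} ({f.reason})")
```

Note the boundary case: urllib3==1.26.5 equals the advisory's fixed version and is therefore not reported, while flask>=2.0 is flagged only because a range cannot be evaluated without a lock file. A real scanner works from a resolved dependency graph and a maintained advisory feed rather than a hand-written list.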
Similarly, ill-structured code that does not follow best practices and norms opens the gate to cyber attacks. Therefore the code must follow best practices and industry standards.
At first glance this seems a very tedious task, but it need not be. Detecting these vulnerabilities and code smells at development time:
- Shortens processes and the development cycle
- Enhances the developer experience
- Increases code robustness
- Improves documentation
- Eases long-term support
The Synopsys Code Sight extension for VS Code makes this tedious task easy and simple at development time. The extension provides an overview of, and complete information about, the detected vulnerabilities and code smells.
Synopsys Code Sight Extension
The Synopsys Code Sight extension helps you find and fix security and quality issues in your software while you code. It can quickly identify vulnerabilities in both source code and open source dependencies, and help you fix them right in the IDE. Once the issues have been identified, Code Sight provides detailed remediation guidance and access to training directly in the IDE to help you quickly fix issues today and write better code.
Code Sight uses integrated, lightweight analysis of your code and open-source dependencies without requiring a heavyweight Static Application Security Testing (SAST) or Software Composition Analysis (SCA) tool.
Code Sight can be used as a standalone extension for secure development (free trial available) or included with active subscriptions to other Synopsys Application Security Testing (AST) solutions.
Install the Synopsys Code Sight Extension
- Launch Visual Studio Code
- In the activity bar at the left of the VS Code window, click the Extensions button
- In the sidebar "Extensions" view, enter Synopsys to locate the Synopsys plug-ins
- Click the Synopsys Code Sight entry to highlight it, then click Install. The VSIX installer installs the extension.
- In the left-hand sidebar, click the icon with the Synopsys logo to see the Code Sight controls and begin scanning the code
Configure Synopsys Code Sight
Pre-requisites
- This setup assumes that either trial or enterprise licenses are available for Black Duck and Polaris
- Connect to the Black Duck instance using your email, the instance URL, and a Black Duck access token.
- The access token is available from the Black Duck profile page
- Keep these access tokens somewhere safe
- Authenticate the connection by entering the access token created in the previous step
- Connect to the Polaris instance using your email, the instance URL, and an access token. The steps to follow are the same as those above.
Installing Scan Engines
- Install the scan engines for both Black Duck and Polaris. The installers for these scan engines are available under "Product & Licenses"
- Once installed, the extension also provides a feature for validating and updating these scan engines.
Once the instances are authenticated and the scan engines are installed, it is time to scan the code and review the scan results.
Using Synopsys Code Sight
To perform a local scan of the code base:
- Click the triangular "scan" button beside Code Analysis or Open Source Analysis to run a local scan of the code base and display the detected risks
- Select any issue from the results list to view more information and recommended fixes
Frequent Issues
- Missing Java Runtime: the Java runtime may not be installed on the machine. Download the Java runtime for the underlying operating system
- Runs & Logs Location: the runs, scan results, and other logs are stored under the user profile on the local machine.
Conclusion
Regularly update project dependencies and reduce technical debt and code smells. These practices help shield the software project from cyber attacks and other misuse.
Regularly scanning the code base locally is a step toward more secure and robust code, and toward a shorter and more enjoyable development process.
Happy Coding :)