{"id":28420685,"url":"https://github.com/redhat-developer/intellij-dependency-analytics","last_synced_at":"2025-06-26T17:31:34.409Z","repository":{"id":38082297,"uuid":"190641240","full_name":"redhat-developer/intellij-dependency-analytics","owner":"redhat-developer","description":"IntelliJ Dependency Analytics","archived":false,"fork":false,"pushed_at":"2025-06-22T12:02:31.000Z","size":11926,"stargazers_count":24,"open_issues_count":11,"forks_count":22,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-06-22T12:34:54.125Z","etag":null,"topics":["dependencies","hacktoberfest","java","jetbrains-plugin"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"epl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/redhat-developer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-06-06T19:54:01.000Z","updated_at":"2025-06-22T11:56:45.000Z","dependencies_parsed_at":"2023-02-10T04:45:51.546Z","dependency_job_id":"ef68e9d2-5376-4b36-aeb5-657db64057aa","html_url":"https://github.com/redhat-developer/intellij-dependency-analytics","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/redhat-developer/intellij-dependency-analytics","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-developer%2Fintellij-dependency-analytics","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-developer%2Fintellij-dependency-analytics/tags","releases_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/redhat-developer%2Fintellij-dependency-analytics/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-developer%2Fintellij-dependency-analytics/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/redhat-developer","download_url":"https://codeload.github.com/redhat-developer/intellij-dependency-analytics/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redhat-developer%2Fintellij-dependency-analytics/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262113230,"owners_count":23260983,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependencies","hacktoberfest","java","jetbrains-plugin"],"created_at":"2025-06-05T03:49:14.871Z","updated_at":"2025-06-26T17:31:34.394Z","avatar_url":"https://github.com/redhat-developer.png","language":"Java","readme":"# Red Hat Dependency Analytics\n\n[plugin-repo]: https://plugins.jetbrains.com/plugin/12541-dependency-analytics\n\n[plugin-version-svg]: https://img.shields.io/jetbrains/plugin/v/12541-dependency-analytics.svg\n\n[plugin-downloads-svg]: https://img.shields.io/jetbrains/plugin/d/12541-dependency-analytics.svg\n\n![Java CI with Gradle](https://github.com/redhat-developer/intellij-dependency-analytics/workflows/Java%20CI%20with%20Gradle/badge.svg)\n[![JetBrains plugins][plugin-version-svg]][plugin-repo]\n[![JetBrains plugins][plugin-downloads-svg]][plugin-repo]\n\nRed Hat Dependency Analytics (RHDA) plugin gives you awareness to security concerns within your 
software supply chain\nwhile you build your application.\n\n\u003cbr \u003eDependency Analytics only supports the following project ecosystems:\n- Maven\n- Node\n- Golang\n- Python\n- Gradle\n\n\u003cbr \u003e**NOTE:**\nThe Red Hat Dependency Analytics plugin is an online service hosted and maintained by Red Hat.\nDependency Analytics only accesses your manifest files to analyze your application dependencies before displaying the\nvulnerability report.\n\n##### Table of Contents\n\n- [Red Hat Dependency Analytics](#red-hat-dependency-analytics)\n  - [Table of Contents](#table-of-contents)\n  - [Quick start](#quick-start)\n  - [Configuration](#configuration)\n  - [Features](#features)\n  - [Know more about the Red Hat Dependency Analytics platform](#know-more-about-the-red-hat-dependency-analytics-platform)\n  - [Data and telemetry](#data-and-telemetry)\n  - [Support, feedback \\\u0026 questions](#support-feedback--questions)\n  - [License](#license)\n\n## Quick start\n\n**Prerequisites**\n\n- For Maven projects, analyzing a `pom.xml` file, you must have the `mvn` binary in your IDE's `PATH` environment.\n- For Node projects, analyzing a `package.json` file, you must have the `node` binary and one of the `npm`, `pnpm` or `yarn` package managers in your IDE's `PATH`\n  environment.\n- For Golang projects, analyzing a `go.mod` file, you must have the `go` binary in your IDE's `PATH` environment.\n- For Python projects, analyzing a `requirements.txt` file, you must have the `python3` and `pip3` binaries in your\n  IDE's `PATH` environment.\n- For Gradle projects, analyzing a `build.gradle` file, you must have the `gradle` binary in your IDE's `PATH` environment.\n- For base images, analyzing a `Dockerfile`, you must have the [`syft`](https://github.com/anchore/syft?tab=readme-ov-file#installation) and [`skopeo`](https://github.com/containers/skopeo/blob/main/install.md) binaries in your IDE's `PATH` environment.\n\n**Procedure**\n\n1. 
Install [IntelliJ IDEA](https://www.jetbrains.com/idea/download/) on your workstation.\n2. After the installation finishes, open the IntelliJ IDEA application.\n3. From the menu, click **Settings**, and click **Plugins**.\n4. Search the **Marketplace** for _Red Hat Dependency Analytics_.\n5. Click the **INSTALL** button to install the plugin.\n6. To start scanning your application for security vulnerabilities, and view the vulnerability report, you can do one of\n   the following:\n    - Open a manifest file, hover over a dependency marked by the inline Component Analysis, indicated by the wavy red\n      line under a dependency, and click **Detailed Vulnerability Report**.\n    - Right-click a manifest file in the **Project** window, and click **Dependency Analytics Report**.\n\n## Configuration\n\nThe Red Hat Dependency Analytics plugin has some configurable parameters that allow you to customize its behavior\naccording to your preferences.\n\n**Procedure**\n\n1. Open the IntelliJ IDEA application.\n2. From the menu, click **Settings**, and click **Tools**.\n3. 
Click **Red Hat Dependency Analytics**.\n\n   ![Red Hat Dependency Analytics plugin settings](src/main/resources/images/settings.png)\n\n**Configurable parameters**\n\n- **Maven** :\n  \u003cbr \u003eSet the full path of the Maven executable, which allows Exhort to locate and run the `mvn` command to resolve\n  dependencies for Maven projects.\n  \u003cbr \u003eThe path of the `JAVA_HOME` directory is required by the `mvn` executable.\n  \u003cbr \u003eIf the paths are not provided, your IDE's `PATH` and `JAVA_HOME` environment variables will be used to locate the\n  executables.\n\n- **Node** :\n  \u003cbr \u003eSet the full path of the `npm`, `pnpm` or `yarn` executable, which allows Exhort to locate and run that package manager to resolve\n  dependencies for Node projects.\n  \u003cbr \u003eThe path of the directory containing the `node` executable is required by the `npm`, `pnpm` or `yarn` executable.\n  \u003cbr \u003eIf the paths are not provided, your IDE's `PATH` environment will be used to locate the executables.\n\n- **Golang** :\n  \u003cbr \u003eSet the full path of the Go executable, which allows Exhort to locate and run the `go` command to resolve\n  dependencies for Go projects.\n  \u003cbr \u003eIf the path is not provided, your IDE's `PATH` environment will be used to locate the executable.\n  \u003cbr \u003eWhen the `Strictly match package version` option is selected, the resolved dependency versions will be compared to\n  the versions specified in the manifest file, and you will be alerted if any mismatch is detected.\n\n- **Python** :\n  \u003cbr \u003eSet the full paths of the Python executable and the Python package installer executable, which allow Exhort to locate\n  and run the `pip3` commands to resolve dependencies for Python projects.\n  \u003cbr \u003eThe Python 2 executables `python` and `pip` can be used instead, if the `Use python 2.x` option is selected.\n  \u003cbr \u003eIf the paths are not provided, your IDE's `PATH` 
environment will be used to locate the executables.\n  \u003cbr \u003eWhen the `Strictly match package version` option is selected, the resolved dependency versions will be compared to\n  the versions specified in the manifest file, and you will be alerted if any mismatch is detected.\n  \u003cbr \u003eA Python virtual environment can be used by selecting the `Use python virtual environment` option.\n  \u003cbr \u003eIf the `Allow alternate package version` option is selected while using a virtual environment, the dependency versions\n  specified in the manifest file will be ignored and the versions will be resolved dynamically instead, so the report may describe\n  versions other than the ones the manifest pins (this option cannot be enabled when `Strictly match package version` is selected).\n\n- **Gradle** :\n  \u003cbr \u003eSet the full path of the Gradle executable, which allows Exhort to locate and run the `gradle` command to resolve\n  dependencies for Gradle projects.\n  \u003cbr \u003eIf the path is not provided, your IDE's `PATH` environment will be used to locate the executable.\n\n- **Image** :\n  \u003cbr \u003eSet the full path of the Syft executable, which allows Exhort to locate and run the `syft` command to\n  generate a Software Bill of Materials for the base images.\n  \u003cbr \u003eOptionally, set the full path of the Docker or Podman executable. Syft will attempt to find the images in the\n  Docker or Podman daemon through that executable. 
Otherwise, Syft will try direct remote registry access.\n  \u003cbr \u003eSet the full path of the Skopeo executable, which allows Exhort to locate and run the `skopeo` command to\n  determine the image digests.\n  \u003cbr \u003eIf the paths are not provided, your IDE's `PATH` environment will be used to locate the executables.\n  \u003cbr \u003eIf a Syft configuration file is used and it is not at one of the\n  default [paths](https://github.com/anchore/syft/blob/469b4c13bbc52c43bc5216924b6ffd9d6d47bbd6/README.md#configuration),\n  set the full path to the configuration file in the plugin settings.\n  \u003cbr \u003eIf\n  an [authentication file](https://github.com/containers/skopeo/blob/3eacbe5ae2fe859f872a02bf28c16371fb1de7b8/docs/skopeo-inspect.1.md#options)\n  is used for `skopeo inspect`, set the full path to that file in the plugin settings.\n  \u003cbr \u003eIf no platform is specified in the `Dockerfile` for a multi-platform image, the default platform set in the plugin settings is used.\n  Alternatively, set the full path of the Docker or Podman executable, and Exhort will use that executable to determine the image platform from the operating system and architecture of the container runtime.\n\n- **Inline Vulnerability Severity Alerts** :\n  \u003cbr \u003eYou can set the vulnerability severity alert level to `Error` or `Warning` for inline notifications of detected\n  vulnerabilities.\n\n- **Proxy Configuration** :\n  \u003cbr \u003eFrom IntelliJ IDEA Appearance \u0026 Behavior \u003e System Settings \u003e HTTP Proxy, you can configure a proxy for all HTTP requests made by the plugin. This is useful when your environment requires going through a proxy to access external services. 
For example: `http://proxy.example.com:8080`\n\n## Features\n\n- **Component analysis**\n  \u003cbr \u003eUpon opening a manifest file, such as a `pom.xml`, `package.json`, `go.mod` or `requirements.txt` file, a scan\n  starts automatically.\n  The scan provides immediate inline feedback on detected security vulnerabilities for your application's dependencies.\n  Affected dependencies are underlined in red, and hovering over one gives you a short summary of the security\n  concern.\n  The summary has the full package name, version number, the number of known security vulnerabilities, and the highest\n  severity of those vulnerabilities.\n\n  ![ Animated screenshot showing the inline reporting feature of Dependency Analytics ](src/main/resources/images/component-analysis.gif)\n\n- **Dockerfile scanning**\n  \u003cbr \u003eUpon opening a Dockerfile, a vulnerability scan starts analyzing the images within the Dockerfile.\n  After the analysis finishes, you can view any recommendations and remediation by clicking the _More actions..._ menu\n  from the highlighted image name.\n  A recommendation for an alternative image does not replace the current image.\n  By clicking _Switch to..._, you go to Red Hat's Ecosystem Catalog for the recommended image.\n\n  \u003cbr \u003eYou must have the [`syft`](https://github.com/anchore/syft#installation)\n  and [`skopeo`](https://www.redhat.com/en/topics/containers/what-is-skopeo) binaries installed on your workstation to\n  use the Dockerfile scanning feature.\n  You can specify the path to these binaries, and to the other tools listed below, by setting the following parameters as environment\n  variables or system properties:\n\n    * `EXHORT_SYFT_PATH` : Specify the absolute path of the `syft` executable.\n    * `EXHORT_SYFT_CONFIG_PATH` : Specify the absolute path to the Syft configuration file.\n    * `EXHORT_SKOPEO_PATH` : Specify the absolute path of the `skopeo` executable.\n    * `EXHORT_SKOPEO_CONFIG_PATH` : Specify the 
absolute path to the authentication file used by the `skopeo inspect`\n      command.\n    * `EXHORT_DOCKER_PATH` : Specify the absolute path of the `docker` executable.\n    * `EXHORT_PODMAN_PATH` : Specify the absolute path of the `podman` executable.\n    * `EXHORT_IMAGE_PLATFORM` : Specify the platform used for multi-arch images.\n\n  ![ Animated screenshot showing the inline reporting feature of Image Analysis ](src/main/resources/images/image-analysis.gif)\n\n- **Excluding dependencies with `exhortignore`**\n  \u003cbr \u003eYou can exclude a package from analysis by marking it in the manifest file.\n  Every vulnerability reported for a marked package is suppressed, so review `exhortignore` markers like any other security-relevant change.\n  If you want to ignore vulnerabilities for a dependency in a `pom.xml` file, you must add `exhortignore` as a comment\n  against the `dependency`, `groupId`, `artifactId`, or `version` element of that particular dependency in the manifest file.\n  For example:\n  ```xml\n  \u003cdependency\u003e \u003c!--exhortignore--\u003e\n      \u003cgroupId\u003e...\u003c/groupId\u003e\n      \u003cartifactId\u003e...\u003c/artifactId\u003e\n      \u003cversion\u003e...\u003c/version\u003e\n  \u003c/dependency\u003e\n  ```\n\n  If you want to ignore vulnerabilities for a dependency in a `package.json` file, you must add a top-level `exhortignore`\n  attribute whose value is the array of package names to ignore.\n  For example:\n  ```json\n  {\n      \"name\": \"sample\",\n      \"version\": \"1.0.0\",\n      \"description\": \"\",\n      \"main\": \"index.js\",\n      \"keywords\": [],\n      \"author\": \"\",\n      \"license\": \"ISC\",\n      \"dependencies\": {\n          \"dotenv\": \"^8.2.0\",\n          \"express\": \"^4.17.1\",\n          \"jsonwebtoken\": \"^8.5.1\",\n          \"mongoose\": \"^5.9.18\"\n      },\n      \"exhortignore\": [\n          \"jsonwebtoken\"\n      ]\n  }\n  ```\n\n  If you want to ignore vulnerabilities for a dependency in a `go.mod` file, you must add `exhortignore` as a comment\n  against the dependency in the manifest file.\n  For example:\n  ```text\n  require (\n      golang.org/x/sys v1.6.7 
// exhortignore\n  )\n  ```\n\n  If you want to ignore vulnerabilities for a dependency in a `requirements.txt` file, you must add `exhortignore` as a\n  comment against the dependency in the manifest file.\n  For example:\n  ```text\n  requests==2.28.1 # exhortignore\n  ```\n\n  If you want to ignore vulnerabilities for a dependency in a `build.gradle` file, you must add `exhortignore` as a\n  comment against the dependency in the manifest file.\n  For example:\n  ```text\n  implementation \"log4j:log4j:1.2.17\" // exhortignore\n  implementation group: 'log4j', name: 'log4j', version: '1.2.17' // exhortignore\n  ```\n\n- **Excluding development or test dependencies**\n  \u003cbr \u003eRed Hat Dependency Analytics does not analyze dependencies marked as `dev` or `test`; these dependencies are\n  ignored.\n  For example, setting `test` in the `scope` tag within a `pom.xml` file:\n  ```xml\n  \u003cdependency\u003e\n      \u003cgroupId\u003e...\u003c/groupId\u003e\n      \u003cartifactId\u003e...\u003c/artifactId\u003e\n      \u003cversion\u003e...\u003c/version\u003e\n      \u003cscope\u003etest\u003c/scope\u003e\n  \u003c/dependency\u003e\n  ```\n\n  For example, setting the `devDependencies` attribute in the `package.json` file:\n  ```json\n  {\n      \"name\": \"sample\",\n      \"version\": \"1.0.0\",\n      \"description\": \"\",\n      \"main\": \"index.js\",\n      \"keywords\": [],\n      \"author\": \"\",\n      \"license\": \"ISC\",\n      \"dependencies\": {\n          \"dotenv\": \"^8.2.0\",\n          \"express\": \"^4.17.1\",\n          \"jsonwebtoken\": \"^8.5.1\",\n          \"mongoose\": \"^5.9.18\"\n      },\n      \"devDependencies\": {\n          \"axios\": \"^0.19.0\"\n      }\n  }\n  ```\n\n  For example, using an `exclude` directive in the `go.mod` file:\n  ```text\n  exclude golang.org/x/sys v1.6.7\n\n  exclude (\n      golang.org/x/sys v1.6.7\n  )\n  ```\n\n  You can create an alternative file to `requirements.txt`, for example, a 
`requirements-dev.txt` or\n  a `requirements-test.txt` file, and list the development or test dependencies there.\n\n- **Red Hat Dependency Analytics report**\n  \u003cbr \u003eThe Red Hat Dependency Analytics report is a temporary HTML file that exists only while the **Red Hat Dependency Analytics\n  Report** tab remains open.\n  Closing the tab removes the temporary HTML file.\n\n## Know more about the Red Hat Dependency Analytics platform\n\nThe goal of this project is to significantly enhance a developer's experience by providing helpful vulnerability\ninsights for their applications.\n\n- [GitHub Organization](https://github.com/redhat-developer)\n\n## Data and telemetry\n\nThe Red Hat Dependency Analytics plugin for IntelliJ IDEA collects anonymous [usage data](USAGE_DATA.md) and sends it to\nRed Hat servers to help improve our products and services.\nRead our [privacy statement](https://developers.redhat.com/article/tool-data-collection) to learn more.\nThis plugin respects the settings of the `Telemetry by Red Hat` plugin, which you can learn more\nabout [here](https://plugins.jetbrains.com/plugin/16209-telemetry-by-red-hat).\n\n## Support, feedback \u0026 questions\n\nThe Red Hat Dependency Analytics plugin for IntelliJ IDEA in its current version supports the following IntelliJ IDEA versions:\n - 2022.1\n - 2022.2\n - 2022.3\n - 2023.1\n - 2023.2\n - 2023.3\n\nThere are two ways you can contact us:\n\n- You can reach out to us at `rhda-support@redhat.com` with any questions, feedback, and general support.\n- You can also file a [GitHub Issue](https://github.com/redhat-developer/intellij-dependency-analytics/issues).\n\n## License\n\nEPL 2.0. See [LICENSE](LICENSE) for more 
information.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-developer%2Fintellij-dependency-analytics","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredhat-developer%2Fintellij-dependency-analytics","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredhat-developer%2Fintellij-dependency-analytics/lists"}
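The `exhortignore` and dev/test-exclusion conventions described in the README above, as an added example that is not part of this page or of the plugin's own code: a small Python 3.8+ audit script that reads each supported manifest and reports which entries a scan would skip, following the documented markers (`<!--exhortignore-->` in `pom.xml`, the `exhortignore` array in `package.json`, `// exhortignore` in `go.mod` and `build.gradle`, `# exhortignore` in `requirements.txt`, plus `<scope>test</scope>`, `devDependencies` and a go.mod `exclude`). The sample manifests, the status names (`ignored`, `test-scope`, `dev`, `excluded`, `analyze`) and the exact matching rules (for instance that a comment anywhere inside a `<dependency>` element counts) are assumptions made for illustration; the plugin's own parser may differ in edge cases, and nothing here contacts the Red Hat service.

```python
"""Audit what a Red Hat Dependency Analytics scan would skip in a manifest.

Added example, not the plugin's own parser: it re-implements the `exhortignore`
and dev/test conventions as the README documents them, so you can review what a
scan silently leaves out. The plugin's real matching may differ in edge cases.
"""
import json
import re
import xml.etree.ElementTree as ET

MARK = "exhortignore"

def _local(tag):  # "{http://maven.apache.org/POM/4.0.0}dependency" -> "dependency"
    return tag.rsplit("}", 1)[-1]

def audit_pom(text):
    """pom.xml: <!--exhortignore--> inside a <dependency> ignores it; <scope>test</scope> is not analyzed."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))  # keep comments in the tree
    result = {}
    for dep in ET.fromstring(text, parser=parser).iter():
        if not isinstance(dep.tag, str) or _local(dep.tag) != "dependency":
            continue  # comment nodes carry ET.Comment (a function) as their tag
        f = {_local(c.tag): (c.text or "").strip() for c in dep if isinstance(c.tag, str)}
        coord = f"{f.get('groupId')}:{f.get('artifactId')}:{f.get('version')}"
        marked = any(e.tag is ET.Comment and (e.text or "").strip() == MARK for e in dep.iter())
        result[coord] = "ignored" if marked else "test-scope" if f.get("scope") == "test" else "analyze"
    return result

def audit_package_json(text):
    """package.json: names in the top-level "exhortignore" array are ignored; devDependencies are not analyzed."""
    data = json.loads(text)
    ignored = set(data.get(MARK, []))
    result = {n: "ignored" if n in ignored else "analyze" for n in data.get("dependencies", {})}
    result.update({n: "dev" for n in data.get("devDependencies", {})})
    return result

GO_LINE = re.compile(r"^(?:(require|exclude)\s+)?([\w./~-]+)\s+(v[\w.+-]+)\s*(?://\s*(\S*))?\s*$")

def audit_go_mod(text):
    """go.mod: `// exhortignore` after a require line ignores it; modules under `exclude` are left out."""
    result, block = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("("):  # start of a require ( ... ) or exclude ( ... ) block
            block = line.split()[0]
        elif line == ")":
            block = None
        elif m := GO_LINE.match(line):
            directive, key = m.group(1) or block, f"{m.group(2)}@{m.group(3)}"
            if directive == "exclude":
                result[key] = "excluded"
            elif directive == "require":
                result[key] = "ignored" if m.group(4) == MARK else "analyze"
    return result

def audit_requirements(text):
    """requirements.txt: `# exhortignore` after a requirement ignores it."""
    result = {}
    for raw in text.splitlines():
        spec, _, comment = raw.partition("#")
        spec = spec.strip()
        if spec and not spec.startswith("-"):  # skip blank/comment lines and pip options such as -r
            result[spec] = "ignored" if comment.strip() == MARK else "analyze"
    return result

GRADLE_STR = re.compile(r"""["']([\w.-]+):([\w.-]+):([\w.+-]+)["']""")
GRADLE_MAP = re.compile(r"""group:\s*["']([^"']+)["'],\s*name:\s*["']([^"']+)["'],\s*version:\s*["']([^"']+)["']""")

def audit_gradle(text):
    """build.gradle: `// exhortignore` after a dependency line ignores it (string or group:/name:/version: form)."""
    result = {}
    for raw in text.splitlines():
        code, _, comment = raw.partition("//")
        m = GRADLE_STR.search(code) or GRADLE_MAP.search(code)
        if m:
            result[":".join(m.groups())] = "ignored" if comment.strip() == MARK else "analyze"
    return result

def skipped(report):
    """Entries the scan would not flag, so a reviewer can see what is being suppressed."""
    return {k: v for k, v in report.items() if v != "analyze"}

# Constructed sample manifests for the demo below (not taken from any real project).
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency> <!--exhortignore--> <groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
<dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version><scope>test</scope></dependency>
<dependency><groupId>com.example</groupId><artifactId>lib</artifactId><version>1.0</version></dependency>
</dependencies></project>"""
PACKAGE_JSON = '{"dependencies": {"express": "^4.17.1", "jsonwebtoken": "^8.5.1"}, "devDependencies": {"axios": "^0.19.0"}, "exhortignore": ["jsonwebtoken"]}'
GO_MOD = "module example.com/app\n\nrequire (\n\tgolang.org/x/sys v1.6.7 // exhortignore\n\texample.com/lib v1.2.3\n)\nexclude golang.org/x/text v0.3.0\n"
REQUIREMENTS = "requests==2.28.1 # exhortignore\nflask==2.2.2\n-r requirements-dev.txt\n"
GRADLE = "implementation \"log4j:log4j:1.2.17\" // exhortignore\nimplementation group: 'com.example', name: 'lib', version: '1.0'\n"

if __name__ == "__main__":
    for name, report in [("pom.xml", audit_pom(POM)), ("package.json", audit_package_json(PACKAGE_JSON)),
                         ("go.mod", audit_go_mod(GO_MOD)), ("requirements.txt", audit_requirements(REQUIREMENTS)),
                         ("build.gradle", audit_gradle(GRADLE))]:
        print(f"{name}: {len(report)} entries, not analyzed: {skipped(report)}")
```

Run it with `python audit_exhortignore.py` (the file name is assumed) to print, per manifest, the entries a scan would not flag. In a CI job, diffing `skipped(...)` against a reviewed baseline catches a new `exhortignore` marker, a dependency quietly moved to test scope or `devDependencies`, or a go.mod `exclude` arriving in an unrelated commit, which is the kind of change that otherwise removes findings without anyone noticing.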