  • Tools Integration
  • Inspection
  • Security
  • Code Quality
  • Static Analysis

PT Application Inspector

9 downloads
Updated: 1 month ago
Version: 2.8.1


Overview

The PT Application Inspector plugin finds vulnerabilities and undocumented features in application source code. In addition to code analysis, built-in modules detect errors in configuration files and vulnerabilities in third-party components and libraries used in application development. The plugin supports the following languages: C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, SQL, Solidity, TypeScript, Scala, C/C++, Objective-C, and Swift.
Note. Scanning of C/C++ and Objective-C projects is not currently supported in macOS.

How it works

Enabling and disabling the plugin

You can enable or disable the plugin in an open project by clicking the icon in the bottom right toolbar. If it is not the first time you are opening the project, the plugin is enabled automatically (scan and action history is saved). You can also set up the plugin to be automatically enabled when a new project is opened.

When the plugin is enabled, the .ai folder is created in the project. This folder contains a database, log files, and a configuration file. For Git to ignore the .ai folder, create an empty file .gitignore in the project folder.
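Because the .ai folder holds the scan database and log files, it is worth confirming with Git itself that the folder is excluded from version control. The following is an added example, not part of the plugin or its documentation; the helper name check_ai_folder and the probe file name are assumptions.

```shell
#!/bin/sh
# Added example: verify that the plugin's .ai folder stays out of Git.
# check_ai_folder is a hypothetical helper name, not part of the plugin.
#
# Return codes:
#   0  .ai is ignored and none of its files are tracked
#   1  no ignore rule covers .ai
#   2  .ai is ignored, but files from it are already in the index
#   3  the directory is not inside a Git work tree
check_ai_folder() {
    project_dir=${1:-.}

    git -C "$project_dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 3

    # Files added before an ignore rule existed stay tracked:
    # ignore rules only affect untracked paths.
    tracked=$(git -C "$project_dir" ls-files -- .ai | head -n 1)

    # check-ignore exits 0 when an ignore rule matches the path.
    # The probe file is a made-up name and does not need to exist;
    # a rule on the folder or inside it matches the probe as well.
    if git -C "$project_dir" check-ignore -q .ai/probe-file 2>/dev/null; then
        [ -z "$tracked" ] && return 0
        return 2
    fi
    return 1
}
```

Return code 2 is the case an ignore rule alone does not fix: the files already in the index have to be removed from it with git rm --cached.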

Installing the code analyzer

For the plugin to operate correctly, the PT Application Inspector code analyzer is required. You can install it automatically by clicking Download Analyzer in the pop-up notification in the IntelliJ IDEA interface or manually by downloading it from the link in the instructions below.

To manually install the code analyzer:

  1. Download the archive with the analyzer using one of the links:

  2. In macOS, run the following command to remove the com.apple.quarantine attribute:

    xattr -d com.apple.quarantine <analyzer_file_path.pkg>

    Then run the installation file and follow the instructions.

  3. In Windows and Linux, unpack the archive to one of the following locations:

    • In Windows: %LOCALAPPDATA%\Application Inspector Analyzer

    • In Linux: ~/application-inspector-analyzer


Stopping a scan

To stop scanning a project, click Stop Scan in the PT Application Inspector panel or close the scan progress bar in the bottom toolbar.


Some vulnerabilities have additional exploitation conditions displayed on the Additional Conditions tab.

When you scroll through the sections of the diagram, the vulnerability information is automatically pinned until you move on to another vulnerability. If you want to view the information about a certain vulnerability while working on the code, you can pin this vulnerability manually.

Several vulnerabilities can have the same exit point. If these vulnerabilities belong to the same type, they are grouped together and displayed as one problem with different exploitation options. You can view detailed information about such vulnerabilities in the [PT AI] Vulnerability Details panel.

Note. If you confirm one vulnerability from the group, the whole problem will be confirmed automatically. To discard an entire problem, you must discard all the vulnerabilities in the group.

Managing detected vulnerabilities

The PT Application Inspector plugin contains a set of tools for managing detected vulnerabilities. With these tools, you can do the following:

  • Filter vulnerabilities by severity, status, and suppression from scan results by clicking the eye button.
  • Confirm and discard vulnerabilities by clicking Confirm and Discard in the [PT AI] Vulnerability Details panel.
  • Confirm, discard, and suppress vulnerabilities in their context menu in the code editor. There you can also perform group actions on all vulnerabilities in the file. For example, in the context menu of a vulnerability, select Confirm Vulnerability > Fix all 'Vulnerable Code' problems in file.
  • Manage the statuses of several vulnerabilities by selecting them in the Detected Vulnerabilities tab and changing the status using the corresponding button.

You can start the assistant from the pop-up notification that appears when the scan is completed or by clicking the Assistant button, and then choose to go through the whole scenario or only certain steps.


How to get a recommendation:

  1. Select a vulnerability on the Detected vulnerabilities tab or by clicking Suggest fix in the code editor context menu.

  2. Go to the How to Fix tab.

  3. Click Create.

You can apply the suggested fix or generate an alternative option.


Integration with PT AI Enterprise Edition

The PT Application Inspector plugin can be integrated with PT AI Enterprise Edition. The integration allows all team members to work with the source code from different environments, which makes the development process more secure.

To configure the integration:

  1. In the main menu of IntelliJ IDEA, click Tools > PT Application Inspector > Connect to PT AI Server.

  2. Specify the PT AI Enterprise Server address and click Connect.

  3. Send a local project for scanning to PT AI Enterprise Server with or without saving the results on the server.

For more information about the integration, see the PT AI Enterprise Edition User Guide.

Plugin settings

To configure the plugin settings, select File > Settings > Tools > PT Application Inspector.

The plugin configuration page contains the following sections of settings.

General section:

  • Analyzer log level. The severity level starting from which the code analyzer events will be logged. The default value is Error.
  • Trigger scan. Start scan condition: manually on clicking a start button or automatically when a project file is changed. The default value is Manually.
  • Automatically enable for any project. Silent activation of the plugin when opening a project. By default, this setting is disabled.
  • Use an additional tool window to view information. Displays the Data Flow, Exploit, and Additional Conditions tabs in the separate panel [PT AI] Vulnerability Details. By default, this setting is enabled.
  • Allow telemetry collection. Collection of general scan information to be sent to PT AI Enterprise Edition. By default, this setting is enabled. Here you will find an example of the data that we collect. For more information, see the privacy statement.
  • Use all available resources. The use of all available RAM and CPU resources to increase the scanning speed. By default, this setting is disabled.
  • Number of scan history results to store. Maximum number of scan results saved in the history. The default value is No limit. If the limit is exceeded, each new scan result deletes the oldest result.
  • Number of days to store log files for. The default value is 30.
  • Maximum number of stored log files. The default value is 100.

Server settings section:

  • Server URL. Address of the connected PT AI Enterprise Server.
  • Notify about new scan results from the PT AI server. Display of notifications about receiving new scan results from PT AI Enterprise Server if synchronization with the project is configured. By default, this setting is enabled.
  • Automatically update scan results from the PT AI server. Update of scan results received from PT AI Enterprise Server if synchronization with the project is configured. This setting is available if notification of new scan results is enabled.

Assistant section:

  • Run the assistant. Activation of the assistant automatically after the first scan or manually by clicking Assistant. The default value is "Automatically after the first scan."
  • Show recommendations on the Quick Fix menu. Display of assistant tips. By default, this setting is enabled.
  • The number of vulnerabilities to be confirmed or discarded starting from which a notification from the assistant will be displayed. The default value is 5.
  • The number of similar vulnerabilities starting from which a notification from the assistant will be displayed. The default value is 5.
  • Suggest vulnerability fixes. Show the How to Fix tab with vulnerability fix recommendations. The section contains settings for the YandexGPT network:
    • Model name
    • OAuth token for Yandex Cloud
    • ID of the Yandex Cloud directory for which your account has the ai.languageModels.user role
    • Temperature: a value from 0 to 1, which defines the model response variability (the higher the value, the more unpredictable the query output)
    • Maximum number of tokens in one recommendation (the number of tokens in the same text may vary between models)

Requirements

For the correct operation of the PT Application Inspector plugin, the following technical requirements must be met:

  • JetBrains IDE (PhpStorm, IntelliJ IDEA, WebStorm) 2024.1 or later
  • 8 GB RAM
  • 5 GB of free hard drive space

Supported 64-bit OS:

  • Debian 11 Bullseye or later
  • Fedora Workstation 38 or later
  • OpenSUSE Leap 15.5 or later
  • Ubuntu 22.04 LTS or later
  • Ubuntu 23.04 or later
  • Windows 10
  • ALT Linux OS in the test mode

Supported macOS:

  • Big Sur 11.5 or later
  • Monterey 12.0.0 or later

Support and feedback

If you have any questions about the plugin, follow the links in the Help & Feedback section on the plugin configuration page to get the necessary information, join our community, or report an issue.

Privacy statement

By default, the PT Application Inspector plugin collects anonymous usage data and sends it to our experts so that they can better understand how to improve the product. We do not share the collected information with third parties. We do not collect source code or IP addresses. To stop the data collection, disable the Allow telemetry collection setting.

Versions

Version | Compatibility range | Update date
2.8.1 | 241.0.0+ | 27.01.2026
2.8.0 | 241.0.0+ | 29.12.2025

Plugin ID: com.posidev.applicationInspector