ProtectingCode Security Scanner

Publisher: codingguardian
Security vulnerability scanner for java projects with support for scanning POM files, JAR and M2 repository

ProtectingCode Security Scanner

🛡️ Comprehensive Maven Security Analysis for VS Code

ProtectingCode Security Scanner is a VS Code extension that detects known vulnerabilities in the open-source dependencies of Java projects. It reads POM files, JAR files, and Maven .m2 repositories, so direct, transitive, and locally cached dependencies are all covered.

✨ Key Features

🔍 Multi-Source Vulnerability Detection

  • POM File Scanning: Analyze pom.xml files for known security vulnerabilities
  • JAR File Analysis: Direct scanning of JAR files with intelligent dependency extraction
  • M2 Repository Integration: Scan Maven .m2 repository for custom and private dependencies
  • Transitive Dependencies: Always includes comprehensive transitive dependency analysis
  • Multi-Database Intelligence: Leverages OSV (Open Source Vulnerabilities) and Maven Central databases
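To make concrete what a POM scan extracts and what a query to OSV looks like, here is an added example (not the extension's own code) that parses a constructed pom.xml and builds the request body for OSV's batch query endpoint. It resolves ${property} references and versions inherited from the POM's own dependencyManagement; parent-POM inheritance and transitive resolution need Maven itself and are left out. Nothing is sent, only the body is built.

```python
"""Parse a pom.xml and build the OSV querybatch body for its direct dependencies.

Added example, not the extension's own code. Nothing is sent; the body is only
built. The POM is constructed for the example.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample POM: one version from a property, one inherited from this
# POM's dependencyManagement, and one test-scoped dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <jackson.version>2.13.0</jackson.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
        <version>1.9</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def _text(elem, tag):
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def parse_pom(pom_xml):
    """Return direct dependencies as (groupId, artifactId, version, scope).

    Resolves ${property} references (including project.version) and versions
    inherited from this POM's own <dependencyManagement>. Parent POMs and
    transitive resolution need Maven itself and are out of scope here.
    """
    root = ET.fromstring(pom_xml)
    props = {"project.version": _text(root, "version"),
             "project.groupId": _text(root, "groupId")}
    for p in root.findall("m:properties/*", NS):
        props[p.tag.rsplit("}", 1)[-1]] = (p.text or "").strip()

    def interpolate(value):
        # Unresolvable ${...} references are left untouched rather than guessed.
        return None if value is None else PROP_RE.sub(
            lambda m: props.get(m.group(1), m.group(0)), value)

    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        key = (interpolate(_text(dep, "groupId")), _text(dep, "artifactId"))
        managed[key] = interpolate(_text(dep, "version"))

    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        g, a = interpolate(_text(dep, "groupId")), _text(dep, "artifactId")
        v = interpolate(_text(dep, "version")) or managed.get((g, a))
        deps.append((g, a, v, _text(dep, "scope") or "compile"))
    return deps


def osv_querybatch(deps):
    """Body for POST https://api.osv.dev/v1/querybatch.

    OSV names Maven packages "groupId:artifactId" in the "Maven" ecosystem.
    Dependencies whose version could not be resolved are skipped, since OSV
    matches versions against affected ranges and cannot do so without one.
    """
    queries = [{"package": {"ecosystem": "Maven", "name": f"{g}:{a}"}, "version": v}
               for g, a, v, _ in deps if v and "${" not in v]
    return {"queries": queries}


if __name__ == "__main__":
    print(json.dumps(osv_querybatch(parse_pom(SAMPLE_POM)), indent=2))
```

The three query entries are exactly the data that leaves the machine for this POM: groupId, artifactId, and version, nothing else from the file.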

📊 Intelligent Reporting

  • Consolidated Vulnerability Display: Shows only the most recent CVE per dependency
  • Highest Fix Version Recommendations: Always recommends the highest available secure version
  • Enhanced Maven XML Fixes: Provides complete XML snippets for <dependencyManagement> and <dependencies> sections
  • Source Tracking: Identifies whether vulnerabilities come from POM, JAR, or M2 repository
  • Severity Breakdown: Critical, High, Medium, Low with actionable recommendations
  • Multi-File Reports: Analyze entire project structures with cross-file analysis

🚀 Performance & Efficiency

  • Smart Caching: Intelligent cache management reduces API calls and scan times
  • Parallel Processing: Process multiple files simultaneously for faster scanning
  • Batch Operations: Efficient batch processing of dependencies
  • Delta Scanning: Only scans new or modified dependencies
  • Rate Limit Detection: Automatic handling of API rate limits

📈 Export & Documentation

  • CSV Export: Export findings with enhanced Maven fix recommendations

🚀 Installation

From Visual Studio Marketplace

  1. Open VS Code
  2. Go to Extensions (Ctrl+Shift+X / Cmd+Shift+X)
  3. Search for "ProtectingCode Security Scanner"
  4. Click Install

From VSIX File

  1. Download the .vsix file
  2. In VS Code, go to Extensions (Ctrl+Shift+X)
  3. Click the "..." (More Actions) button
  4. Select "Install from VSIX..."
  5. Browse to and select the downloaded .vsix file

📖 Getting Started

Scanning a Single POM File

Method 1: Context Menu

  1. Open a pom.xml file
  2. Right-click anywhere in the file
  3. Select "Scan POM File for Security Vulnerabilities"

Method 2: Command Palette

  1. Open a pom.xml file
  2. Press Ctrl+Shift+P (Windows/Linux) or Cmd+Shift+P (Mac)
  3. Type "Scan POM" and select "Scan POM File for Security Vulnerabilities"

Scanning Options

When scanning, you'll be presented with these options:

  • POM only scan (includes transitive dependencies) - ✅ DEFAULT: Comprehensive dependency scanning including all transitive dependencies
  • Scan M2 folder for custom dependencies - Analyze Maven .m2 repository for custom/private artifacts
  • Force full scan - Bypass cache and perform complete analysis
  • Parallel file scanning - Process multiple files simultaneously (folder scans only)
  • Advanced options - Configure depth, exclusions, and batch processing

Scanning Folders

Method 1: Context Menu

  1. Right-click on any folder in the Explorer
  2. Select "Scan Folder for Security Vulnerabilities"

Method 2: Command Palette

  1. Press Ctrl+Shift+P or Cmd+Shift+P
  2. Type "Scan Folder" and select the command
  3. Choose the folder to scan

Folder Scan Features

  • JAR-Only Scan: Scan folders containing only JAR files without POM files
  • Multi-File Analysis: Analyze all POM files in a folder structure
  • Cross-File Insights: Identify common vulnerabilities and version conflicts
  • Parallel Processing: Scan multiple files simultaneously for speed

Scanning JAR Files Directly

Scan Individual JAR

  1. Right-click on a .jar file in Explorer
  2. Select "Scan JAR File for Security Vulnerabilities"

JAR Scanning Features

  • Intelligent Coordinate Extraction: Automatically identifies Maven coordinates from JAR structure
  • Multiple Detection Methods: Uses pom.properties, MANIFEST.MF, and Maven Central search
  • Version Range Support: Resolves version ranges to the latest stable version; Maven's own resolution may settle on a different version at build time, so confirm the resolved version with mvn dependency:tree before acting on a finding
  • No POM Required: Works with standalone JAR files
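As an added example of the coordinate extraction described above (not the extension's own code), the following reads Maven coordinates out of a JAR's embedded pom.properties files and falls back to MANIFEST.MF when none exist. The three JARs are built in memory for the example. Note the shaded-JAR case: an uber JAR bundles several libraries and therefore several pom.properties files, and every one of them must be reported, because each bundled library carries its own vulnerabilities.

```python
"""Extract Maven coordinates from a JAR without a POM.

Added example, not the extension's own code. The JARs are constructed in memory;
the strategy (META-INF/maven/*/*/pom.properties first, MANIFEST.MF as a fallback)
mirrors the detection methods listed above.
"""
import io
import zipfile


def build_sample_jar(entries):
    """Constructed helper: produce JAR bytes from a {path: text} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()


def _parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _parse_manifest(text):
    # MANIFEST.MF wraps long values at 72 bytes; continuation lines start with a space.
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def jar_coordinates(jar_bytes):
    """Return a list of (groupId, artifactId, version, source) tuples.

    Every pom.properties under META-INF/maven is reported, so a shaded JAR yields
    one entry per bundled library. The manifest fallback gives no groupId (None):
    a scanner then has to confirm the artifact via a Maven Central search.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = _parse_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"}.issubset(p):
                    found.append((p["groupId"], p["artifactId"], p["version"], "pom.properties"))
        if not found and "META-INF/MANIFEST.MF" in names:
            m = _parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            artifact = m.get("Bundle-SymbolicName") or m.get("Implementation-Title")
            version = m.get("Bundle-Version") or m.get("Implementation-Version")
            if artifact and version:
                found.append((None, artifact, version, "MANIFEST.MF"))
    return found


# Constructed sample 1: a plain library JAR with Maven metadata.
PLAIN_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Title: commons-text\r\n",
    "META-INF/maven/org.apache.commons/commons-text/pom.properties":
        "#Generated by Maven\nversion=1.9\ngroupId=org.apache.commons\nartifactId=commons-text\n",
})

# Constructed sample 2: a shaded JAR bundling the application and one library.
SHADED_JAR = build_sample_jar({
    "META-INF/maven/com.example/app/pom.properties": "groupId=com.example\nartifactId=app\nversion=1.0\n",
    "META-INF/maven/org.yaml/snakeyaml/pom.properties": "groupId=org.yaml\nartifactId=snakeyaml\nversion=1.33\n",
})

# Constructed sample 3: no Maven metadata at all, only an OSGi-style manifest.
MANIFEST_ONLY_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nBundle-SymbolicName: org.example.widget\r\nBundle-Version: 3.2.1\r\n",
})

if __name__ == "__main__":
    for label, jar in (("plain", PLAIN_JAR), ("shaded", SHADED_JAR), ("manifest-only", MANIFEST_ONLY_JAR)):
        print(label, jar_coordinates(jar))
```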

🔧 Configuration

Configure M2 Repository Path

For scanning custom dependencies:

  1. Press Ctrl+Shift+P or Cmd+Shift+P
  2. Type "Configure M2 Repository"
  3. The extension will auto-detect your default .m2/repository location
  4. Confirm or browse to a different location

Extension Settings

Access via: File > Preferences > Settings > Extensions > ProtectingCode Security Scanner

{
  "pomSecurityScanner.useOSV": true,
  "pomSecurityScanner.includeTransitive": true,
  "pomSecurityScanner.scanCustomDependencies": false,
  "pomSecurityScanner.m2RepositoryPath": "/path/to/.m2/repository",
  "pomSecurityScanner.cacheDuration": 86400000,
  "pomSecurityScanner.maxScanDepth": 10,
  "pomSecurityScanner.excludePatterns": ["node_modules", "target", "build"],
  "pomSecurityScanner.parallelFileScanning": true,
  "pomSecurityScanner.fileProcessingBatchSize": 5
}

🎯 Advanced Features

M2 Repository Scanning

Scan your Maven .m2 repository for custom dependencies:

  1. Enable "Scan M2 folder for custom dependencies" in scan options
  2. Configure your M2 repository path (auto-detected by default)
  3. The extension will scan for:
    • IntellectDesign dependencies
    • Custom company artifacts
    • Private dependencies
    • SNAPSHOT versions

Custom Dependency Detection

The extension automatically detects:

  • Company-specific groupIds (e.g., com.intellectdesign)
  • Private repositories
  • Custom artifacts
  • SNAPSHOT versions
  • Version ranges
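The .m2 repository has a fixed layout, <repo>/<groupId with dots as path separators>/<artifactId>/<version>/<artifactId>-<version>.jar, so coordinates can be read back from the path without opening each JAR. The following is an added example (not the extension's own code) that walks such a repository, skips classifier JARs (-sources, -javadoc, -tests), accepts timestamped SNAPSHOT files, and flags SNAPSHOT versions and company-internal groupIds. The company prefix and the sample repository are assumptions made for the example.

```python
"""Derive coordinates from the layout of a Maven local repository (.m2/repository).

Added example, not the extension's own code. The company groupId prefix and the
sample repository built in demo() are assumptions for the example.
"""
import re
import tempfile
from pathlib import Path

COMPANY_PREFIXES = ("com.intellectdesign",)  # assumed; read from configuration in practice


def coordinates_from_path(repo, jar):
    """Return (groupId, artifactId, version) for a main-artifact JAR, else None.

    Classifier JARs (-sources, -javadoc, -tests) are skipped because they are not
    on the runtime classpath. Timestamped SNAPSHOT files
    (artifact-1.0-20240101.120000-3.jar) are accepted since Maven names deployed
    snapshots that way.
    """
    parts = jar.relative_to(repo).parts
    if len(parts) < 4:
        return None
    version, artifact = parts[-2], parts[-3]
    group = ".".join(parts[:-3])
    stem = jar.stem
    if stem == f"{artifact}-{version}":
        return group, artifact, version
    if version.endswith("-SNAPSHOT"):
        base = f"{artifact}-{version[:-len('SNAPSHOT')]}"
        tail = stem[len(base):]
        # timestamped snapshot: <yyyymmdd>.<hhmmss>-<buildNumber>, nothing after it
        if stem.startswith(base) and re.fullmatch(r"\d{8}\.\d{6}-\d+", tail):
            return group, artifact, version
    return None


def scan_m2(repo):
    """List unique coordinates, flagging SNAPSHOTs and company-internal artifacts."""
    seen = {}
    for jar in sorted(repo.rglob("*.jar")):
        coords = coordinates_from_path(repo, jar)
        if coords is None or coords in seen:
            continue
        group, artifact, version = coords
        seen[coords] = {
            "coordinates": f"{group}:{artifact}:{version}",
            "snapshot": version.endswith("-SNAPSHOT"),
            "internal": group.startswith(COMPANY_PREFIXES),
        }
    return list(seen.values())


def demo():
    """Build a constructed repository in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        files = [
            "org/apache/commons/commons-text/1.9/commons-text-1.9.jar",
            "org/apache/commons/commons-text/1.9/commons-text-1.9-sources.jar",  # skipped
            "com/intellectdesign/core/2.1.0-SNAPSHOT/core-2.1.0-SNAPSHOT.jar",
            "com/intellectdesign/core/2.1.0-SNAPSHOT/core-2.1.0-20240101.120000-3.jar",  # same coords
            "com/intellectdesign/core/2.1.0-SNAPSHOT/maven-metadata-local.xml",
        ]
        for f in files:
            path = repo / f
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"")  # content is irrelevant for path-based detection
        return scan_m2(repo)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Path-based detection is fast, which is why it suits a delta scan of a large repository, but it trusts the directory names: a JAR dropped into the wrong folder, or a custom artifact repackaged under a new groupId, is reported under the coordinates of its path, and only the JAR-level metadata check above can catch that.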

Enhanced Fix Recommendations

Receive complete Maven XML fixes including:

For Direct Dependencies:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.example</groupId>
            <artifactId>vulnerable-lib</artifactId>
            <version>2.0.0</version>
        </dependency>
    </dependencies>
</dependencyManagement>

<dependencies>
    <dependency>
        <groupId>com.example</groupId>
        <artifactId>vulnerable-lib</artifactId>
        <!-- version managed by dependencyManagement -->
    </dependency>
</dependencies>

For Transitive Dependencies:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.example</groupId>
            <artifactId>transitive-lib</artifactId>
            <version>2.0.0</version>
        </dependency>
    </dependencies>
</dependencyManagement>
<!-- dependencyManagement applies to transitive dependencies too, so this pins transitive-lib to 2.0.0 without declaring it as a direct dependency -->

Confirm that the override took effect with mvn dependency:tree -Dincludes=com.example:transitive-lib. Two caveats: the dependency that pulls in transitive-lib must actually work with 2.0.0 (a forced upgrade can break it at runtime), and the pin does not reach a copy of the library that another artifact has shaded into its own JAR, which only a JAR scan will surface.

📊 Understanding Reports

Vulnerability Information

Each vulnerability shows:

  • Dependency Name and Version
  • Severity Level: Critical, High, Medium, Low
  • CVE ID
  • Most Recent CVE: Shows only the latest vulnerability; the dependency may have older advisories as well, so treat the displayed CVE as a pointer and the fix version as the actionable item
  • Highest Fix Version: Recommends the highest available secure version; this may be a new major release, so check for breaking changes before upgrading
  • Source: POM, JAR, or M2 Repository
  • Transitive Status: Direct or transitive dependency
  • Enhanced Fix Recommendations: Complete Maven XML snippets
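The consolidation rules above (one most-recent CVE, the highest fix version, a severity bucket) can be made precise with an added example (not the extension's own code) that reduces a set of OSV records for one dependency to those report fields. The records are constructed from the public Log4j 2 advisories in OSV's JSON shape, abbreviated: approximate dates, and CVE ids used directly where real OSV records carry GHSA ids with the CVE in "aliases". The version ordering is a simplified Maven ordering written for the example, not Maven's ComparableVersion. The point to notice is that the fix version must be computed across every advisory that contains the installed version, not just the most recent one, and that the consolidated view hides the other CVE ids unless they are kept alongside.

```python
"""Consolidate OSV records for one dependency into the report fields listed above.

Added example, not the extension's own code. Records are constructed from the
public Log4j 2 advisories, abbreviated. Version ordering is simplified Maven.
"""
import re
from datetime import datetime
from functools import cmp_to_key

PACKAGE = "org.apache.logging.log4j:log4j-core"

def _rng(introduced, fixed):
    return {"type": "ECOSYSTEM", "events": [{"introduced": introduced}, {"fixed": fixed}]}

def _vuln(cve, published, severity, *ranges):
    return {"id": cve, "published": published, "database_specific": {"severity": severity},
            "affected": [{"package": {"ecosystem": "Maven", "name": PACKAGE}, "ranges": list(ranges)}]}

# Constructed sample: roughly what an OSV query for log4j-core 2.14.1 returns.
SAMPLE_VULNS = [
    _vuln("CVE-2021-44228", "2021-12-10T00:00:00Z", "CRITICAL",
          _rng("2.0-beta9", "2.3.1"), _rng("2.4", "2.12.2"), _rng("2.13.0", "2.15.0")),
    _vuln("CVE-2021-45046", "2021-12-14T00:00:00Z", "CRITICAL", _rng("2.13.0", "2.16.0")),
    _vuln("CVE-2021-44832", "2021-12-28T00:00:00Z", "MODERATE", _rng("2.13.0", "2.17.1")),
]

# Qualifier order as Maven treats it: alpha < beta < milestone < rc < snapshot < release < sp.
QUALIFIERS = {"alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3, "rc": 4, "cr": 4,
              "snapshot": 5, "": 6, "ga": 6, "final": 6, "release": 6, "sp": 7}
RELEASE, ZERO = (0, 6, 0), (1, 0, 0)  # what a missing trailing segment compares as
SEVERITY = {"CRITICAL": (4, "Critical"), "HIGH": (3, "High"), "MODERATE": (2, "Medium"),
            "MEDIUM": (2, "Medium"), "LOW": (1, "Low")}

def _tokens(version):
    out = []
    for tok in re.split(r"[.\-]", version.strip()):
        if tok.isdigit():
            out.append((1, int(tok), 0))
        else:
            m = re.fullmatch(r"([A-Za-z]*)(\d*)", tok)
            name, num = (m.group(1).lower(), int(m.group(2) or 0)) if m else (tok.lower(), 0)
            out.append((0, QUALIFIERS.get(name, 6), num))
    return out

def compare_versions(v1, v2):
    """-1, 0 or 1. A missing segment counts as 0 against a number and as a plain
    release against a qualifier, so 2.17 == 2.17.0 and 2.17.0-rc1 < 2.17.0."""
    t1, t2 = _tokens(v1), _tokens(v2)
    for i in range(max(len(t1), len(t2))):
        a = t1[i] if i < len(t1) else None
        b = t2[i] if i < len(t2) else None
        if a is None:
            a = ZERO if b[0] == 1 else RELEASE
        if b is None:
            b = ZERO if a[0] == 1 else RELEASE
        if a != b:
            return 1 if a > b else -1
    return 0

def consolidate(vulns, package, installed):
    """Report fields for one dependency. Only records whose affected range contains
    the installed version count; the fix version is the highest "fixed" event across
    all of them, and all_cves lists what a most-recent-only display hides."""
    matched, fixes, worst = [], [], (0, "Unknown")
    for v in vulns:
        inside, fixed_here = False, []
        for aff in v.get("affected", []):
            if aff.get("package", {}).get("name") != package:
                continue
            for rng in aff.get("ranges", []):
                if rng.get("type") != "ECOSYSTEM":
                    continue
                ev = rng.get("events", [])
                introduced = next((e["introduced"] for e in ev if "introduced" in e), "0")
                fixed = next((e["fixed"] for e in ev if "fixed" in e), None)
                if compare_versions(installed, introduced) >= 0 and (
                        fixed is None or compare_versions(installed, fixed) < 0):
                    inside = True
                    if fixed:
                        fixed_here.append(fixed)
        if not inside:
            continue
        cve = next((a for a in v.get("aliases", []) if a.startswith("CVE-")), v["id"])
        matched.append((datetime.fromisoformat(v["published"].replace("Z", "+00:00")), cve))
        fixes.extend(fixed_here)
        sev = SEVERITY.get(v.get("database_specific", {}).get("severity", "").upper())
        if sev and sev[0] > worst[0]:
            worst = sev
    if not matched:
        return None
    matched.sort()
    return {"dependency": f"{package}@{installed}", "severity": worst[1],
            "most_recent_cve": matched[-1][1],
            "highest_fix_version": max(fixes, key=cmp_to_key(compare_versions)) if fixes else None,
            "all_cves": [cve for _, cve in matched]}

if __name__ == "__main__":
    print(consolidate(SAMPLE_VULNS, PACKAGE, "2.14.1"))
```

For log4j-core 2.14.1 this yields CVE-2021-44832 as the most recent CVE, 2.17.1 as the highest fix version and Critical as the severity, while the displayed CVE alone is only Moderate: the severity and the fix must come from the full set of matching advisories, which is what all_cves preserves.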

🛠️ Additional Commands

  • Scan POM File for Security Vulnerabilities: Scan current POM file
  • Scan Folder for Security Vulnerabilities: Scan entire folder structure
  • Scan JAR File for Security Vulnerabilities: Scan individual JAR file
  • Configure M2 Repository Path: Set Maven .m2 repository location
  • Clear ProtectingCode Security Scanner Cache: Clear cached data

⚡ Performance Tips

  1. Enable Parallel Scanning: Process multiple files simultaneously in folder scans
  2. Configure Caching: Adjust cache duration based on your needs
  3. Use Exclusion Patterns: Exclude unnecessary directories like node_modules, target
  4. Optimize Batch Size: Adjust file processing batch size for your system
  5. M2 Repository: Place on SSD for faster custom dependency scanning

🐛 Troubleshooting

Issue: Rate limiting errors
Solution: Wait a few minutes and try again, or scan fewer dependencies at once.

Issue: No results showing
Solution: Verify that the POM declares dependencies with groupId, artifactId, and a resolvable version (directly, through a property, or via dependencyManagement).

Issue: Extension not responding
Solution: Reload the window from the Command Palette (Ctrl+Shift+P or Cmd+Shift+P, then "Developer: Reload Window").

Issue: Incorrect vulnerability reports
Solution: Run "Clear ProtectingCode Security Scanner Cache" and scan again.

Issue: JAR scan fails
Solution: Ensure the JAR is not corrupted and contains Maven metadata (META-INF/maven/<groupId>/<artifactId>/pom.properties, or a MANIFEST.MF with implementation attributes).

Issue: M2 scan finds nothing
Solution: Verify that the M2 repository path is correct and that the repository contains custom dependencies.

Issue: Transitive dependencies missing
Solution: Transitive dependencies are always included; check that Maven can resolve them, for example with mvn dependency:tree.

🔐 Security & Privacy

This extension:

  • ✅ Only scans files you explicitly choose
  • ✅ Sends only dependency coordinates (groupId, artifactId, version) to the vulnerability databases (OSV and Maven Central); note that with M2 scanning enabled this includes the coordinates of private or company-internal artifacts found in the repository, which matters if those names are themselves sensitive
  • ✅ Stores cache locally on your machine
  • ✅ Does not collect usage statistics
  • ✅ Does not transmit personal information
  • ✅ Open source and transparent

Stay Secure, Code Confidently!
