VS Code extension
Fluid Attacks has an extension for the Visual Studio Code (VS Code) editor. With it, you can see the vulnerabilities reported on the ARM platform from within the editor: the extension points you to the specific file and line of code where each vulnerability was reported and links you to the corresponding criteria documentation. Keep in mind that only the files that were part of the analysis input (the repositories the ARM analyzes) will show this information.
Download extension
To install the extension, open the Extensions view in VS Code and type Fluid Attacks in the search bar.
Configure the editor with the ARM
Once you have installed the extension, you need to configure it so that the editor can connect to the ARM. Go to Configuration => Settings.
In the settings search bar, enter the name of the Fluid Attacks extension and, in its settings, enter your ARM API token. After entering it, close and reopen the editor for the change to take effect. Note that VS Code stores settings as plain-text JSON, so enter the token in your User settings rather than in a Workspace settings file (.vscode/settings.json) that could be committed to the repository, and treat it like any other credential.
Functions
Once you have installed and configured the extension, you can use it. The functions you will find are:
Pointing out the file and the line of code with the vulnerability.
Redirecting from that vulnerability to the ARM.
Applying the Temporarily accepted treatment.
Going to criteria.
Requesting a reattack.
File and code line pointing
To see the vulnerabilities reported in the ARM from the editor, open the project (repository) that is active in the vulnerability analysis. Files with reported vulnerabilities are marked with red dots; you can also open the list of reported vulnerabilities directly by clicking on the X symbol.
From that list, clicking on a vulnerability takes you to the file and the vulnerable line of code.
Redirection to the ARM platform
Once you are on the line of code where the vulnerability is reported, hover the mouse cursor over it. A pop-up window shows the definition of the vulnerability and a link to it.
Clicking on the link opens the ARM at the location of that reported vulnerability.
Temporarily accepted treatment
You can apply the Temporarily accepted treatment by right-clicking on the vulnerable line of code.
You will be asked for the justification and the date for the treatment. This records an acceptance of the risk for that period; it does not fix the vulnerability.
Go to criteria
Clicking on criteria takes you to the corresponding criteria documentation.
Request reattack
You can also request a reattack by clicking on this option; you will be asked for a justification. Request it once the fix is in the analyzed repository, so that the verification runs against the corrected code.
Troubleshooting
If some repositories are not detected after installing the extension, go to the settings section of the Fluid Attacks extension and add the groups those repositories belong to.
There, click where it says Edit in settings.json.
This opens the settings file as a .json file, where you can add the groups whose repositories are not being detected.