IDE Extension
Fluid Attacks has a powerful extension for the Visual Studio Code (VS Code) editor. With this extension, you can see the vulnerabilities reported in the platform: it points you to the specific file and line of code where each vulnerability was reported and redirects you to the criteria documentation.
Remember that only the files you supplied as analysis input will reflect this information.
To get started with the extension, follow the steps below.
Download extension
To download the extension, navigate to the Extensions section of VS Code and search for Fluid Attacks in the search bar.
Configure the editor with Fluid Attacks platform
Once the extension is downloaded, configure it to connect to the Fluid Attacks platform: go to Configuration => Settings.
In the search bar, type the name of the Fluid Attacks extension, then enter your platform API token. After entering the token, close and reopen your editor to apply the changes.
Once the extension is installed and configured, open VS Code in a project where vulnerability analysis is active; you should see the extension icon. You'll also notice that files containing vulnerabilities are marked with red dots.
Functions
You can use the extension's functionality in two different ways, both of which perform the same actions: by clicking on the Fluid Attacks icon, or by opening the files marked with red dots, which indicate vulnerabilities. Within the tool, you have access to the following functions:
Pointing out the file and the line of code with the vulnerability.
Redirecting from that vulnerability to the Fluid Attacks platform.
Applying the Temporarily accepted treatment.
Going to criteria.
Requesting a reattack.
Functionalities through the Fluid Attacks icon
File and code line pointing
Upon clicking the Fluid Attacks extension icon, you will be presented with a comprehensive list of vulnerability types detected in your code.
Clicking on any selected vulnerability type will list all the files containing vulnerabilities corresponding to that type.
Selecting any of the files will show you the line of code where the vulnerability is present, underlined with a red line.
Temporarily accepted treatment
If you look at the file list on the right side, you will notice two icons, one of which is a calendar. Clicking on this icon applies the "Accept Vulnerability Temporary" treatment to that vulnerability.
After applying it, you will receive a success message confirming that the treatment was applied to the vulnerability. Additionally, if you refresh the view, the underline color of the vulnerability changes from red to yellow, indicating that the temporary treatment has been applied.
Request reattack
You can also request a reattack for a vulnerability by clicking on the shield icon.
You will receive a success message once the action is applied. Additionally, if you refresh the view, the underline color of the vulnerability changes from red to blue, indicating that the reattack was successfully requested.
Get Custom Fix
You can request a personalized guide to resolving the vulnerability by clicking on the wrench icon. This guide is AI-generated to assist with the specific issue you are facing.
The guide is generated by transmitting a minimal fragment of the affected code via a secure API. Consistent with the applicable usage policies, you can be confident that this data will be handled with the utmost care. Your information will not be used, stored, or shared, ensuring the continued confidentiality and integrity of your code.
Note that the initial generation for each vulnerability may take some time. To improve efficiency, the response is cached for future reference; should the vulnerable commit change, a new guide will be generated. The process uses the code version stored by Fluid Attacks, not the locally stored code. If you modify the code, make sure to push it to the repository and synchronize it from the vulnerability management platform.
Go to criteria and finding
You can navigate to the criteria or directly to the finding on the platform by right-clicking on the vulnerability type title.
There, you will see these two options: clicking "Go to Criteria" will take you to our documentation, and clicking "Go to Finding" will redirect you to our platform.
Finding description
To access the vulnerability description, right-click on the vulnerability and choose the option "See finding description."
This opens a tab on the right side showing the finding description, Attack Vector, Threat, Severity score, and Average remediation time per vulnerability.
Another way to access this functionality is to right-click on the vulnerability title; there you will see its description.
Refresh button
If you want to verify that the changes you've made have been applied, click on the refresh button.
Vulnerabilities to which a reattack or temporary treatment has been applied will change the color of their highlighting: a blue line indicates a reattack was requested, while a yellow line indicates a temporary treatment was applied.
Functionalities through the files
File and code line
To visualize the vulnerabilities reported in the Fluid Attacks platform from the editor, open the project in which vulnerability analysis is active. You can identify the affected files by their red dots, or open them directly at the file line by clicking on the X symbol.
You will see a list of vulnerabilities; selecting one redirects you to the file and the vulnerable line of code.
Redirection to Fluid Attacks platform
Once you are at the line of code where the vulnerability is reported, hover your mouse cursor over it, and a pop-up window will show the definition and a redirection link.
Clicking on the link will open the Fluid Attacks platform at the location of this reported vulnerability.
Apply Temporarily accepted treatment
You can apply the Accept Vulnerability Temporary treatment by right-clicking on the line of code.
There you enter the justification and the date of the treatment application.
Go to criteria
Clicking on the criteria option will take you to the documentation.
Request a reattack
You can also request a reattack by clicking on the reattack option, where you will enter the justification.
See Finding description
Clicking on this option opens a window on the right side displaying information about the finding: description, Attack Vector, Threat, Severity score, and Average remediation time per vulnerability.