WhiteSource Cure automatically generates remediation suggestions and proposed fixes for vulnerabilities identified by detection tools in proprietary code. The remediation suggestions, called “reports”, are displayed on the vulnerable code itself and can be used as-is in your IDE.
Developers can simply review and accept the proposed suggestion. Once accepted, it appears as if the developers wrote the fix themselves.
By utilizing third-party SAST tool results, WhiteSource Cure provides a code fix suggestion that automatically remediates vulnerable code as if the developers fixed such code themselves. Developers just need to review and accept the proposed secure code.
The solution is case-specific, accurate and effortless, thereby saving valuable time and friction that promotes secure coding. This enables customers to dramatically shorten the remediation time of the detected vulnerabilities while training the developers with proper remediation methods.
Modes of Operation
The community edition version supports two modes of operations:
IDE plugin - Remediation suggestions are presented in the IDE for developers to review and accept. See here. NOTE: Currently only JetBrains is supported. Future versions will support additional IDEs.
Web-based application - Displays all remediation suggestions per specific repository. See here.
Supported IDEs: JetBrains IntelliJ IDEA
SAST tools detection formats: Semmle and LGTM.com (SARIF format)
Familiarity with the JetBrains IDE, its interface, and basic functionality
Logging in to Cure
To log in to WhiteSource Cure, clickhere. The WhiteSource Cure login screen is displayed.
Generating Remediation Suggestions
To generate remediation suggestions, do as follows:
In Repository URL, enter the URL of the GitHub repository. NOTE: Only Java projects are supported.
In SARIF File, upload the detection result file (see here) or leave it empty. If left empty, WhiteSource Cure will automatically request a SARIF file from lgtm.com.
Click Fix it!. In the Confirmation popup, ensure that you agree to the terms of service, and click Agree.
The Working on Remediation screen is displayed, with the remediation’s status (this can take a few minutes).
Viewing Remediation Suggestions
After you generated remediation suggestions, the Remediation screen is displayed:
The navigation pane on the left displays the following:
The total number of all remediation suggestions, for example, “46 Remediation Suggestions”
The vulnerabilities grouped by subject, for example, Cross-Site Scripting, Sensitive Cookies, etc., plus the file name and line number in which that vulnerability type appears, for example, CWE 113 - HTTP Response Splitting (4).
The Remediation screen displays suggestions on how to remediate your code. Do as follows:
Ensure that the main screen is open to the Remediation tab.
Drill down to the vulnerability to which you want remediation suggestions, and double-click it. The remediation report is displayed in the Remediation screen, containing the original code plus a suggestion on how to fix the vulnerability.
The fix suggestion can be viewed in side-by-side mode (default) or unified mode. Use the toolbar buttons on the top right to toggle between them.
If you agree with the proposed fix, copy the URL and add it to a ticket. Alternatively, use the IDE plugin.
The Detection screen displays details of the actual “trace”, that is, the flow of the vulnerability and its attack vector as it propagates through the code.
NOTE: The Detection trace presented is taken from the provided SARIF file.
Click Detection. The Detection screen is displayed.
Note the numbers that indicate the trace, as shown in this example:
To help follow the trace, use the toolbar on top, to choose a trace to view (in case multiple traces are available). The numbers indicate which indicates the number of steps in the trace, plus back and forth arrows for navigation inside a specific trace.
The Description screen provides a free-text description of the vulnerability, the manner in which we remediate it, plus important links. Do as follows:
Click Description. The Description screen is displayed.
Use the information described therein as needed.
IDE Plugin Mode
Currently only JetBrains is supported.
The IDE plugin remediation mode displays suggestions in the IDE for developers to review and accept. The plugin can be installed from here or directly from the JetBrains marketplace.
The plugin can be downloaded from JetBrains marketplace. Install it in the IDE (Install plugin from Disk option after clicking double shift). The plugin lists the remediation suggestions and enables developers to review and accept the remediation suggestion via “one-click”.
Once installed, the IDE is ready to be used. Do as follows:
In the IDE, open the project for which you created a remediation suggestion (report).
Click on the “earth” icon located in the plugin’s left pane. The Upload Remediation Report popup is displayed.
Copy the URL of the report you generated in Step 1 and paste it here. After a few seconds, the plugin will display a list of available remediation suggestions:
The plugin contains the following sections per project with remediations:
Vulnerability list - A list of all vulnerabilities found within the scanned code, aggregated by CWE type
Remediation tab - Includes the remediation differences displayed in the IDE. This enables you to do the following:
Browse the proposed changes
Select view options (unified or side-by-side)
Select and view file from Affected Files - The remediation suggestion may affect multiple files (in most cases only one file will require a change). In such cases, you can choose the file to view from the Affected Files dropdown list.
Choose Fix - In case there are multiple suggestions, you can select the one that you prefer from the Fix Options dropdown list
Important - After reviewing and approving the fix, to automatically change the code and save it locally, click Cure.
Description tab - Includes the following:
Descriptions of the weakness and the remediation required
Appendix: Supported CWEs
The following CWEs are supported:
CWE 22 - Path Traversal
CWE 23 - Relative Path Traversal
CWE 36 - Absolute Path Traversal
CWE 78 - OS Command Injection
CWE 79 - XSS - Cross Site Scripting
CWE 80 - Basic XSS - Improper Neutralization of Script-Related HTML Tags in a Web Page
CWE 81 - Improper Neutralization of Script in an Error Message Web Page
CWE 83 - Improper Neutralization of Script in Attributes in a Web Page
CWE 84 - Improper Neutralization of Encoded URI Schemes in a Web Page
CWE 85 - Doubled Character XSS Manipulations
CWE 86 - Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE 87 - Improper Neutralization of Alternate XSS Syntax
CWE 89 - SQL Injection
CWE 90 - LDAP Injection
CWE 93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE 113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CWE 117: Improper Output Neutralization for Logs
CWE 564 - SQL Injection - Hibernate
CWE 614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE 643 - Xpath Injection
CWE 611 - XXE - External XML Parsing
CWE 692 - Incomplete Denylist to Cross-Site Scripting
CWE 776 - XML Entity Expansion
CWE 827 - Improper Control of Document Type Definition