The PT Application Inspector extension finds vulnerabilities and undocumented features in application source code. It helps developers detect security flaws at the early stages of development. The extension supports the following languages: C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, SQL, Solidity, TypeScript, C/C++, Objective-C, and Swift.
Note: This is a preview version (Alpha). Currently, the core features are implemented: local code scanning, visualization of found vulnerabilities, and status management (triage). More advanced features, including server integration, will appear in future updates.
Key features of the extension include:
- Static Analysis. Scan your solution (.sln) files directly within the Visual Studio IDE.
- Vulnerability Detection. Discover potential security threats in your code.
- Vulnerability Triage. Confirm, reject, or suppress found vulnerabilities.
- Dependency Analysis. Check configuration files and third-party components for known vulnerabilities.
- Results Filtering. Filter found vulnerabilities by severity level, status, and exclusion from scan results.
You can enable the plugin for an open Solution. If the solution is opened again, the extension will activate automatically (scan history and actions are preserved).
To enable the extension:
- Open a solution or project in Visual Studio. The extension will detect it hasn't been activated for this solution and display a notification.
- Click Enable. The extension will initialize and create a hidden .ai folder in your solution root. This folder stores the local database, logs, and configuration file.
The PT Application Inspector code analyzer is required for the extension to work correctly. You can install it in two ways:
- Automatically — recommended if internet access is available.
- Manually — used when the computer is on a closed (isolated) network or has limited internet access.
Automatic Installation
To install the analyzer:
- In the popup notification in the lower right corner of the window, click Download Analyzer.
- If you missed the notification, start the download via the menu: Extensions → PT Application Inspector → Download Analyzer.
- Wait for the download and installation to complete.
Manual Installation
To install the analyzer:
- On a computer with internet access, download the analyzer archive.
- On the target computer, open File Explorer and navigate to %LOCALAPPDATA%\Application Inspector Analyzer (typically C:\Users\<UserName>\AppData\Local\Application Inspector Analyzer). If the folder doesn't exist, create it.
- Extract the contents of the downloaded archive into this folder.
  Note: After extraction, the AI.PluginsBackend.exe file should be located at %LOCALAPPDATA%\Application Inspector Analyzer\AI.PluginsBackend.exe, not in a subfolder.
- Restart Visual Studio. Upon startup, the extension will automatically check for the files and be ready for scanning.
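
The manual installation steps above, scripted in PowerShell as an added example (it is not part of the extension or its documentation). It assumes the analyzer archive is a .zip file; $ArchivePath is a hypothetical parameter pointing at the copy brought over from the internet-connected machine.

```powershell
# Added example: offline install of the analyzer into the folder named on this page.
param(
    # Hypothetical parameter: path to the archive copied to the target computer.
    [Parameter(Mandatory)][string]$ArchivePath
)

$ErrorActionPreference = 'Stop'
$target  = Join-Path $env:LOCALAPPDATA 'Application Inspector Analyzer'
$backend = Join-Path $target 'AI.PluginsBackend.exe'

if (-not (Test-Path -LiteralPath $ArchivePath -PathType Leaf)) {
    throw "Archive not found: $ArchivePath"
}

# Create the analyzer folder if it does not exist yet.
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Assumption: the archive is a .zip (Expand-Archive handles only that format).
Expand-Archive -LiteralPath $ArchivePath -DestinationPath $target -Force

if (-not (Test-Path -LiteralPath $backend -PathType Leaf)) {
    # Failure mode from the note above: the archive unpacked into a subfolder.
    $nested = Get-ChildItem -LiteralPath $target -Recurse -File -Filter 'AI.PluginsBackend.exe' |
        Select-Object -First 1
    if ($null -eq $nested) {
        throw 'AI.PluginsBackend.exe was not found in the archive.'
    }

    # Move everything from the wrapping folder up to the expected root.
    $wrapper = $nested.Directory.FullName
    Write-Warning "Analyzer unpacked into '$wrapper'; moving its contents to '$target'."
    Get-ChildItem -LiteralPath $wrapper -Force | Move-Item -Destination $target -Force
}

# Final check: the executable must sit directly in the analyzer folder.
if (-not (Test-Path -LiteralPath $backend -PathType Leaf)) {
    throw "Installation incomplete: $backend is still missing."
}

Write-Host "Analyzer installed: $backend"
Write-Host 'Restart Visual Studio so the extension can detect the files.'
```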
After enabling the extension and installing the analyzer, the PT Application Inspector tool window opens automatically.
Project scanning is launched using the
and
buttons.
You can track scan progress on the Output tab. The first scan usually takes longer because the vulnerable components database is loaded for the first time.
Scanning is performed using default parameters. These parameters can be modified in the .aiproj.json configuration file. To open the .aiproj.json file, click the gear button.
The list of found vulnerabilities is displayed in the Error List window. Double-clicking a vulnerability in this list highlights the line with its exit point in the code editor.
Clicking on the highlighted code fragment in the editor opens the Vulnerability Details window with detailed information about the vulnerability.
The Description tab contains a description of the vulnerability, example attack scenarios, remediation recommendations, and links to additional reference information.
The Data Flow tab contains a data flow diagram that shows how each process transforms its input data into output data and how processes interact with each other. Data flow diagrams consist of the following sections:
- Entry Point — the starting point of the control flow.
- Data Entry — the file and line of code with data entry coordinates.
- Data Operation — description of one or more functions modifying potentially dangerous input data. This section may be absent if the input data is not modified.
- Exit Point — the execution line of the potentially vulnerable function. This is the exit point associated with the vulnerability in the source code.
- Best place to fix — the line of code most suitable for fixing the vulnerability. This section is displayed before the data flow.
From any section of the data flow diagram, you can jump to the corresponding location in the code editor.
The Exploit tab contains a test HTTP request (exploit) that allows for exploitation of the vulnerability in a deployed web application.
Some vulnerabilities have additional exploitation requirements, which can be viewed on the Additional Conditions tab.
The PT Application Inspector extension includes a set of tools for working with found vulnerabilities. With these tools, you can:
- Confirm and reject vulnerabilities:
  - Using the Approve (checkmark) and Reject (cross) buttons in the Vulnerability Details window.
  - In the vulnerability's context menu in the Error List window.
  - In the Quick Actions context menu (Alt+Enter or Ctrl+.), which is displayed next to the highlighted vulnerability in the code editor.
- Filter vulnerabilities by severity level, status, and exclusion from scan results using the Filter button in the PT Application Inspector tool window.
- Suppress vulnerabilities from scan results. Suppressed vulnerabilities are hidden by default in scan results but can be viewed using filters.
You can configure the extension parameters in the Tools → Options → PT Application Inspector menu.
The configuration page contains the following settings:
- Analyzer Log Level — the severity level starting from which code analyzer events will be logged. Default is Error.
- Enable extension automatically — automatic activation of the extension when a project is opened. Default is disabled.
- Use all available resources — use all available RAM and CPU resources to increase scanning speed. Default is enabled.
- Maximum number of stored log files — the number of log files stored on the hard drive. Default is 100.
- Number of days to store log files for — the number of days after which log files are automatically deleted. Default is 30.
- Number of scan results — the maximum number of scan results saved in the history. Default is unlimited. If the limit is exceeded, each new scan result removes the oldest one.
To ensure the PT Application Inspector extension works correctly, the following technical requirements must be met:
- Microsoft Visual Studio 2022 and above;
- 64-bit version of Windows 10 or Windows 11;
- 8 GB of RAM;
- 5 GB of hard disk space.
By default, the PT Application Inspector extension collects anonymous usage data and sends it to our specialists to help them understand how to improve the product. We do not share the collected information with third parties. We do not collect source code or IP addresses.




