Package Checker analyzes dependencies inside the IDE. Does it send data about my dependencies somewhere?
IntelliJ IDEA doesn't connect Checkmarx directly. Instead, we have package and vulnerability data stored on the JetBrains server to where IntelliJ IDEA is connecting to. The connection to the JetBrains server is encrypted.
The server receives hashes of your packages and matches them with those we have at https://package-search.jetbrains.com. This way, we don't analyze your proprietary/private packages, only those we've preliminarily obtained from the available open source repositories. We don't log or process hashes that didn't match the list of hashes we knew before.
We do it anonymously - we don't have a way to find out which packages came from a particular company or user.