Repository Management with Nexus
The detailed report contains the same overview data and charts for security and license information at the top displayed in Figure 12.3, “Summary of the Detailed Repository Health Check Panel” .
Below this overview a drop down for Security and License information allows you to toggle between two lists displaying further details. Both lists have a filter for each column at the bottom of the list that allows you to narrow down the number of rows in the table and therefore find specific entries easily.
The security list as visible in Figure 12.4, “The Security Data in the Detailed Repository Health Check Report” contains columns for Threat Level, Problem Code and the GAV parameters identifying the affected artifact. The Problem Code column is a link to the security warning referenced and commonly links a specific entry in the Open Source Vulnerability Database or the Common Vulnerabilities and Exposures list. Both of these databases have a descriptive text for the vulnerability and further information and reference links.
The Threat Level is rated in values used by the vulnerability databases and ranges from 0 for a low threat to 10 for the highest threat. Values from 8-10 are classified as Critical and are displayed as red notification, values from 4 to 7 are classified as Severe and use orange and values from 1 to 3 are classified as Moderate and use yellow as notification color.
The license list as visible in Figure 12.5, “The License Data in the Detailed Repository Health Check Report” shows a derived threat in the Effective License Threat column. The Declared License column details the license information found in pom file. The Observed Licenses in Source columns lists all the licences found in the actual source code of the library in the form of file headers and license files. The next columns for the GAV parameters allow you to identify the artifact. The last column Security Issues displays an indicator for potentially existing security issue for the same artifact.
Licences such as GPL-2.0 or GPL-3.0 are classified as the highest License Threat and labelled as Copyleft and use red as signalling color.
Non Standard or Not Provided license are classified as a moderate threat and use orange. Non Standard as a classification is triggered by the usage of atypical licenses for open source software such as CharityWare license, BeerWare, NCSA Open Source License and many others. Not Provided is trigged as classification if no license information was found anywhere.
Licenses such as CDDL-1.0, EPL-1.0 or GPL-2.0-CPE receive a Weak Copyleft classification and yellow as notication color.
Liberal licences that are generally friendly to inclusion in commercial products are using blue and include licences such as Apache-2.0, MIT or BSD.
A general description about the implications of the different licenses is available when hovering over the specific category in the License Analysis Summary. Further information about the different licenses can be obtained from the Open Source Initiative. Mixed license scenarios like a mixture of licenses such as Apache-1.1, Apache-2.0, LGPL and LGPL-2.1 can be complicated to assess in its impact and might be legally invalid depending on the combination of licenses observed. Detailed implications to your business and software are best discussed with your lawyers.
Nexus will report all artifacts in the local storage of the respective repository in the detail panel. This means that at some stage a build running against your Nexus instance required these artifacts and caused Nexus to download them to local storage.
To determine which project and build caused this download to be able to fix the offending dependency by upgrading to a newer version or removing it with an alternative solution with a more suitable license you will have to investigate all your projects.
Sonatype CLM itself helps with these tasks by enabling monitoring of builds and products, analyzing release artifacts and creating bill of material and other reports.