Repository Management with Nexus

12.2. Accessing the Detailed Repository Health Check Report

The detailed report contains the same overview data and charts for security and license information at the top displayed in Figure 12.4, “Summary of the Detailed Repository Health Check Panel” .

figs/web/rhc-detail-summary.png

Figure 12.4. Summary of the Detailed Repository Health Check Panel


Below this overview, as visible in Figure 12.4, “Summary of the Detailed Repository Health Check Panel”, a drop-down for security and license information allows you to toggle between two lists displaying further details. Select to View By: Vulnerabilities to inspect the security issues and View By: Artifacts to review the license information. Both lists have a filter for each column at the bottom of the list that allows you to narrow down the number of rows in the table and find specific entries easily.

The security list as visible in Figure 12.5, “The Security Data in the Detailed Repository Health Check Report” contains columns for Threat Level, Problem Code and the GAV parameters identifying the affected artifact. The Problem Code column is a link to the security warning referenced and commonly links a specific entry in the Open Source Vulnerability Database or the Common Vulnerabilities and Exposures list. Both of these databases have a descriptive text for the vulnerability and further information and reference links.

figs/web/rhc-detail-security-list.png

Figure 12.5. The Security Data in the Detailed Repository Health Check Report


The Threat Level is rated in values used by the vulnerability databases and ranges from 0 for a low threat to 10 for the highest threat. Critical values (noted in red) range from 8 to 10. Severe values (noted in orange) range from 4-7, and Moderate values (noted in yellow) range from 1 to 3.

The license list as visible in Figure 12.6, “The License Data in the Detailed Repository Health Check Report” shows a derived threat in the Effective License Threat column. The Declared License column details the license information found in POM file. The Observed Licenses in Source columns lists all the licenses found in the actual source code of the library in the form of file headers and license files. The next columns for the GAV parameters allow you to identify the artifact. The last column Security Issues displays an indicator for potentially existing security issue for the same artifact.

figs/web/rhc-detail-license-list.png

Figure 12.6. The License Data in the Detailed Repository Health Check Report


Licenses such as GPL-2.0 or GPL-3.0 are classified as the highest License Threat and labeled as Copyleft and use red as signaling color.

A Non Standard or Not Provided license is classified as a moderate threat and uses orange. Non Standard as a classification is triggered by the usage of atypical licenses for open source software such as CharityWare license, BeerWare, NCSA Open Source License and many others. Not Provided is trigged as classification if no license information was found anywhere.

Licenses such as CDDL-1.0, EPL-1.0 or GPL-2.0-CPE receive a Weak Copyleft classification and yellow as notification color.

Liberal licenses that are generally friendly to inclusion in commercial products use blue and include licenses such as Apache-2.0, MIT or BSD.

A general description about the implications of the different licenses is available when hovering over the specific category in the License Analysis Summary. Further information about the different licenses can be obtained from the Open Source Initiative. Mixed license scenarios like a mixture of licenses such as Apache-1.1, Apache-2.0, LGPL and LGPL-2.1 can be complicated to assess in its impact and might be legally invalid depending on the combination of licenses observed. Detailed implications to your business and software are best discussed with your lawyers.

Nexus will report all artifacts in the local storage of the respective repository in the detail panel. This means that at some stage a build running against your Nexus instance required these artifacts and caused Nexus to download them to local storage.

To determine which project and build caused this download to be able to fix the offending dependency by upgrading to a newer version or removing it with an alternative solution with a more suitable license, you will have to investigate all your projects.

Sonatype CLM itself helps with these tasks by enabling monitoring of builds and products, analyzing release artifacts and creating bill of material and other reports.