Repository Management with Nexus
The following example details how you can analyze the security issues reported for an artifact by a repository health check and determine a solution with the help of the information available in Nexus.
After performing a repository health check as documented in the prior sections of Chapter 12, Repository Health Check, you noticed the artifact with the Group org.springframework, the Artifact spring-beans and Version 2.5.4. Upon further inspection of your software build and the components used, you can confirm that this artifact is indeed part of your shipping software.
Sonatype CLM for CI can help you with the detection of license and security issues during continuous integration builds. Sonatype App Health Check allows you to analyze already assembled application archives.
A GAV search for the artifact in Nexus as documented in Section 5.10, “Searching for Artifacts” allows you to inspect the Component Info tab for the artifact displayed in Figure 12.7, “GAV Search Results for org.springframework:spring-beans and Component Info Tab for Version 2.5.4”.
Figure 12.7. GAV Search Results for org.springframework:spring-beans and Component Info Tab for Version 2.5.4
For example, after reading the summary and inspecting the entries for the security issues in the security databases linked in the Problem Code column, you decide that these issues affect your software and a fix is required. In order to determine your next steps you search for all versions of the spring-beans artifact. As a result you receive the list of all available versions, partially displayed in Figure 12.8, “Viewing Multiple Versions of org.springframework:spring-beans:x”. The Security Issues column in the search results list displays a count of two security issues for version 2.5.4 of the library.
Looking at the Security Issues column in the results shows that upgrading the library to version 2.5.6.SEC02 drops the count of security issues to zero. The same applies to version 2.5.6.SEC03, which appears to be the latest 2.x release of the artifact. In addition, the table shows that early 3.x releases were affected by security issues as well.
With these results, you decide that an immediate update to version 2.5.6.SEC03 will be required as your next step. In the longer term an update to a newer version of the 3.x or even 4.x releases will follow.
The necessary steps to upgrade depend on how your build uses the spring-beans library. If your project declares it as a direct dependency, you can upgrade it directly. In most cases this will also require upgrading the other Spring Framework libraries to matching versions. If spring-beans enters your build only as a transitive dependency, you first need to identify which dependency pulls it in, and then either upgrade that dependency or override the version of spring-beans that is resolved.
The exact steps will depend on the build system used, but in all cases you now have the information at hand detailing why you should upgrade and which version to upgrade to. This allows you to carry out your component lifecycle management effectively. Sonatype CLM offers tools for these migration efforts as well as various ways to monitor your development for security, license, and other issues.
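For a Maven build, the transitive case described above can be handled in the POM. The following is an added example, not taken from the Nexus book or from Sonatype; only the spring-beans coordinates and the 2.5.6.SEC03 target version come from the text, while the com.example:some-library dependency that is assumed to drag in spring-beans 2.5.4 is a placeholder. Run mvn dependency:tree -Dverbose -Dincludes=org.springframework:spring-beans first to see the actual path through which the vulnerable version enters your build, then pin the fixed version with dependencyManagement:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: pinning a transitive spring-beans to the fixed version.
     com.example:some-library:1.0 is a hypothetical dependency assumed to
     bring in org.springframework:spring-beans:2.5.4 transitively. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>my-application</artifactId>
  <version>1.0.0</version>

  <!-- dependencyManagement wins over the version requested by any
       transitive dependency, so every path that resolves spring-beans
       now resolves 2.5.6.SEC03 instead of 2.5.4. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>2.5.6.SEC03</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Hypothetical library that depends on spring-beans 2.5.4. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>some-library</artifactId>
      <version>1.0</version>
    </dependency>
  </dependencies>
</project>
```

After the change, rerun mvn dependency:tree -Dincludes=org.springframework:spring-beans and confirm that only 2.5.6.SEC03 appears. Because spring-beans 2.5.x is binary compatible within the 2.5 line, the pin is a low-risk immediate fix; the later move to a 3.x or 4.x release should be done by upgrading the declared Spring Framework dependencies together rather than by pinning a single artifact, since mixing Spring module versions across major releases is not supported.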