Repository Management with Nexus

12.3. Example: Analyzing a Security Vulnerability

The following example details how you can analyze security issues of an artifact found in your repository health check and determine a solution with the help of information available in Nexus.

After performing a repository health check as documented in the prior sections of Chapter 12, Repository Health Check, you noticed the artifact with the Group org.springframework, the Artifact spring-beans and Version 2.5.4. Upon further inspection of your software build and the components used, you can confirm that this artifact is indeed part of your shipping software.

[Tip]

Sonatype CLM for CI can help you with the detection of license and security issues during continuous integration builds. Sonatype App Health Check allows you to analyze already assembled application archives.

A GAV search for the artifact in Nexus as documented in Section 5.10, “Searching for Artifacts” allows you to inspect the Component Info tab for the artifact displayed in Figure 12.7, “GAV Search Results for org.springframework:spring-beans and Component Info Tab for Version 2.5.4”.

[Image: figs/web/rhc-spring-component-info.png]

Figure 12.7. GAV Search Results for org.springframework:spring-beans and Component Info Tab for Version 2.5.4
After reading the summary and inspecting the entries for the security issues in the security databases linked in the Problem Code column, you decide that these issues affect your software and a fix is required. In order to determine your next steps, you search for all versions of the spring-beans artifact. As a result you receive the list of all available versions, partially displayed in Figure 12.8, “Viewing Multiple Versions of org.springframework:spring-beans:x”. The Security column in the search results list displays a count of two security issues for version 2.5.4 of the library.

[Image: figs/web/rhc-spring-list.png]

Figure 12.8. Viewing Multiple Versions of org.springframework:spring-beans:x
Looking at the Security Issues column in the results allows you to determine that with an upgrade of the library to version 2.5.6.SEC02 the count of security issues drops to zero. The same applies to version 2.5.6.SEC03, which appears to be the latest release in the 2.x line of the artifact. In addition, the table shows that early versions of the 3.x releases were affected by security issues as well.

With these results, you decide that an immediate update to version 2.5.6.SEC03 will be required as your next step. In the longer term an update to a newer version of the 3.x or even 4.x releases will follow.

The necessary steps to upgrade depend on how your build uses the spring-beans library. If you declare the library directly, you can upgrade it directly; in most cases this will also require an upgrade of the other SpringFramework libraries to a matching version. If spring-beans enters your build indirectly as a transitive dependency, you will need to either upgrade the dependency that pulls it in or override the version that is used.
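As an added example (not part of this book and not a Sonatype tool), the following Python helper reads the output of `mvn dependency:tree` and reports, for a flagged artifact such as org.springframework:spring-beans, whether it is declared directly in the POM or pulled in transitively, and through which dependency. It assumes a Maven build; the tree text is constructed for illustration, not real project output.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not real project data):
# spring-beans 2.5.4 enters the build only transitively, via two parents.
SAMPLE_TREE = "\n".join([
    "[INFO] com.example:myapp:jar:1.0",
    "[INFO] +- org.springframework:spring-context:jar:2.5.4:compile",
    "[INFO] |  +- org.springframework:spring-beans:jar:2.5.4:compile",
    "[INFO] |  \\- org.springframework:spring-core:jar:2.5.4:compile",
    "[INFO] +- org.springframework:spring-web:jar:2.5.4:compile",
    "[INFO] |  \\- org.springframework:spring-beans:jar:2.5.4:compile",
    "[INFO] \\- junit:junit:jar:4.8:test",
])

# A tree node line: optional "[INFO] ", then 3-char tree prefixes, then a coordinate.
NODE_RE = re.compile(r"^(?:\[INFO\] )?((?:\+- |\\- |\|  |   )*)(\S+)$")


def parse_tree(text):
    """Yield (depth, coordinate) for every dependency node in the tree output."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line.rstrip())
        if m and m.group(2).count(":") >= 3:
            nodes.append((len(m.group(1)) // 3, m.group(2)))
    return nodes


def gav(coord):
    """Reduce g:a:type[:classifier]:version[:scope] to (group, artifact, version)."""
    parts = coord.split(":")
    version = parts[-1] if len(parts) == 4 else parts[-2]  # root line has no scope
    return parts[0], parts[1], version


def find_paths(text, group, artifact):
    """Return every root-to-artifact path as a list of 'g:a:v' strings."""
    paths, stack = [], []
    for depth, coord in parse_tree(text):
        g, a, v = gav(coord)
        while stack and stack[-1][0] >= depth:  # climb back up to the parent
            stack.pop()
        stack.append((depth, f"{g}:{a}:{v}"))
        if (g, a) == (group, artifact):
            paths.append([name for _, name in stack])
    return paths


def upgrade_advice(paths):
    """'direct' means fix the POM declaration; 'transitive' names the parent to upgrade
    (or the version can be overridden, e.g. through dependencyManagement)."""
    return [("direct", p[-1]) if len(p) == 2 else ("transitive", p[1]) for p in paths]
```

Run `mvn dependency:tree > tree.txt` and feed the file to `find_paths` to see each route by which the flagged version reaches your build before deciding between upgrading a parent and overriding the version.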

The necessary steps will depend on the build system used, but in all cases you now have the information at hand detailing why you should upgrade and which version to upgrade to. This allows you to carry out your component lifecycle management effectively. Sonatype CLM offers tools for these migration efforts as well as various ways to monitor your development for security, license and other issues.