Repository Management with Nexus


5.8. Viewing Component Security and License Information

One of the added features of Nexus Professional is the usage of data from Sonatype CLM. This data contains security and license information about artifacts and is accessible for a whole repository in the Repository Health Check feature described in Chapter 12, Repository Health Check. Details about the vulnerability and security issue ratings and others can be found there as well.

The Component Info tab displays the security and licence information available for a specific artifact. It is available in browsing or search results, once a you have selected an artifact in the search results list or repository tree view. An example search for Jetty, with the Component Info tab visible, is displayed in Figure 5.12, “Component Info Displaying Security Vulnerabilities for an Old Version of Jetty”. It displays the results from the License Analysis and any found Security Issues.

The License Analysis reveals a medium threat triggered by the fact that Non-Standard license headers were found in the source code as visible in the Observed License(s) in Source column. The license found in the pom.xml file associated to the project only documented Apache-2.0 or EPL-1.0 as the Declared License(s).


Figure 5.12. Component Info Displaying Security Vulnerabilities for an Old Version of Jetty

The Security Issues section displays two issues with Threat Level values 5. The Summary column contains a small summary description of the security issue. The Problem Code column contains the codes, which link to the respective entries in the Common Vulnerabilities and Exposures CVE list as well as the Open Source Vulnerability DataBase OSVDB displayed in Figure 5.13, “Common Vulnerabilities and Exposures CVE Entry for a Jetty Security Issue” and Figure 5.14, “Open Source Vulnerability DataBase OSVDB Entry for a Jetty Security Issue”.


Figure 5.13. Common Vulnerabilities and Exposures CVE Entry for a Jetty Security Issue


Figure 5.14. Open Source Vulnerability DataBase OSVDB Entry for a Jetty Security Issue

Understanding the Difference, Nexus Professional - CLM Edition. In this section, we’ve talked about the various ways CLM data is being used, at least at an introductory level. However, understanding the differences between the Sonatype CLM usage in Nexus Professional and Nexus Professional CLM may still be a little unclear. Rather you are likely asking, "What do I get with Nexus Professional - Sonatype CLM Edition.

Great question. With Sonatype CLM, Nexus Professional is expanded in the two key areas.

Policy Management
Your organization likely has a process for determining which components can be included in your applications. This could be as simple as limiting the age of the component, or more complex, like prohibiting components with a certain type of licenses or security issue.

Whatever the case, the process is supported by rules. Sonatype CLM Policy management is a way to create those rules, and then track and evaluate your application. Any time a rule is broken, that’s considered a policy violation. Violations can then warn, or even prevent a release.

Here’s an example of the Sonatype CLM features for Nexus Staging.


Figure 5.15. Staging Repository Activity with a CLM Evaluation Failure and Details

Component Information Panel

The Component Information Panel, or CIP, provides everything you need to know about a component. Looking at the image below, you’ll notice two sections. On the left, details about the specific component are provided. On the right, the graph provides a wide variety of information including popularity, license, or security issues. You can even click on each individual version in the graph, which will then display on the left.


Figure 5.16. Component Information Panel Example


The CIP is then expanded with the View Details button which shows exactly what security or license issues were encountered, as well as any policy violations.

If you would like more information about these features, check out our Sonatype CLM Repository Manager Guide.