5.8. Viewing Component Security and License Information

Available in Nexus Repository Manager only

One of the added features of Nexus Repository Manager is the usage of the curated and up to date information from the Sonatype Data Services. This data contains security and license information about components and is accessible for a whole repository in the Repository Health Check feature described in Chapter 12, Repository Health Check. Details about the vulnerability and security issue ratings and others can be found there as well.

The Component Info tab displays the security and licence information available for a specific component. It is available in browsing or search results, once a you have selected a component in the search results list or repository tree view. An example search for Jetty, with the Component Info tab visible, is displayed in Figure 5.12, “Component Info Displaying Security Vulnerabilities for an Old Version of Jetty”. It displays the results from the License Analysis and any found Security Issues.

The License Analysis reveals a medium threat triggered by the fact that Non-Standard license headers were found in the source code as visible in the Observed License(s) in Source column. The license found in the pom.xml file associated to the project only documented Apache-2.0 or EPL-1.0 as the Declared License(s).

The Declared License details the license information found in POM file or other meta data. The Observed Licenses in Source lists all the licenses found in the actual source code of the library in the form of file headers and license files. This data is based on source code scanning performed and provided by the Sonatype Data Services.

figs/web/component-info-tab-jetty.png

Figure 5.12. Component Info Displaying Security Vulnerabilities for an Old Version of Jetty


The Security Issues section displays two issues with Threat Level values 5. The Summary column contains a small summary description of the security issue. The Problem Code column contains the codes, which link to the respective entries in the Common Vulnerabilities and Exposures CVE list displayed in Figure 5.13, “Common Vulnerabilities and Exposures CVE Entry for a Jetty Security Issue”.

figs/web/component-info-cve-jetty.png

Figure 5.13. Common Vulnerabilities and Exposures CVE Entry for a Jetty Security Issue


Understanding the Difference, Nexus Repository Manager and Nexus IQ Server integration. In this section, we’ve talked about the various ways component data is being used, at least at an introductory level. However, understanding the differences between the Sonatype Data Services usage in Nexus Repository Manager and Nexus IQ Server may still be a little unclear. Rather you are likely asking, "What do I get with an integration of Nexus Repository Manager and Nexus IQ Server?

Policy Management
Your organization likely has a process for determining which components can be included in your applications. This could be as simple as limiting the age of the component, or more complex, like prohibiting components with a certain type of licenses or security issue.

Whatever the case, the process is supported by rules. Nexus IQ Server Policy management is a way to create those rules, and then track and evaluate your application. Any time a rule is broken, that’s considered a policy violation. Violations can then warn, or even prevent a release.

Here’s an example of the Nexus IQ Server features for Staging.

figs/web/clm-staging-repository-failure.png

Figure 5.14. Staging Repository Activity with a Nexus IQ Server Evaluation Failure and Details


Component Information Panel

The Component Information Panel, or CIP, provides everything you need to know about a component. Looking at the image below, you’ll notice two sections. On the left, details about the specific component are provided. On the right, the graph provides a wide variety of information including popularity, license, or security issues. You can even click on each individual version in the graph, which will then display on the left.

figs/web/nexus-clm-comp-info-cip.png

Figure 5.15. Component Information Panel Example


[Note]

The CIP is then expanded with the View Details button which shows exactly what security or license issues were encountered, as well as any policy violations.

Audit and Quarantine
The Audit and Quarantine features use Nexus IQ policy management to protect your development environment from serving risky, unwanted components. You can enable these features to identify, prevent, and release such components that may compromise a proxy repository.

See our Nexus IQ Server documentation to learn about releasing components from quarantine and other features.