Repository Management with Nexus


5.8. Viewing Component Security and License Information

One of the added features of Nexus Pro is the usage of the curated and up to date information from the Sonatype data services. This data contains security and license information about components and is accessible for a whole repository in the Repository Health Check feature described in Chapter 12, Repository Health Check. Details about the vulnerability and security issue ratings and others can be found there as well.

The Component Info tab displays the security and license information available for a specific component. It is available when browsing or searching, once you have selected a component in the search results list or repository tree view. An example search for Jetty, with the Component Info tab visible, is displayed in Figure 5.12, “Component Info Displaying Security Vulnerabilities for an Old Version of Jetty”. It displays the results from the License Analysis and any Security Issues found.

The License Analysis reveals a medium threat, triggered by the fact that Non-Standard license headers were found in the source code, as visible in the Observed License(s) in Source column. The pom.xml file associated with the project only documented Apache-2.0 or EPL-1.0 as the Declared License(s).

The Declared License details the license information found in the POM file or other metadata. The Observed Licenses in Source column lists all the licenses found in the actual source code of the library, in the form of file headers and license files. This data is based on source code scanning performed and provided by the Sonatype data services.

figs/web/component-info-tab-jetty.png

Figure 5.12. Component Info Displaying Security Vulnerabilities for an Old Version of Jetty


The Security Issues section displays two issues with a Threat Level of 5. The Summary column contains a short description of the security issue. The Problem Code column contains the codes, which link to the respective entries in the Common Vulnerabilities and Exposures (CVE) list and the Open Source Vulnerability DataBase (OSVDB), displayed in Figure 5.13, “Common Vulnerabilities and Exposures CVE Entry for a Jetty Security Issue” and Figure 5.14, “Open Source Vulnerability DataBase OSVDB Entry for a Jetty Security Issue”.

figs/web/component-info-cve-jetty.png

Figure 5.13. Common Vulnerabilities and Exposures CVE Entry for a Jetty Security Issue


figs/web/component-info-osvdb-jetty.png

Figure 5.14. Open Source Vulnerability DataBase OSVDB Entry for a Jetty Security Issue


Understanding the Difference, Nexus Pro+. In this section, we’ve talked about the various ways component data is used, at least at an introductory level. However, the difference between how the Sonatype hosted data services are used in Nexus Pro and in Nexus Pro+ may still be a little unclear. More likely you are asking, "What do I get with Nexus Pro+?"

Great question. With Nexus Pro+ you get a Nexus Lifecycle server. This expands Nexus Pro in two key areas.

Policy Management
Your organization likely has a process for determining which components can be included in your applications. This could be as simple as limiting the age of a component, or more complex, like prohibiting components with certain types of licenses or security issues.

Whatever the case, the process is supported by rules. Nexus Lifecycle policy management is a way to create those rules, and then track and evaluate your application against them. Any time a rule is broken, that’s considered a policy violation. Violations can then warn, or even prevent a release.
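As an added illustration (not Nexus Lifecycle's own code or API), here is how rules of this kind can be expressed and evaluated over the sort of component data the Component Info tab shows: declared versus observed licenses, security issues with a threat level, and component age, with each violation either warning or blocking a release. The component, thresholds, banned license and identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class SecurityIssue:
    problem_code: str   # CVE or OSVDB identifier, as in the Problem Code column
    threat_level: int   # Threat Level, as in the Security Issues section

@dataclass
class Component:
    coordinates: str
    released: date
    declared_licenses: list   # Declared License(s) from the POM
    observed_licenses: list   # Observed License(s) in Source
    security_issues: list = field(default_factory=list)

# Each rule returns None or (action, message), where action is "warn" or "fail".
def max_age_rule(c, today, max_days=3 * 365):
    age = (today - c.released).days
    return ("warn", f"component is {age} days old (limit {max_days})") if age > max_days else None

def prohibited_license_rule(c, today, banned=("GPL-3.0",)):  # banned list is an assumption
    hits = sorted(set(c.declared_licenses + c.observed_licenses) & set(banned))
    return ("fail", "prohibited license(s): " + ", ".join(hits)) if hits else None

def undeclared_license_rule(c, today):
    # The License Analysis finding from the text: source headers not covered by the POM
    extra = sorted(set(c.observed_licenses) - set(c.declared_licenses))
    return ("warn", "observed but undeclared license(s): " + ", ".join(extra)) if extra else None

def security_threat_rule(c, today, fail_at=5):
    bad = [i.problem_code for i in c.security_issues if i.threat_level >= fail_at]
    return ("fail", f"threat level >= {fail_at}: " + ", ".join(bad)) if bad else None

RULES = (max_age_rule, prohibited_license_rule, undeclared_license_rule, security_threat_rule)

def evaluate(c, today):
    """Return every policy violation as (rule name, action, message)."""
    results = ((rule.__name__, rule(c, today)) for rule in RULES)
    return [(name, *res) for name, res in results if res]

def release_allowed(violations):
    """A staging release is blocked by any 'fail' violation; 'warn' only reports."""
    return not any(action == "fail" for _, action, _ in violations)

# Constructed sample modelled on the Jetty example in the text; identifiers are placeholders.
SAMPLE = Component("org.eclipse.jetty:jetty-server:<old-version>", date(2009, 6, 1),
                   ["Apache-2.0", "EPL-1.0"], ["Apache-2.0", "EPL-1.0", "Non-Standard"],
                   [SecurityIssue("CVE-0000-0000", 5), SecurityIssue("OSVDB-00000", 5)])
```

Running `evaluate(SAMPLE, today)` yields two warnings (age, undeclared license) and one failure (threat level 5), so `release_allowed` returns False.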

Here’s an example of the Nexus Lifecycle features for Nexus Staging.

figs/web/clm-staging-repository-failure.png

Figure 5.15. Staging Repository Activity with a Nexus Lifecycle Evaluation Failure and Details


Component Information Panel

The Component Information Panel, or CIP, provides everything you need to know about a component. Looking at the image below, you’ll notice two sections. On the left, details about the specific component are provided. On the right, the graph provides a wide variety of information, including popularity, license, and security issues. You can even click on each individual version in the graph, and its details will then be displayed on the left.

figs/web/nexus-clm-comp-info-cip.png

Figure 5.16. Component Information Panel Example


[Note]

The CIP can then be expanded with the View Details button, which shows exactly which security or license issues were encountered, as well as any policy violations.

If you would like more information about these features, check out our Nexus Lifecycle and Repository Manager Guide.