Documentation Nexus Repository Manager 2.14

12.2. Accessing the Detailed Repository Health Check Report

Available in Nexus Repository Pro only

The detailed report contains the same overview data and charts for security and license information at the top displayed in Figure 12.4, “Summary of the Detailed Repository Health Check Panel” .


Figure 12.4. Summary of the Detailed Repository Health Check Panel

Below this overview, as visible in Figure 12.5, “The Security Data in the Detailed Repository Health Check Report”, a drop-down for security and license information allows you to toggle between two lists displaying further details. Select View By: Vulnerabilities to inspect the security issues and View By: Artifacts to review the license information. Both lists have a filter for each column at the bottom of the list that allows you to narrow down the number of rows in the table and find specific entries easily.

The security list as visible in Figure 12.5, “The Security Data in the Detailed Repository Health Check Report” contains columns for Threat Level, Problem Code and the GAV parameters identifying the affected component. The Problem Code column is a link to the security warning referenced and commonly links a specific entry in the Common Vulnerabilities and Exposures list. This database has descriptive text on vulnerabilities and further information with reference links.


Figure 12.5. The Security Data in the Detailed Repository Health Check Report

The Threat Level is rated in values used by the vulnerability databases and ranges from 0 for a low threat to 10 for the highest threat. Critical values (noted in red) range from 8 to 10. Severe values (noted in orange) range from 4-7, and Moderate values (noted in yellow) range from 1 to 3.

The license list as visible in Figure 12.6, “The License Data in the Detailed Repository Health Check Report” shows a derived threat in the License Threat column. The Declared License column details the license information found in POM file. The Observed Licenses in Source columns lists all the licenses found in the actual source code of the library in the form of file headers and license files. This data is based on source code scanning performed and provided by the Sonatype Data Services. The next columns for the GAV parameters allow you to identify the component. The last column Security Issues displays an indicator for potentially existing security issue for the same component.


Figure 12.6. The License Data in the Detailed Repository Health Check Report

Licenses such as GPL-2.0 or GPL-3.0 are classified as the highest License Threat and labeled as Copyleft and use red as signaling color.

A Non-Standard or Not Provided license is classified as a moderate threat and uses orange. Non-Standard as a classification is triggered by the usage of atypical licenses for open source software such as CharityWare license, BeerWare, NCSA Open Source License and many others. Not Provided is trigged as classification if no license information was found anywhere.

Licenses such as CDDL-1.0, EPL-1.0 or GPL-2.0-CPE receive a Weak Copyleft classification and yellow as notification color.

Liberal licenses that are generally friendly to inclusion in commercial products use blue and include licenses such as Apache-2.0, MIT or BSD.

A general description about the implications of the different licenses is available when hovering over the specific category in the License Analysis Summary. Further information about the different licenses can be obtained from the Open Source Initiative. Mixed license scenarios like a mixture of licenses such as Apache-1.1, Apache-2.0, LGPL and LGPL-2.1 can be complicated to assess in its impact and might be legally invalid depending on the combination of licenses observed. Detailed implications to your business and software are best discussed with your lawyers.

Nexus Repository Manager Pro reports all components in the local storage of the respective repository in the detail panel. This means that at some stage a build running against your repository manager required these components and caused a download of them to local storage.

To determine which project and build caused this download to be able to fix the offending dependency by upgrading to a newer version or removing it with an alternative solution with a more suitable license, you will have to investigate all your projects.