Repository Management with Nexus
5.2. Browsing Repositories
One of the most straightforward uses of Nexus is to browse the structure of a repository. If you click on the Repositories menu item in the Views/Repositories menu, you should see the following display. The top half of Figure 5.2, “Browsing a Repository Storage” shows you a list of groups and repositories along with the type of the repository and the repository status. To browse the artifacts that are stored in a local Nexus instance, click on the Browse Storage tab for a repository as shown in Figure 5.2, “Browsing a Repository Storage”.
When you are browsing a repository, you can right-click on any file and download it directly to your browser. This allows you to retrieve specific artifacts manually, or examine a POM file in the browser. In addition, artifacts as well as directories can be deleted using right-click.
When browsing a remote repository you might notice that the tree doesn’t contain all of the artifacts in a repository. When you browse a proxy repository, Nexus is displaying the artifacts which have been cached locally from the remote repository. If you don’t see an artifact you expected to see through Nexus, it only means that Nexus has yet to cache the artifact locally. If you have enabled remote repository index downloads, Nexus will return search results that may include artifacts not yet downloaded from the remote repository. Figure 5.2, “Browsing a Repository Storage”, is just an example, and you may or may not have the example artifact available in your installation of Nexus.
A Nexus proxy repository acts as a local cache for a remote repository. In addition to downloading and caching artifacts locally, Nexus will also download an index of all the artifacts stored in a particular repository. When searching or browsing for artifacts, it is often more useful to search and browse the repository index. To view the repository index, click on the Browse Index tab for a particular repository to load the interface shown in Figure 5.3, “Browsing a Repository Index”.
As shown in Figure 5.3, “Browsing a Repository Index”, if an artifact has been downloaded from a remote repository and cached in Nexus, the artifact or folder will display a small Nexus logo.
Once you have located an archive in the repository index or storage, the right-hand panel will at minimum show the Artifact Information tab, as visible in Figure 5.4, “Viewing the Artifact Information”. Besides showing details like the Repository Path, Size, Checksums, location of the artifact and other details, you are able to download and delete the artifact with the respective buttons.
If the artifact you are looking at in the browser is a Maven-related artifact like a POM file or a JAR, you will see the Maven Information tab in the right-hand panel. As visible in Figure 5.5, “Viewing the Maven Information”, the GAV parameters are displayed above an XML snippet identifying the artifact that you can just cut and paste into a Maven pom.xml file.
For binary artifacts like JAR files, Nexus displays an Archive Browser panel, as visible in Figure 5.6, “Using the Archive Browser”, that allows you to view the contents of the archive. Clicking on individual files in the browser will download them and potentially display them in your browser. This can be useful for quickly checking the contents of an archive without manually downloading and extracting it.
Nexus Professional provides you with the ability to browse an artifact’s dependencies. Using the artifact metadata found in an artifact’s POM, Nexus will scan a repository or a repository group and attempt to resolve and display an artifact’s dependencies. To view an artifact’s dependencies, browse the repository storage or the repository index, select an artifact (or an artifact’s POM), and then click on the Maven Dependency tab.
On the Maven Dependency tab, you will see the following form elements:
- When resolving an artifact’s dependencies, Nexus will query an existing repository or repository group. In many cases it will make sense to select the same repository group you are referencing in your Maven Settings. If you encounter any problems during the dependency resolution, you need to make sure that you are referencing a repository or a group which contains these dependencies.
- An artifact’s dependencies can be listed as either a tree or a list. When dependencies are displayed in a tree, you can inspect direct dependencies and transitive dependencies. This can come in handy if you are assessing an artifact based on the dependencies it is going to pull into your project’s build. When you list dependencies as a list, Nexus performs the same process used by Maven to collapse a tree of dependencies into a list of dependencies, using rules to merge and override dependency versions if there are any overlaps or conflicts.
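The tree-to-list collapse described above can be sketched as follows. This is an added example, not code from Nexus or Maven. It models only Maven's "nearest definition wins, first declaration wins on a tie" mediation rule and ignores scopes, exclusions, dependencyManagement and version ranges. The tree, coordinates and function name are constructed for illustration.

```python
from collections import deque

# Constructed sample tree (not from the page): each node is
# (groupId, artifactId, version, [children]) in declaration order.
TREE = ("com.example", "webapp", "1.0", [
    ("com.example", "http-client", "2.1", [
        ("org.sample", "codec", "1.4", []),
        ("org.sample", "logging", "1.1", []),
    ]),
    ("com.example", "reporting", "3.0", [
        ("org.sample", "pdf", "0.9", [
            ("org.sample", "codec", "1.9", []),
        ]),
    ]),
    ("org.sample", "logging", "1.2", []),
])


def collapse(root):
    """Flatten a dependency tree with nearest-wins mediation.

    Breadth-first traversal reaches shallower nodes first and, within a
    depth, follows declaration order, so the first occurrence of a
    groupId:artifactId wins. A losing node's subtree is skipped because
    its dependencies never enter the build.
    Returns (resolved, omitted): resolved maps "g:a" -> (version, depth);
    omitted lists (g:a, losing_version, winning_version, path).
    """
    resolved, omitted = {}, []
    queue = deque((child, 1, [f"{root[1]}:{root[2]}"]) for child in root[3])
    while queue:
        (group, artifact, version, children), depth, path = queue.popleft()
        key = f"{group}:{artifact}"
        if key in resolved:
            winner = resolved[key][0]
            if winner != version:
                omitted.append((key, version, winner, " > ".join(path)))
            continue
        resolved[key] = (version, depth)
        here = path + [f"{artifact}:{version}"]
        queue.extend((c, depth + 1, here) for c in children)
    return resolved, omitted


if __name__ == "__main__":
    resolved, omitted = collapse(TREE)
    for key, lost, won, via in omitted:
        print(f"omitted {key}:{lost} via {via}; build uses {won}")
```

In the sample, `codec` 1.4 at depth 2 beats the newer 1.9 at depth 3, so 1.4 is the version to check in the flattened list when assessing what the build actually pulls in.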
Once you have selected a repository to resolve against and a mode to display an artifact’s dependencies, click on the Resolve button as shown in Figure 5.7, “View an Artifact’s Dependencies”. Clicking on this button will start the process of resolving dependencies. Depending on the number of artifacts already cached by Nexus, this process can take anywhere from a few seconds to a minute. Once the resolution process is finished, you should see the artifact’s dependencies as shown in Figure 5.7, “View an Artifact’s Dependencies”.
Once you have resolved an artifact’s dependencies, you can use the Filter text input to search for particular artifact dependencies. If you double click on a row in the tree or list of dependencies you can navigate to other artifacts within the Nexus interface.
One of the added features of Nexus Professional is the usage of data from Sonatype Insight. This data contains security and license information about artifacts and is accessible for a whole repository in the Repository Health Check feature described in Chapter 11, Repository Health Check. Details about the vulnerability and security issue ratings and others can be found there as well.
The Insight tab displays the security and license information available for a specific artifact. It is available in browsing or search results, once you have selected an artifact in the search results list or repository tree view. An example search for Jetty, with the Insight tab visible, is displayed in Figure 5.8, “Insight Data Displaying Security Vulnerabilities for an Old Version of Jetty”. It displays the results from the License Analysis and any found Security Issues.
The License Analysis reveals a medium threat triggered by the fact that Non-Standard license headers were found in the source code, as visible in the Observed License(s) in Source column. The license found in the pom.xml file associated with the project only documented Apache-2.0 or EPL-1.0 as the Declared License(s).
The Security Issues section displays two issues of Threat Level 5. The Summary column contains a short description of the security issue. The Problem Code column contains the codes, which link to the respective entries in the Common Vulnerabilities and Exposures (CVE) list as well as the Open Source Vulnerability DataBase (OSVDB), displayed in Figure 5.9, “Common Vulnerabilities and Exposures CVE Entry for a Jetty Security Issue” and Figure 5.10, “Open Source Vulnerability DataBase OSVDB Entry for a Jetty Security Issue”.