Repository Management with Nexus

5.8. Viewing Component Security and License Information

One of the added features of Nexus Professional is the usage of data from Sonatype CLM. This data contains security and license information about artifacts and is accessible for a whole repository in the Repository Health Check feature described in Chapter 12, Repository Health Check. Details about the vulnerability and security issue ratings and others can be found there as well.

The Component Info tab displays the security and licence information available for a specific artifact. It is available in browsing or search results, once a you have selected an artifact in the search results list or repository tree view. An example search for Jetty, with the Component Info tab visible, is displayed in Figure 5.12, “Component Info Displaying Security Vulnerabilities for an Old Version of Jetty”. It displays the results from the License Analysis and any found Security Issues.

The License Analysis reveals a medium threat triggered by the fact that Non-Standard license headers were found in the source code as visible in the Observed License(s) in Source column. The license found in the pom.xml file associated to the project only documented Apache-2.0 or EPL-1.0 as the Declared License(s).

figs/web/component-info-tab-jetty.png

Figure 5.12. Component Info Displaying Security Vulnerabilities for an Old Version of Jetty


The Security Issues section displays two issues with Threat Level values 5. The Summary column contains a small summary description of the security issue. The Problem Code column contains the codes, which link to the respective entries in the Common Vulnerabilities and Exposures CVE list as well as the Open Source Vulnerability DataBase OSVDB displayed in Figure 5.13, “Common Vulnerabilities and Exposures CVE Entry for a Jetty Security Issue” and Figure 5.14, “Open Source Vulnerability DataBase OSVDB Entry for a Jetty Security Issue”.

figs/web/component-info-cve-jetty.png

Figure 5.13. Common Vulnerabilities and Exposures CVE Entry for a Jetty Security Issue


figs/web/component-info-osvdb-jetty.png

Figure 5.14. Open Source Vulnerability DataBase OSVDB Entry for a Jetty Security Issue