This guide can help you get IQ Server up and running for the purpose of trying out its features before installing it in your development environment. It should take approximately 15 minutes to complete using sample policies and applications.
Part 1: Installing IQ Server
tar.gz or .zip file.
Part 2: Starting IQ Server
nexus-iq-server-x.xx.x-xx-bundle.
Run one of the following commands to start IQ Server:
Linux or Mac: ./demo.sh
Windows: demo.bat
Log in using the default Administrator account:
Username: admin
Password: admin123
Install the required product license supplied to you by the Sonatype Support team.
.lic) and click Open.
IQ Server needs access to an external data service to perform evaluations, and that outbound connection may be blocked in your internal environment. For a workaround, see Running IQ Server Behind an HTTP Proxy Server in the IQ Server documentation.
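The proxy workaround referenced above is configured in the server's config.yml. The fragment below is an added example for this guide, not text from the Sonatype documentation page it points to; the host name, port, credentials and excluded hosts are placeholder values you replace with your own, and the username, password and excludeHosts entries are only needed if your proxy requires authentication or you want some destinations to bypass it. Restart IQ Server after editing the file.

```yaml
# Added example: proxy section of IQ Server's config.yml (placeholder values).
# IQ Server uses this proxy for its outbound calls to the external data service.
proxy:
  hostname: proxy.example.internal   # placeholder: your HTTP proxy host
  port: 8080                         # placeholder: your proxy port
  username: iq-proxy-user            # optional: omit if the proxy needs no auth
  password: "replace-me"             # optional: keep this file readable only by the service account
  excludeHosts:                      # optional: destinations reached directly, not via the proxy
    - localhost
    - "*.example.internal"
```

Because the password is stored in plain text here, restrict file permissions on config.yml to the account that runs IQ Server and keep the file out of version control.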
Part 3: Configuring IQ Server
To see what IQ Server can do, you need three basic things: policies, an organization, and an application. IQ Server uses policies to identify potential issues in an application. In the steps below, you will import the Sonatype Sample Policy set which has multiple policies for triggering violations on security vulnerabilities, licensing issues, architecture issues, and more. You will also create an organization and an application, which will demonstrate the three levels of IQ Server’s system hierarchy: Root Organization, organization, and application. Policies and other configuration items are inherited from the Root Organization on down. This allows for easier policy management especially when you have multiple organizations and applications.
Import sample policies into the Root Organization:
.json file) from the IQ Server documentation.
.json file you downloaded, and click Open.
Create an organization in IQ Server:
Create an application in IQ Server:
Part 4: Evaluating Applications
After you install, start, and configure IQ Server, you are ready to evaluate applications. If you need a sample application, you can download WebGoat (webgoat-container-x.x.x-war-exec.jar) at https://github.com/WebGoat/WebGoat/releases.
To evaluate an application:
In the Evaluate a Binary dialog:
Part 5: Reviewing Results
The results of a binary evaluation are displayed in the Application Composition Report, which you can always access by clicking the Reporting icon on the IQ Server toolbar.
The report’s information is divided into four tabs:
For a more thorough explanation of the report, see the Application Composition Report chapter in the Nexus IQ Server Documentation.
Part 6: Investigating & Remediating Violations
In the Application Composition Report, you can drill down to learn specific details about a violation. In every tab (except the Summary tab), you can click an individual component to open the Component Information Panel (CIP). The CIP displays many details, which are divided into different sections or tabs. To get you started using the CIP, take a look at these sections:
This is just a small sample of the component information available in the CIP. For a complete discussion of the CIP, see Component Information Panel in the Nexus IQ Server Documentation.