The Application Composition Report provides the results of an evaluation of your application. The results are broken into three key categories:
Depending on the enforcement point, or the stage you manually selected, your report may be listed under a different stage in the Reporting area of the Nexus IQ Server. For example, the default location for the Nexus IQ CLI is the Build stage.
No matter how the evaluation was performed, all reports reside on the Nexus IQ Server and are automatically associated with the corresponding application (via the application identifier). However, there are two distinct ways to access the Application Composition Report.
When you log into the Nexus IQ Server the Dashboard is displayed by default. Click the Reports icon. If multiple applications have been scanned, you will see all of them here.
You will need to be a member of at least the developer group for the application you wish to see a report for.
Users of Nexus Pro+ do not have access to the Dashboard. Because of this, these users will not be taken to the Dashboard after logging in, nor will they see the Dashboard icon. Rather, the reports area will display by default.
Each application has a separate row with columns for:
* Application Name
* Violations (by stage)
* Contact
* Organization (for the corresponding application)
Each Violation column contains a Violation Summary (total counts for Critical, Severe and Moderate policy violations). In addition, the time the last report was generated (e.g. 2 minutes ago) is provided.
To access the Application Composition Report, click the Violation Summary for the corresponding application and stage.

TIP: By default this view is sorted alphabetically by application name. In addition to the filter, you can also click the Application or Organization column to sort alphabetically ascending or descending.
The Application area is the same place where you can manage policy for your application, reviewing policies unique to the application, as well as those inherited from the organization. Located just below the application identifier and organization, you will see three columns:
These represent the stage for which the report was generated. For example, if you use the Nexus IQ CLI and don’t specify the stage, it will default to build. When your scan completes and the report is uploaded, it will appear below Build. This is highlighted in Figure 7.14, “Application Area”.
At first glance, you may be surprised at what you see. If you expected an application to have no issues, and now see it has a great deal, don’t get upset… yet.
In many cases, a policy can be too stringent or may indicate issues that are not exactly applicable to your application. For example, you may have a security issue that would only affect applications exposed to the public, while your application is for internal use only. Another great example is a license that constrains your code in the event you intend to sell the application.
With that worry out of the way, let’s take a look at what’s actually in each report.
The Summary tab of the report shows a breakdown of what was found. This includes counts for policy violations, security vulnerabilities and license-related issues.
The Policy tab provides a list of all components that were found in your application. An example is displayed in Figure 7.16, “Policy Tab of an Application Composition Report”. The list of components is ordered by the level of the threat violation that has been assigned to the policy. In instances where a component has violated multiple policies, only the violation with the highest threat is displayed.
To view the other violations you can use the component information panel (described below), or change what is displayed using the Violations filter on the right. This will allow you to see all violations for your component, though that may result in the appearance of duplicated components.
The Security Issues tab displayed in Figure 7.17, “Security Issues Tab of an Application Composition Report” displays all components containing security issues.
The License Analysis tab displayed in Figure 7.18, “License Analysis Tab of an Application Composition Report” displays all components and the determined details about their license(s).
In the Policy, Security Issues and License Analysis tabs, you can access more information about a particular component by clicking on the row in the table representing the component you are interested in. The Component Information Panel (CIP), with an example displayed in Figure 7.19, “Component Information Panel CIP for a Specific Component”, shows more specific information about the component.
Clicking on the Policy header in the component information panel displays all policy violations for the selected component. As you can see from the example displayed in Figure 7.20, “Policy Section for a Specific Component Displayed on the Component Information Panel” the policies as well as the constraints and the condition values that triggered the policy violation are displayed.
A number of specifics used in the tabs and the panel are detailed in the following:
As briefly mentioned above, policy violations are organized by threat level. The threat level breakdown is as follows.
Copyright © 2008-present, Sonatype Inc. All rights reserved.