Documentation Nexus IQ Server 1.28

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

14.2. Integrating Nexus Repository Manager 3.x and IQ Server

[Tip]

The features discussed in this section require IQ Server and Nexus Repository Manager Pro with the Repository license plus either the Firewall or Lifecycle license.

14.2.1. Connecting to IQ Server

The first step to integrating IQ Server features with Nexus Repository Manager 3.x is connecting to IQ Server from Nexus Repository Manager.

To configure the connection to IQ Server:

  1. In Nexus Repository Manager, click the Administration button on the main toolbar.
  2. In the Administration main menu, click Server under IQ Server.
  3. Configure the following settings:

    • Click to select Where to use IQ Server to enable IQ Server.
    • Enter the IQ Server URL.
    • Select an Authentication Method:

      • User Authentication: Enter a username and password.
      • PKI Authentication: Delegate authentication to the JVM.

        [Tip]

        It is recommended that you create a unique machine account with desired permissions for connecting IQ Server with Nexus Repository Manager. At a minimum, the account needs Evaluate Individual Components permission at the repositories level to use any available IQ Server features.

    • Optionally, you can configure these properties:

      • Enter a Request Timeout.
      • Enter information in the Properties input field using a key=value definition per line. For example:

        procArch=false
        ipAddresses=true
        operatingSystem=false

        These properties are passed to IQ Server and can, for example, determine what properties are logged as part of a validation. In most use cases you will not need to configure any properties.

  4. Click Verify connection to test if a connection can be established.

If successful, a list of the applications from IQ Server is displayed, and Dashboard appears under IQ Server on the Administration main menu.

figs/web/nexus-clm-config-tab-nxrm3.png

Figure 14.15. IQ Server Connection Tab in Nexus Repository Manager 3.x
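The check behind the Verify connection button can also be run from a shell before touching the Nexus Repository Manager UI, which is useful for confirming that the machine account recommended above works and has enough permission. The script below is an added example, not part of this documentation or any Sonatype tool: it calls IQ Server's GET /api/v2/applications endpoint (the same application listing the button displays) with the machine account's credentials and tells a rejected password (401) apart from a missing permission (403). The sample response body is constructed, and the IQ Server URL, username and password are placeholders you supply on the command line.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed sample of the JSON returned by GET /api/v2/applications; the
# field names follow the IQ Server REST API, the ids and names are made up.
SAMPLE_BODY = json.dumps({"applications": [
    {"id": "a1b2c3", "publicId": "webshop", "name": "Web Shop",
     "organizationId": "ROOT_ORGANIZATION_ID"},
    {"id": "d4e5f6", "publicId": "billing", "name": "Billing",
     "organizationId": "ROOT_ORGANIZATION_ID"},
]})


def parse_verify_response(status, body):
    """Map an HTTP status and JSON body to ("ok", [app names]) or a failure class.

    401 means the credentials were rejected; 403 means the account exists but
    lacks permission to list applications (fix the role, not the password).
    """
    if status == 401:
        return "unauthorized", []
    if status == 403:
        return "forbidden", []
    if status != 200:
        return "error", []
    try:
        apps = json.loads(body).get("applications", [])
    except (ValueError, AttributeError):
        return "error", []  # not the JSON object IQ Server is expected to return
    return "ok", sorted(a.get("name") or a.get("publicId", "?") for a in apps)


def verify_iq_connection(iq_url, username, password, timeout=10):
    """Perform the Verify connection check against a live IQ Server."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        iq_url.rstrip("/") + "/api/v2/applications",
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_verify_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return parse_verify_response(exc.code, "")
    except urllib.error.URLError:
        return "error", []  # DNS, TCP or TLS failure: IQ Server URL unreachable


if __name__ == "__main__":
    import sys  # usage: verify_iq.py <IQ_SERVER_URL> <USERNAME> <PASSWORD>
    print(verify_iq_connection(sys.argv[1], sys.argv[2], sys.argv[3]))
```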


14.2.2. Viewing Component and Assets Information

In Nexus Repository Manager, the Search feature helps you find assets and components in your repositories. In the search results, you can drill down for more detailed information. For example, after you perform a search, click a component to see its associated assets.

figs/web/nxrm3-search.png

Figure 14.16. Associated Assets in Search Results in Nexus Repository Manager 3.x


Click an asset to access its summary information, attributes, and component intelligence.

Figure 14.17. Asset Information in Nexus Repository Manager 3.x


Click Component IQ to get more detailed information.

figs/web/nxrm3-comp-iq.png

Figure 14.18. Viewing Component IQ


Component intelligence is presented in the context of an IQ Server application. Go to the IQ Application list and select one of the applications configured in your IQ Server. The Component Information Panel (CIP) is displayed, which contains the most granular details about a component.

figs/web/nxrm-cip.png

Figure 14.19. Component Information Panel


Component IQ

Component IQ displays the following information about a specific component:

  • Declared License - Any license(s) that has been declared by the author.
  • Observed License - Any license(s) found during the scan of the component’s source code.
  • Effective License - Either all licenses included in the Declared or Observed Group, or the overridden license.
  • Coordinates - The identifying information for a component. For known components, all available coordinate information will be displayed.
  • Highest Policy Threat - The highest threat level policy that has been violated, as well as the total number of violations.
  • Highest Security Threat - The highest threat level security issue and the total number of security issues.
  • Cataloged - The age of the component, based on when it was first uploaded to an accessible storage site such as the Central Repository.
  • Match State - How the component was matched (exact, similar, or unknown).
  • Identification Source - Whether a component is identified by Sonatype, or claimed by your own process.
  • Website - If available, an information icon providing a link to the project is displayed.

figs/web/nxrm3-cip-text.png

Figure 14.20. CIP Text


Component IQ also includes a graph, which is laid out like a grid with each vertical column representing a particular version. The selected version is identified by a vertical line. You can move the line horizontally to learn about different versions of a component. The information includes:

  • Popularity - The relative popularity for each version is shown as a bar graph. The taller the bar the more popular the version.
  • License Risk - A display of risk based on license threat group settings from IQ Server.
  • Security Alerts - For each version, the highest security threat is shown by color, with red for the highest threat level; no marker means no known threat.

figs/web/nxrm3-cip-graph.png

Figure 14.21. CIP Graph


For even more granular information about a specific component, click View Details. Any known policy violations, license issues, or security vulnerabilities are displayed on a new tab in your browser.

Figure 14.22. View Details


14.2.3. Using Audit and Quarantine

[Tip]

The features discussed in this section require Nexus Repository Manager Pro and IQ Server with the following licenses: Repository and Firewall.

The Audit and Quarantine features provide a way to protect your development environment from risky or undesirable components. These features use IQ Server policy management to identify, and if desired prevent, a proxy repository from serving unwanted components.

Before activating Audit and Quarantine, there are several items you need to complete:

  • Both Nexus Repository Manager 3.x and IQ Server must be running and must have a working connection between the two systems.
  • In Nexus Repository Manager 3.x, you need the following privileges:

    • Add, edit, and delete privileges for capabilities, which allows you to configure, enable, and disable the Audit feature.
    • Read privilege for repositories, which lets you view a results column in Repositories (under Repository in the Administration main menu).

      For information on assigning privileges, see the Privileges section in the Nexus Repository Manager 3.x book.

  • For IQ Server, you must be assigned to a role in the root organization with permissions to view and edit IQ Elements. The built-in roles of Policy Administrator and Owner have these permissions. For more information on assigning roles and permissions, see the Security Administration chapter. To learn more about the root organization, see the Organization and Application Management chapter.
  • Also with regard to IQ Server, you should create a policy in the root organization that defines the rules or criteria to use when evaluating components of a proxy repository. The policy must be at the root organization level in the system hierarchy; policies at other levels are ignored by Audit. To learn more about creating a policy, see the Basic Policy Management chapter.

Once these items are completed, you are ready to configure Audit and Quarantine and view audit results. Each of these actions is described below in more detail.

Configuring Audit and Quarantine

You configure the Audit and Quarantine features by adding them to Nexus Repository Manager 3.x as a capability.

To configure Audit and Quarantine:

  1. In Nexus Repository Manager 3.x, go to the Administration main menu and click Capabilities under System.
  2. Click the Create capability button.
  3. In the Select Capability Type view, click IQ: Audit and Quarantine.
  4. In the Create IQ: Audit and Quarantine view, configure the following settings:

    1. Enable this capability - Make sure the check box is selected to activate the Audit feature. The check box is selected by default.
    2. Repository - Select a specific proxy repository to evaluate, for example, maven-central.
    3. Quarantine - Select the check box to quarantine any components that violate policy whenever new components are added to the selected proxy repository. This setting affects only components that are added to the repository after Quarantine is enabled. When a component is quarantined, Nexus Repository Manager prevents it from being served from the proxy repository. The check box is deselected by default.
  5. Click Create capability to save the new capability for Audit and Quarantine.

At this point, an audit of the selected repository is automatically started. Nexus Repository Manager contacts IQ Server and evaluates the components within the selected repository against any associated policy.

The results are displayed in Repository Results, which is described in the next section Understanding Repository Results.

[Note]

To successfully quarantine components when the Quarantine feature is enabled, the policy used to evaluate components must be configured to fail when policy violations occur at the proxy stage in the development lifecycle. If the policy is set to warn (rather than fail), the quarantining of components will not occur. For more information about setting policy and the proxy stage, see the Basic Policy Management chapter.

figs/web/nxrm3-audit-capability.png

Figure 14.23. IQ: Audit and Quarantine Capability in Nexus Repository Manager


Disabling Audit and/or Quarantine

To disable Audit and/or Quarantine:

  1. In Nexus Repository Manager, go to the Administration main menu and click Capabilities under System.
  2. Click the IQ: Audit and Quarantine capability for a specific repository.
  3. To disable Audit, click the Disable button. Note that Quarantine is disabled as well.
  4. To disable Quarantine only, deselect the Enable Quarantine for Repository check box.

    [Caution]

    When Quarantine is disabled, all quarantined components are made available for download from your proxy repository. This remains true if you re-enable Quarantine: any previously quarantined components are not quarantined again; only new components are evaluated for quarantine when you re-enable the Quarantine feature.

  5. Click Save to save your changes or click Discard to discard them.

Releasing a Component from Quarantine

When a component is quarantined due to a violation, it is not available for download from the proxy repository. You must first resolve the violation(s) that caused the quarantine before releasing the component and making it downloadable. For information on resolving violations from labels, security vulnerabilities, or license issues, see the Application Composition Report chapter. For information on waiving policy violations, see the Waiving Repository Policy Violations section of this chapter. Once the violations are resolved, you can proceed with releasing a component from quarantine.

To release a component from quarantine:

  1. In Nexus Repository Manager 3.x, go to Repositories on the Administration menu, and click the IQ Policy Violations count of an evaluated repository. This opens the Repository Results hosted on IQ Server.
  2. Click the component you want to release from quarantine. This opens the Component Information Panel (CIP).
  3. Click the Policy tab, and then click the Release Quarantine button.
  4. In the confirmation box, click the Release button.

figs/web/unquarantine-repo-nxrm3.png

Figure 14.24. Release Quarantine


[Note]

Once a component is released from quarantine, it cannot be put back into quarantine even if it has subsequent policy violations. If you want to re-quarantine a component, you must delete the component from its repository. The component will be quarantined again if, during an audit, it violates a policy that is set to Fail at the Proxy stage.

Viewing Repository Results

Once the Audit is enabled, whenever you add a component to a proxy repository (or delete one), Nexus Repository Manager contacts IQ Server to evaluate the components within the proxy repository against any associated policy. The IQ Policy Violations are summarized in Nexus Repository Manager, and detailed in IQ Server.

In Nexus Repository Manager 3.x, the results of an audit are summarized in the IQ Policy Violations column of the Repositories view as shown in the figure below. You can access the Repositories view from the Repository sub menu of the Administration menu.

figs/web/firewall-column-nxrm3.png

Figure 14.25. IQ Policy Violations Column in Nexus Repository Manager 3.x


The IQ Policy Violations column includes the following items:

  • A count of components by their highest policy violation level.
  • A count of quarantined components.
  • A link to Repository Results on IQ Server.

The IQ Policy Violations column also alerts you to any errors in the audit and quarantine process. If there is an error (for example, Nexus Repository Manager cannot communicate with IQ Server), a red exclamation mark appears to the right of the Repository Results link, along with text describing the error that occurred. Additional information is available in the Nexus Repository Manager logs.

[Note]

If the IQ Policy Violations column displays only Audit Enabled or Quarantine Enabled, then you do not have permission to view audit and quarantine summary results. For more information about this permission, see Granting Privileges to View Audit and Quarantine Summary Results later in this chapter.

If you have permissions to add capabilities in Nexus Repository Manager, you can also access Repository Results from the Capabilities submenu on the Administration menu:

figs/web/firewall-repo-capabilities-submenu.png

Figure 14.26. Nexus Repository Manager 3.x Capabilities Submenu


  1. In the Type list of capabilities, click IQ: Audit and Quarantine for a specific repository.
  2. In the Capabilities / IQ: Audit and Quarantine view, go to the Status section and click View Results.

To learn more about the details displayed in the Repository Results, see Understanding Repository Results in the section below.

Granting Privileges to View Audit and Quarantine Summary Results

In Nexus Repository Manager 3.x, the "nexus:iq-violation-summary:read" privilege allows you to view audit and quarantine summary results in the IQ Policy Violations column of the Repositories view. This privilege is assigned to the Nexus admin role by default. If users are assigned to custom roles, this privilege must be added to those roles for them to view audit and quarantine summary results.

To grant view privileges for audit and quarantine:

  1. In Nexus Repository Manager 3.x, go to Security on the Administration menu and click Roles.
  2. In the Manage Roles view, either create a new role or click to select an existing custom role.
  3. If creating a new role, enter a Role ID, Role name, and Role description.
  4. In the Privileges list, move the following privileges to the Given column:

    • nx-repository-view-*-*-read
    • nexus:iq-violation-summary:read
  5. Save the role changes by clicking Create Role or Save.

figs/web/view-audit-quarantine-permission.png

Figure 14.27. Granting Privileges to View Audit and Quarantine Summary Results


For information on assigning privileges, see the Privileges section in the Nexus Repository Manager 3.x book.