Automated Nexus Reports on Licenses, Security, and More

August 05, 2015 By Derek Weeks

4 minute read time

You have been using Nexus repository managers for years, but did you know they offer a free reporting feature that details your component licenses, known security vulnerabilities, versions, age, and adoption rates?

Your Nexus repository manager can be the first line of defense against security vulnerabilities and the perfect platform to assess your exposure to open source licenses. With the Repository Health Check feature, your repository becomes more than just a place to file binary artifacts, it becomes a tool you can use to implement security policy and govern which open source licenses are used in your projects.

Did you know that Nexus user community runs over 15,000 health check reports every day? In fact, last year, we helped our user community analyze over 3 million components.

Nexus is in the perfect position to be your OSS “sentry”: keeping watch over insecure artifacts as they are downloaded from remote repositories. Your builds and your developers request open source artifacts from Nexus all the time, and Nexus relays those requests to remote repositories downloading the open source artifacts your teams have come to depend on. While your company builds software and completes CI builds, your Nexus instance is assembling a local cache of all the artifacts used in your applications. You can scan this local proxy cache for problematic components with Repository Health Check.

Repository Health Check is supported by Sonatype data services

Repository Health Check connects your Nexus instance to Sonatype's data services (SDS) - a service from Sonatype providing software supply chain intelligence that lets you to manage and monitor license, quality, and security data about the artifacts used in your software development lifecycle. For example, if there’s a critical security bug in a Tomcat library used in your application, the Repository Health Check report can tell you if this library has made it into your Nexus instance. If you are inadvertently relying on software with an AGPL dependency, Nexus can alert you to unacceptable licensing obligations.

Screen Shot 2015-08-05 at 2.02.42 PM

In Nexus repository managers, note the Quality column in the Nexus repository view, each repository eligible for a repository health check has a green “Analyze” button. Clicking on this button will schedule a health check with the SDS. This green button will change to a blue button signaling that a health check is in progress.

When you submit a repository to SDS for a repository health check your data is secure. We’re not transferring any binary artifacts to SDS, and no identifying information about your artifacts is sent to the service. The only data transmitted to SDS is a set of hashcodes for the artifacts in your repository. Once this data has been submitted, SDS then analyzes these hashcodes against a Sonatyp'es proprietary database of licensing and security vulnerability information returning a report that summarizes your exposure to security risks and various open source licenses.

Repository Health Check Summary

Once this analysis has been completed an analyzed repository will display top-level numbers for security and licenses issues identified in a repository. Clicking on this information will load a Summary report.

Screen Shot 2015-08-05 at 2.06.33 PM
 

Here you see a summary report showing you high-level information about the open source artifacts identified in this repository including summary information security and licensing issues identified in a repository. You see the number of security issues identified as well as a breakdown of issues by severity: Critical, Severe, and Moderate. You will also see a breakdown of open source artifacts grouped by license type: Copyleft, Liberal, and Weak Copyleft.

Nexus Pro: Detailed Repository Health Check Reports

Nexus Pro and Pro+ users can drill-down into the details of this summary report to view individual security issues and license information.

Screen Shot 2015-08-05 at 2.03.13 PM
 

Above is a detailed security report. Each vulnerability is assigned a severity and associated with a groupId, artifactId, and version number. By scanning your own proxy repositories you can identify and address potential security vulnerabilities before they make it into production by upgrading your projects and removing the insecure dependencies.

Screen Shot 2015-08-05 at 2.03.02 PM
 

Above is a detailed licensing report. This report lists the identified license threat color coded for severity. The report also lists the declared licenses alongside a list of licenses observed from a simple scan of the project’s source code. You can use these details to assess your exposure to various open source licenses and start to implement policies for licenses and dependencies integrated into your software projects; automating enforcement and reporting of such policies can be achieved with Nexus Pro+ and Nexus Lifecycle.

To learn more about how to turn on the Nexus Repository Health Check feature in our online documentation. If you are interested in a similar report of licenses and vulnerabilities within your applications, check out Sonatype's free Application Health Check service that helps you create a software bill of materials in less than five minutes.

Tags: nexus pro, Known Vulnerabilities, Software Supply Chain, open source governance, open source policy, Repository Health Check Software Bill of Materials, Nexus Repository, Application Security

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.