Nexus Lifecycle: Using REST API to identify where newly vulnerable components reside across your application portfolio

February 19, 2018 By Ilkka Turunen

Following the recent announcement that a malicious version of the npm package conventional-changelog had been uploaded (read more in Brian's blog post), I wanted to write a quick tutorial on how customers using Sonatype's Nexus Lifecycle can quickly search for a specific component across all the applications they have previously scanned.

When a bad component like that version of conventional-changelog gets out into the wild, it is important to be able to react quickly and find out which applications might be affected.

Nexus Lifecycle has just the API for this: the Component Search API. I have recorded the video below showing how to use Nexus Lifecycle to find a list of all applications that contain this vulnerable component.

Syntax

The search syntax I used in the above video is as follows. I use curl to keep the request simple, but feel free to use any method of making HTTP requests.

Plain text:

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier={"format":"a-name","coordinates":{"name":"conventional-changelog-core","qualifier":"","version":"1.2.0"}}'
  • stageId tells IQ Server which previous scans to search, by the stage at which they were run. To search scans of production artifacts use 'operate'. Possible values: develop, build, stage-release, release, operate
  • componentIdentifier contains the search term, as a JSON object
  • format is the component format. Here it is a-name (short for authoritative name), the generic name/qualifier/version format under which this npm package is recorded
  • name in coordinates is the name of the package we're searching for
  • qualifier is left empty for this package; version is the version you want to search for

URL Encoded:

To pass the search to the API you must URL-encode the component identifier JSON; the braces, quotes, colons and commas of the plain-text form above are not valid in a raw query string. This is the same search as above, encoded:

curl -u admin:admin123 -X GET "http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier=%7B%22format%22%3A%22a-name%22%2C%22coordinates%22%3A%7B%22name%22%3A%22conventional-changelog-core%22%2C%22qualifier%22%3A%22%22%2C%22version%22%3A%221.2.0%22%7D%7D"
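As an added example (this is not code from the original post or from Sonatype), the script below builds the same componentIdentifier, percent-encodes it exactly as the URL-encoded request above does, and then runs the search across every stage rather than only operate, since a component can show up in build or release scans of an application that has not reached production yet. The server URL, the credentials, and the field names it reads from the response (results, applicationName, reportHtmlUrl) are assumptions; the sample response it runs against offline is constructed, not real IQ output.

```python
# Added example (not from the original post or from Sonatype): sweep every
# Nexus IQ stage for one component and list the applications that contain it.
# Assumptions: the IQ server URL and credentials below, and the response field
# names used in affected_applications(); endpoint and query parameters are the
# ones shown in the post.
import base64
import json
import os
import urllib.parse
import urllib.request

IQ_URL = "http://localhost:8070"  # same local server as the post; adjust to yours
# A component can sit in 'build' scans long before (or without ever) reaching
# 'operate', so a portfolio sweep has to ask about every stage.
STAGES = ("develop", "build", "stage-release", "release", "operate")


def component_identifier(name, version, fmt="a-name", qualifier=""):
    """Build the componentIdentifier JSON from the post, compact (no spaces)."""
    ident = {"format": fmt,
             "coordinates": {"name": name, "qualifier": qualifier, "version": version}}
    return json.dumps(ident, separators=(",", ":"))


def search_url(stage_id, identifier, base_url=IQ_URL):
    """Assemble the GET URL, percent-encoding the identifier so that the braces,
    quotes, colons and commas survive the query string. quote (not the default
    quote_plus) is used so nothing is turned into '+'."""
    query = urllib.parse.urlencode(
        {"stageId": stage_id, "componentIdentifier": identifier},
        quote_via=urllib.parse.quote)
    return f"{base_url}/api/v2/search/component?{query}"


def query_stage(stage_id, identifier, user, password, base_url=IQ_URL):
    """One live request with HTTP Basic auth; returns the parsed JSON body."""
    req = urllib.request.Request(search_url(stage_id, identifier, base_url))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def affected_applications(response):
    """Map applicationName -> report link for every hit in one response.
    The field names (results, applicationName, reportHtmlUrl) are an assumption
    about the search response; adjust them if your IQ version differs."""
    return {r["applicationName"]: r.get("reportHtmlUrl", "")
            for r in response.get("results", [])}


def sweep_portfolio(name, version, user, password, stages=STAGES,
                    base_url=IQ_URL, fetch=query_stage):
    """Search each stage in order and collect, per application, the stages in
    which the component was found. `fetch` is swappable so the sweep can run
    offline against sample data."""
    identifier = component_identifier(name, version)
    hits = {}
    for stage in stages:
        for app in affected_applications(fetch(stage, identifier, user, password, base_url)):
            hits.setdefault(app, []).append(stage)
    return hits


# Constructed sample responses (not real IQ output) so the script runs offline:
# two applications pulled the component in at build, only one shipped it.
SAMPLE_HITS = {
    "build": {"results": [
        {"applicationId": "app-1", "applicationName": "webstore",
         "reportHtmlUrl": "ui/links/application/webstore/report/r1", "threatLevel": 9},
        {"applicationId": "app-2", "applicationName": "billing-api",
         "reportHtmlUrl": "ui/links/application/billing-api/report/r2", "threatLevel": 9},
    ]},
    "operate": {"results": [
        {"applicationId": "app-1", "applicationName": "webstore",
         "reportHtmlUrl": "ui/links/application/webstore/report/r3", "threatLevel": 9},
    ]},
}


def fake_fetch(stage_id, identifier, user, password, base_url):
    """Offline stand-in for query_stage, serving the constructed sample above."""
    return SAMPLE_HITS.get(stage_id, {"results": []})


if __name__ == "__main__":
    # The post's demo credentials as defaults; use a dedicated read-only account.
    user = os.environ.get("IQ_USER", "admin")
    password = os.environ.get("IQ_PASSWORD", "admin123")
    fetch = query_stage if os.environ.get("IQ_LIVE") else fake_fetch
    found = sweep_portfolio("conventional-changelog-core", "1.2.0", user, password, fetch=fetch)
    for app, stages in found.items():
        print(f"{app}: {', '.join(stages)}")
```

Run it as-is to see the sweep over the constructed sample; set IQ_LIVE=1 together with IQ_USER and IQ_PASSWORD to query a real IQ Server. If you would rather stay with curl, passing -G together with --data-urlencode 'componentIdentifier={...}' makes curl produce the same percent-encoded query string instead of encoding it by hand.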

Tags: Application Security, devsecops, compliance as code

Written by Ilkka Turunen

Ilkka serves as Field CTO at Sonatype. He is a software engineer with a knack for rapid web-development and cloud computing and with technical experience on multiple levels of the XaaS cake. Ilkka is interested in anything and everything, always striving to learn any relevant skills that help towards building Sonatype for success.