Stay updated on the latest news from
the makers of Nexus
Nexus Lifecycle: Using REST API to identify where newly vulnerable components reside across your application portfolio

Following the recent announcement of the npm package conventional-changelog having a malicious version uploaded (read more in Brian's blog ), I wanted to write a quick tutorial on how customers using Sonatype's Nexus Lifecycle tool can quickly search for a specific component across all the applications they have previously scanned.

When a bad component like the version of conventional-changelog gets out in the wild, it is important to be able to react quickly and find out which applications might be affected.

Nexus Lifecycle contains just the API for this, the Component Search API. I have recorded the video below showing how to use Nexus Lifecycle to find a list of all applications that have this vulnerable component in it.




The search syntax I used in the above video is as follows. I use curl to simplify the request, but feel free to use any method of making http requests.

Plain text:

curl -u admin:admin123 -X GET "http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier={"format":"a-name","coordinates":{"name":"conventional-changelog-core","qualifier":"","version":"1.2.0"}}"
  • stageID tells IQ server which previous scans to look for - depending on which environment. To search for scans with production artifacts you would use 'operate'. Other possible values: develop, build, stage-release, release, operate
  • componentIdentifier contains the search term
  • format corresponds to the type of package you're searching for. In this case we're searching for authoritative javascript packages - a-name for short.
  • name in coordinates corresponds to the name of the package we're searching
  • version is the version you want to search for.

URL Encoded:

To pass the search to the API you must URL encode your component identifier.

curl -u admin:admin123 -X GET "http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier=%7B%22format%22%3A%22a-name%22%2C%22coordinates%22%3A%7B%22name%22%3A%22conventional-changelog-core%22%2C%22qualifier%22%3A%22%22%2C%22version%22%3A%221.9.0%22%7D%7D"





Recent Posts

Posts by Topic

see all

Get Blog Updates