Following the recent announcement of the npm package conventional-changelog having a malicious version uploaded (read more in Brian's blog post), I wanted to write a quick tutorial on how customers using Sonatype's Nexus Lifecycle tool can quickly search for a specific component across all the applications they have previously scanned.
When a bad component like this version of conventional-changelog gets out in the wild, it is important to be able to react quickly and find out which applications might be affected. Nexus Lifecycle contains just the API for this, the Component Search API. I have recorded the video below showing how to use Nexus Lifecycle to find a list of all applications that contain this vulnerable component.
The search syntax I used in the above video is as follows. I use curl to simplify the request, but feel free to use any method of making HTTP requests.
curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier={"format":"a-name","coordinates":{"name":"conventional-changelog-core","qualifier":"","version":"1.2.0"}}'
To pass the search to the API, you must URL-encode the component identifier (the JSON object in the componentIdentifier parameter). The encoded form of the request looks like this:
curl -u admin:admin123 -X GET "http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier=%7B%22format%22%3A%22a-name%22%2C%22coordinates%22%3A%7B%22name%22%3A%22conventional-changelog-core%22%2C%22qualifier%22%3A%22%22%2C%22version%22%3A%221.9.0%22%7D%7D"
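The following script is an added example, not code from the original post or from Sonatype: it builds the componentIdentifier JSON for an npm package, URL-encodes it exactly as the curl command above does, and reduces the search response to a list of affected applications so the result can be triaged or fed into a ticketing system. The IQ_URL / IQ_USER / IQ_PASSWORD environment variables, the function names, and the response fields (applicationName, stageId, reportHtmlUrl) are assumptions; the sample response embedded below is constructed so the parsing can be exercised offline.

```python
"""Added example (not from the original post): search Nexus Lifecycle for one
component and list the applications whose scans contain it.

Assumptions: the environment variables IQ_URL / IQ_USER / IQ_PASSWORD, the
function names here, and the response fields used in SAMPLE_RESPONSE.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from base64 import b64encode


def component_identifier(name: str, version: str, fmt: str = "a-name") -> dict:
    """Build the componentIdentifier object for an npm package (format "a-name")."""
    return {"format": fmt, "coordinates": {"name": name, "qualifier": "", "version": version}}


def build_search_url(base_url: str, identifier: dict, stage_id: str = "operate") -> str:
    """Serialise the identifier compactly and percent-encode it as a query parameter.

    safe="" makes braces, quotes, colons and commas come out as %7B %22 %3A %2C,
    matching the hand-encoded curl request above.
    """
    compact = json.dumps(identifier, separators=(",", ":"))
    query = urllib.parse.urlencode(
        {"stageId": stage_id, "componentIdentifier": compact},
        quote_via=urllib.parse.quote,
        safe="",
    )
    return f"{base_url.rstrip('/')}/api/v2/search/component?{query}"


def affected_applications(response: dict) -> list:
    """Reduce a search response to (application, stage, report URL) tuples."""
    return [
        (r.get("applicationName") or r.get("applicationId"), r.get("stageId"), r.get("reportHtmlUrl"))
        for r in response.get("results", [])
    ]


def search(base_url: str, user: str, password: str, identifier: dict, stage_id: str = "operate") -> dict:
    """Run the search with HTTP basic auth and return the decoded JSON body."""
    url = build_search_url(base_url, identifier, stage_id)
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample of what a hit looks like; field names are an assumption.
SAMPLE_RESPONSE = {
    "results": [
        {
            "applicationId": "webstore-ui",
            "applicationName": "Webstore UI",
            "stageId": "operate",
            "reportHtmlUrl": "ui/links/application/webstore-ui/report/EXAMPLE-REPORT-ID",
        },
        {
            "applicationId": "build-tools",
            "applicationName": "Build Tools",
            "stageId": "operate",
            "reportHtmlUrl": "ui/links/application/build-tools/report/EXAMPLE-REPORT-ID-2",
        },
    ]
}


if __name__ == "__main__":
    # Usage: python search_component.py <npm-package-name> <version>
    name, version = (sys.argv[1:3] + ["conventional-changelog-core", "1.9.0"])[:2]
    ident = component_identifier(name, version)
    base = os.environ.get("IQ_URL", "http://localhost:8070")
    user = os.environ.get("IQ_USER", "admin")
    password = os.environ.get("IQ_PASSWORD", "admin123")
    try:
        body = search(base, user, password, ident)
    except OSError as exc:  # server unreachable: fall back to the constructed sample
        print(f"request failed ({exc}); showing constructed sample data", file=sys.stderr)
        body = SAMPLE_RESPONSE
    for app, stage, report in affected_applications(body):
        print(f"{app}\t{stage}\t{report}")
```

Credentials are read from the environment rather than typed on the command line so they do not land in shell history; the same encoding could be produced from curl alone with `curl -G --data-urlencode 'componentIdentifier={...}'`, which avoids hand-encoding the JSON.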