New Integration to Visual Studio Code - Nexus IQ and OSS Index

December 04, 2019 By Allen Hsieh

5 minute read time

Since I’m a developer, I’m gonna bless you with the tl;dr right here. Jump on over to the VS Code Marketplace and check out the new Nexus IQ integration to VS Code. For those of you that want to understand how we built it, why we built it, and the problems it solves, read on for more information.

Innovation Days at Sonatype

While we have had integrations to IDEs for some time, up until now we only supported Eclipse, IntelliJ, and Visual Studio - IDEs that are used primarily for Java and .Net development. However, many of our customers use VS Code to develop their software and asked if we could provide a VS Code extension to scan for vulnerable components. In order to better meet the needs of our customers and the demands of JavaScript, Python, R, and Go developers, Cameron Townshend, a Sonatype Solutions Consultant, started building a VS Code Extension during one of our innovation days.

At Sonatype, we participate in innovation days every two weeks, where employees take a break from their normal work and dive into projects they are interested in. All this activity culminates with a Hack-o-vation week, where larger teams band together to work on new interests or scale prior innovation day projects.

The Nexus Lifecycle (IQ Server) VS Code Extension was started and spearheaded by Cameron during previous innovation days. The first version of the integration was very popular, with over 1,000 downloads, but it only worked with Nexus Lifecycle (IQ Server).

During our recent Hack-o-vation week, a team of developers including Cameron, Adrian Powell (Sonatype developer) and myself (Allen Hsieh) decided to extend the integration to support our free offering, Sonatype OSS Index, so that anyone could start scanning vulnerable open source components and gain insight into the quality of their applications.

VS Code

VS Code by now is something that needs very little introduction. But in case you were thawed from Carbonite recently, Han Solo-style, thanks to a pesky would-be Mandalorian: VS Code is an extremely popular code editor created by Microsoft that is the default development platform for many organizations. In fact, Facebook recently announced that they use it as their default platform.

The new Sonatype VS Code extension was created by developers to help other developers (whoa, Inception!) scan their projects for open source vulnerabilities using OSS Index. It will identify open source policy violations if you are a Nexus Lifecycle customer, and even help if you are not a Nexus Lifecycle customer. It’s dogfooding at its finest, since we have been using it internally and it’s helped us identify a few issues.

Current ecosystems that you can scan against are:

  • npm/yarn
  • Maven
  • RubyGems
  • Go (only supported on Linux and OS X at the moment)
  • R
  • PyPI

The code for the extension is open source as well, meaning if you want to add an ecosystem, you can join in! We’ve attempted to make this easier for you by generating code to help you get started. We at Sonatype care a ton about open source, come get involved with us, the water is totally warm!

Why a VS Code Extension?

We wanted an entry point for developers so that they could learn more about their application’s dependencies. For example, are you using vulnerable component versions, or using a license that could get you into open source hot water? This new extension improves open source language ecosystems overall by creating greater awareness of the open source libraries developers are using.

We also wanted to expand language coverage and make it accessible to all developers. The new VS Code Extension supports more formats than Java and .Net, such as JavaScript via npm/yarn, Python via pip, Ruby via Bundler, Golang, and R. By offering a free option with OSS Index by default or the ability to tie into Nexus Lifecycle instances, this extension can be used by anyone.

OSS Index and Nexus Lifecycle (IQ) Support

The default behavior of the extension audits your dependencies against Sonatype’s free OSS Index. Out-of-the-box, you’ll be able to see your dependencies’ known vulnerabilities for the version being used, the CVSS score, and a link to OSS Index for more information. It looks something like this (thanks to Adrian for the awesome animated gif):

[Animated gif: ossindex-animated-scan]
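To make the audit step concrete, here is an added example that is not code from the extension or from Sonatype. It mirrors what the OSS Index mode does: turn a manifest's dependencies into package-url coordinates, then reduce a component report to the findings a developer should look at first. It assumes a package.json-style `dependencies` map, the `pkg:npm/<name>@<version>` coordinate form, and a response in the shape of the OSS Index v3 component report (`coordinates`, `reference`, `vulnerabilities[]` with `id`, `title`, `cvssScore`, `reference`); the sample manifest, the sample report and every advisory identifier in it are constructed placeholders.

```typescript
// Added example (not the extension's code). Assumptions not taken from the
// post: a package.json-style dependency map, package-url coordinates, and the
// field names of the OSS Index v3 component report. The data below is
// constructed for illustration; the advisory ids are placeholders.

interface Vulnerability {
  id: string;
  title: string;
  cvssScore: number;
  reference: string;
}

interface ComponentReport {
  coordinates: string;
  reference: string;
  vulnerabilities: Vulnerability[];
}

interface Finding {
  coordinates: string;
  id: string;
  title: string;
  cvssScore: number;
  reference: string;
}

// Build package-url coordinates from a "dependencies" map. Range prefixes
// (^, ~) are stripped as a simplification; a real audit reads the pinned
// versions from the lockfile. Scoped names encode the leading "@" as %40,
// which is how the purl spec represents an npm scope (assumption documented).
function npmCoordinates(deps: Record<string, string>): string[] {
  return Object.entries(deps).map(([name, range]) => {
    const version = range.replace(/^[\^~]/, "");
    const purlName = name.startsWith("@") ? "%40" + name.slice(1) : name;
    return `pkg:npm/${purlName}@${version}`;
  });
}

// Flatten a component report into findings at or above a CVSS threshold,
// highest score first, so the worst issue is what the developer sees first.
function findingsAbove(report: ComponentReport[], threshold: number): Finding[] {
  const out: Finding[] = [];
  for (const component of report) {
    for (const v of component.vulnerabilities) {
      if (v.cvssScore >= threshold) {
        out.push({
          coordinates: component.coordinates,
          id: v.id,
          title: v.title,
          cvssScore: v.cvssScore,
          reference: v.reference,
        });
      }
    }
  }
  return out.sort((a, b) => b.cvssScore - a.cvssScore);
}

// Constructed sample manifest (not a real project).
const sampleDependencies: Record<string, string> = {
  "left-lib": "^1.2.3",
  "@acme/other-lib": "4.0.0",
};

// Constructed sample response in the shape of the v3 component report.
const sampleReport: ComponentReport[] = [
  {
    coordinates: "pkg:npm/left-lib@1.2.3",
    reference: "https://ossindex.sonatype.org/component/pkg:npm/left-lib@1.2.3",
    vulnerabilities: [
      { id: "PLACEHOLDER-0001", title: "Prototype pollution (constructed)", cvssScore: 7.5,
        reference: "https://ossindex.sonatype.org/vulnerability/PLACEHOLDER-0001" },
      { id: "PLACEHOLDER-0002", title: "Regular expression denial of service (constructed)", cvssScore: 5.3,
        reference: "https://ossindex.sonatype.org/vulnerability/PLACEHOLDER-0002" },
    ],
  },
  {
    coordinates: "pkg:npm/%40acme/other-lib@4.0.0",
    reference: "https://ossindex.sonatype.org/component/pkg:npm/%40acme/other-lib@4.0.0",
    vulnerabilities: [],
  },
];

// Audit the sample with a "high severity" threshold of CVSS 7.0.
function auditSample(): Finding[] {
  return findingsAbove(sampleReport, 7.0);
}

for (const f of auditSample()) {
  console.log(`${f.coordinates}: ${f.id} (CVSS ${f.cvssScore}) ${f.title} -> ${f.reference}`);
}
```

In the extension the coordinates are sent to OSS Index and the report comes back from the service; the sorting and threshold logic is the part worth copying, since it turns a wall of advisories into an ordered list a developer can act on from inside the editor.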

Even more functionality is unlocked when the VS Code extension is used in conjunction with Nexus Lifecycle. After configuring the extension by entering your Nexus Lifecycle password or user token, you’ll gain the ability to:

  • View the known policy violations for all versions of a dependency within the extension, to easily determine which version is okay to use, given your organization's risk tolerance.
  • Get fine grained details on what caused the policy violation, such as vulnerabilities, license violations, age, quality, etc.
  • View information on security issues via the Security Tab, whether a violation of your policy or not, with information on how to remediate the vulnerabilities from Nexus Intelligence.
  • View additional licensing information in the License tab.

[Animated gif: iq-animated-scan]

As with any tool, there’s a lot of information that I haven’t covered, but you can get intimately familiar with how it works by reviewing the extension’s README file.

Also, please NOTE: This is a community contribution, therefore there is no official support from Sonatype -- however if you have any suggestions or ideas, feel free to get involved and contribute directly here!

Thanks for reading! I hope you get some utility out of this extension, and pop on in to the repository if you’d like to get involved. Open source makes the world better, and we love working with you all!

Tags: Nexus Lifecycle, integration, Nexus IQ, integrations, Product, Community Product, VS Code

Written by Allen Hsieh

Allen Hsieh is a developer on the Developer Experience team at Sonatype. We're building more and better tools for the Open Source community-at-large and developers of all stripes, enabling them to choose the best open source library they can. In his free time, Allen is often thinking about the nuances of modern web frameworks and, apparently, sandwiches.