Since I’m a developer, I’m gonna bless you with the tl;dr right here. Jump on over to the VS Code Marketplace and check out the new Nexus IQ integration to VS Code. For those of you that want to understand how we built it, why we built it, and the problems it solves, read on for more information.
Innovation Days at Sonatype
At Sonatype, we participate in innovation days every two weeks, where employees take a break from their normal work and dive into projects they are interested in. All this activity culminates with a Hack-o-vation week, where larger teams band together to work on new interests or scale prior innovation day projects.
The Nexus Lifecycle (IQ Server) VS Code Extension was started and spearheaded by Cameron during previous improvement days. The first version of the integration was very popular with over 1,000 downloads, but it only worked with Nexus Lifecycle (IQ Server).
During our recent Hack-o-vation week, a team of developers including Cameron, Adrian Powell (Sonatype developer) and myself (Allen Hsieh) decided to extend the integration to support our free offering, Sonatype OSS Index, so that anyone could start scanning vulnerable open source components and gain insight into the quality of their applications.
VS Code by now is something that needs very little introduction. But in case you were thawed from Carbonite recently, Han Solo-style, thanks to a pesky would-be Mandalorian - VS Code is an extremely popular code editor created by Microsoft that is the default development platform for many organizations. In fact, Facebook recently announced that they use it as their default platform.
The new Sonatype VS Code extension was created by developers to help other developers (whoa, Inception!) scan their projects for open source vulnerabilities using OSS Index. It will identify open source policy violations if you are a Nexus Lifecycle customer, and it still helps even if you are not one. It’s dogfooding at its finest, since we have been using it internally and it’s helped us identify a few issues.
Current ecosystems that you can scan against are:
- Go (only supported on Linux and OS/X at the moment)
The code for the extension is open source as well, meaning if you want to add an ecosystem, you can join in! We’ve attempted to make this easier for you by generating code to help you get started. We at Sonatype care a ton about open source, come get involved with us, the water is totally warm!
Why a VS Code Extension?
We wanted an entry point for developers so that they could learn more about their application’s dependencies. For example, are you using vulnerable component versions, or using a license that could get you into open source hot water? This new extension improves open source language ecosystems overall by creating greater awareness of the open source libraries developers are using.
OSS Index and Nexus Lifecycle (IQ) Support
The default behavior of the extension audits your dependencies against Sonatype’s free OSS Index. Out-of-the-box, you’ll be able to see your dependencies’ known vulnerabilities for the version being used, the CVSS score, and a link to OSS Index for more information. It looks something like this (thanks to Adrian for the awesome animated gif):
Even more functionality is unlocked when the VS Code extension is used in conjunction with Nexus Lifecycle. After configuring the extension by entering your Nexus Lifecycle password or user token, you’ll gain the ability to
- View the known policy violations for all versions of a dependency within the extension, to easily determine which version is okay to use, given your organization's risk tolerance.
- Get fine-grained details on what caused the policy violation, such as vulnerabilities, license violations, age, quality, etc.
- View information on security issues via the Security Tab, whether a violation of your policy or not, with information on how to remediate the vulnerabilities from Nexus Intelligence.
- View additional licensing information in the License tab.
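To make the default OSS Index audit described above concrete, here is a small added example (not code from the extension or from Sonatype) that turns a Go module list from go.sum into package-url coordinates for the OSS Index component-report API and reduces the report to what the editor surfaces: vulnerability count, worst CVSS score and the OSS Index link. The go.sum content and the API response are constructed samples, and the assumption that OSS Index golang coordinates drop the leading "v" from the version is mine, not stated on the page.

```python
import json
import re
from typing import Dict, List

# Constructed sample go.sum (not from the page). A real go.sum lists each module
# twice: once for the module zip and once for its go.mod file.
GO_SUM = """\
github.com/gorilla/websocket v1.4.0 h1:constructedhash1=
github.com/gorilla/websocket v1.4.0/go.mod h1:constructedhash2=
golang.org/x/text v0.3.0 h1:constructedhash3=
golang.org/x/text v0.3.0/go.mod h1:constructedhash4=
"""

# Constructed OSS Index v3 component-report response for those coordinates
# (shape follows the public API: one entry per coordinate, each with a
# 'reference' link and a list of vulnerabilities carrying a 'cvssScore').
OSS_INDEX_RESPONSE = json.dumps([
    {"coordinates": "pkg:golang/github.com/gorilla/websocket@1.4.0",
     "reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/gorilla/websocket@1.4.0",
     "vulnerabilities": [
         {"id": "CONSTRUCTED-1", "title": "constructed example finding",
          "cvssScore": 7.5,
          "reference": "https://ossindex.sonatype.org/vulnerability/CONSTRUCTED-1"}]},
    {"coordinates": "pkg:golang/golang.org/x/text@0.3.0",
     "reference": "https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/text@0.3.0",
     "vulnerabilities": []},
])

# module path, version (after the leading 'v'), optional '/go.mod' suffix, hash
GO_SUM_LINE = re.compile(r"^(\S+) v(\S+?)(/go\.mod)? h1:")


def gosum_to_purls(text: str) -> List[str]:
    """Build package-url coordinates from go.sum, one per module/version.
    The '/go.mod' rows are skipped so each dependency is reported once.
    Assumption: OSS Index golang coordinates omit the leading 'v'."""
    purls: List[str] = []
    for line in text.splitlines():
        m = GO_SUM_LINE.match(line)
        if not m or m.group(3):
            continue
        purl = f"pkg:golang/{m.group(1)}@{m.group(2)}"
        if purl not in purls:
            purls.append(purl)
    return purls


def request_body(purls: List[str]) -> str:
    """JSON body for POST https://ossindex.sonatype.org/api/v3/component-report."""
    return json.dumps({"coordinates": purls})


def summarize_report(response_json: str) -> Dict[str, dict]:
    """Reduce the report to count of known vulnerabilities, worst CVSS, and link."""
    summary: Dict[str, dict] = {}
    for component in json.loads(response_json):
        vulns = component.get("vulnerabilities", [])
        summary[component["coordinates"]] = {
            "count": len(vulns),
            "max_cvss": max((v.get("cvssScore", 0.0) for v in vulns), default=0.0),
            "reference": component.get("reference"),
        }
    return summary
```

In real use, `request_body(gosum_to_purls(open("go.sum").read()))` is what you would POST to the component-report endpoint, and `summarize_report` is applied to the response body.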
As with any tool, there’s a lot of information that I haven’t covered, but you can get intimately familiar with how it works by reviewing the extension’s README file.
Also, please NOTE: This is a community contribution, therefore there is no official support from Sonatype -- however if you have any suggestions or ideas, feel free to get involved and contribute directly here!
Thanks for reading! I hope you get some utility out of this extension, and pop on in to the repository if you’d like to get involved. Open source makes the world better, and we love working with you all!