Smarter Policy and Advanced Component Search With Nexus Lifecycle Updates

June 30, 2022 By Chris Good

5 minute read time

In March, we talked about improvements to the Nexus Lifecycle policy tools and waivers. This month we’ve taken another step forward with better policy and waiver controls. This update helps development teams manage open source software components more easily across their projects.

Nexus Lifecycle improves your development pipeline with management tools that enhance quality and speed delivery, all at scale. This release goes beyond Nexus Lifecycle’s advanced reporting to enhanced searching, and makes policies even more flexible within your existing development tools.

Customized policy

Sonatype Nexus helps ensure that teams are only using the safest and most legally compliant software components, but flexibility is key. Different teams inside your organization have different risk profiles that may justify unique policies.

Just about every organization has a diverse set of projects ranging from internal tools that don’t see the light of day, to crucial software exposed to the internet. For mission-critical application teams, smart and effective security notifications are part of the process. If those same notifications and policy enforcement are applied to internally accessed applications in use by small teams, it could unnecessarily delay releases.

You need smarter software that reacts to your team’s needs and requirements.

Policy enforcement override

Nexus Lifecycle now lets you override corporate policy settings when onboarding new projects to adapt policy enforcement to those specific projects. While providing this flexibility, policy waivers provide all necessary tracking to make sure that the right controls are maintained and nothing crucial is missed.

Policy Enforcement Override will enable customers to onboard applications at scale, while continuing to build software. You can choose to inherit some or all of the base controls, including current waivers and license standards (pictured below).

article-new-feat-06-2022-20220629_2

Sonatype’s Policy Override configuration screen

More controls for security waivers

While Nexus Lifecycle automates many features of the development process for better open source security, some decisions are fully human. The best software tools flag issues for developers within their workflow but without making demands. This keeps development teams in the driver’s seat, for example when a problematic software component:

  • Is used within a carefully controlled environment
  • Has no real alternative

With Nexus Lifecycle, security teams can permit developers to make exceptions, or Waivers, to set aside security and license alerts.

article-new-feat-06-2022-20220629

Example violation Waiver

Option to Waive All Versions

Teams can now create waivers not just for a specific release, but all versions. Current customers can access this by selecting All Components from the Add Waiver screen inside Nexus Lifecycle, as below.

article-new-feat-06-2022-20220629_4

Add waiver screen with the new “All Components” option

Waivers can still be issued for a limited time to ensure they are reviewed again, but a waiver can be created without expiration if necessary.

article-new-feat-06-2022-20220629_6

Screenshot of available Waiver timeframes

This helps address vulnerabilities in necessary component software that cannot be remediated. Waive All Versions helps developers by:

  • Reducing distractions for known issues
  • Freeing up energy spent on managing waivers for also-vulnerable versions

More on Nexus Lifecycle Enhanced Policy Waivers

Advanced search enhancements

During the Log4Shell incident, security leaders wanted to quickly identify every instance of the Log4J component, including safe versions. To address this need, Nexus Lifecycle’s search tool now finds all components in your development lifecycle, not just those marked with a vulnerable status.

Other benefits to better search:

  • Improve maintainability - showing developers what components the organization is already using
  • Software categories - look at all software used in (for example) telemetry, logging, or authentication
  • Resolve compatibility issues - find and resolve beyond just violations, looking at compatibility, less-than-ideal licenses, or yet-to-be-published CVEs

article-new-feat-06-2022-20220629_7

Advanced search prompt screen with available search tags

article-new-feat-06-2022-20220629_5

Search results view for the “Bouncy Castle” vulnerability

Customers can also export search results to a standard comma-separated spreadsheet. This can enable internal component audits, sharing with other teams, or creation of a software supply chain management checklist.

article-new-feat-06-2022-20220629_3

Export results option

More information and a demonstration of Advanced Search functionality from my.sonatype.com is in the video below:

"Have you Heard" Advanced Search video.



All this functionality will be released in version 140 in early July, with the Release Notes updated upon release.

About Nexus Lifecycle

Nexus Lifecycle is a complete software supply chain management solution that works within your development pipeline. It empowers developers to find and fix open source security vulnerabilities at every stage of the software development lifecycle. Request a demo today for Nexus Lifecycle.

Tags: Nexus Lifecycle, search, Product Release, open source development, policy

Written by Chris Good

Chris is a Product Marketing Manager with Sonatype. Originally from Pittsburgh, PA, Chris studied Communications and Computer Science at the University of Pittsburgh. He enjoys working for Sonatype because of the culture here at the company - it is diverse and promotes creativity.