This guide helps you get IQ Server up and running so you can try out Nexus Lifecycle functionality before installing it in your development environment. It should take about 15 minutes to complete using reference policies and applications.
NOTE: Nexus Lifecycle requires a license to experience the functionality described in this guide. If you are looking to try or purchase Nexus Lifecycle, contact us and we’ll be happy to assist.
Step 1: Installing & Starting IQ Server
Installing the IQ server is done in a few easy steps - pick a location, download the archived server, and unpack the contents. Since we’re not focused on mimicking a production experience, most laptop and desktop configurations should run IQ Server with no problem. If you are looking to plan for the future, be sure to review the Installation Requirements.
- Create an installation directory in your desired location.
- Download the latest version of IQ Server to the installation directory.
- Extract the tar.gz or .zip file.
Once you’ve extracted the contents, follow the steps below to run IQ Server:
- Using a command line interface, switch to the nexus-iq-server bundle directory in your installation directory, e.g.
- Run one of the following commands to start IQ Server:
- Linux or Mac:
- Open IQ Server in a browser using the default URL:
- Log in using the default Administrator account:
- Username: admin
- Password: admin123
- Install the required product license supplied to you by the Sonatype Support team.
- Click Install License.
- Navigate to the license file (.lic) and click Open.
- Click I Accept to accept the End User License Agreement.
NOTE: IQ Server needs access to an external data service to perform evaluations, which may be blocked in your internal environment. For a workaround, see Running IQ Server Behind an HTTP Proxy Server.
Evaluating an application through the User Interface uploads the binary to your IQ Server. If you are working on a slower connection, or over a VPN, this means longer analysis times.
Step 2: Importing Reference Policies
NOTE: As of version 1.44, reference policies are automatically created for new IQ Server installations.
Policy is at the core of IQ Server’s automation capabilities. This is true for both Nexus Firewall and Nexus Lifecycle. While you can create a completely custom set of policies, the Sonatype Reference Policy Set is the quickest way to get started. This set includes multiple policies for triggering violations on security vulnerabilities, licensing issues, architecture issues, and more.
The Reference Policy Set is downloaded and imported into the Root Organization automatically when IQ server is started for the first time.
Step 3: Configuring Policy Actions
NOTE: As of version 1.43, new IQ Server installations are automatically populated with a sandbox organization and application.
When evaluating applications, understanding IQ Server’s system hierarchy is critical: Root Organization, organization, and application. This means policies and other configuration items are inherited from the Root Organization on down. This allows for easier policy management especially when you have multiple organizations and applications. To get started evaluating applications, you need at least one organization and a corresponding application.
For this guide, we suggest using the provided ‘sandbox’ organization and application populated with sample data to get started learning the concepts.
NOTE: We recommend you delete the sandbox data when it’s no longer needed (i.e. you have onboarded your own organizations and applications).
Step 4: Evaluating Applications
After you install, start, and configure IQ Server, you are ready to evaluate applications. If you need a sample application, go ahead and download WebGoat (webgoat-container-x.x.x-war-exec.jar) at https://github.com/WebGoat/WebGoat/releases.
To evaluate an application:
- In the Organization & Policies area, select the sandbox application in the sidebar. The file that you evaluate will be associated with this application.
- Go to the Actions menu, and click Evaluate Binary.
- In the Evaluate a Binary dialog:
- Click Choose File or Browse, select the file to evaluate, and click Open.
- Select any stage to associate with the evaluation, for example Build.
- Click No to prevent sending notifications of policy violations as defined in the policy’s configuration settings.
- Click Upload to begin evaluating the selected application.
When the evaluation is complete, click View Report to open the Application Composition Report for the evaluated application.
Step 5: Reviewing Results
Once evaluated, the results of a binary evaluation are displayed in the Application Composition Report, which you can always access by clicking the Reporting icon on the IQ Server toolbar.
The Application Composition Report is made up of several different sections:
- The Summary section is at the top of the main content area. It shows you the report title, date, and high-level statistics on violation counts, identified component counts, and grandfathered violation counts.
- The Policy Violations table shows a list of all components found during the scan of the application, with components ordered by worst policy violation. You can sort the table by threat level, policy name, and component name, and filter via the policy name and the component name.
- The Filter sidebar displays to the left of the Summary and Policy Violations table. It includes controls for violation aggregation and lets you filter by proprietary, component match state, violation state, policy type, and policy threat level.
- The Raw Data view is available from the Options menu. It displays raw, lower-level data resulting from analysis performed by Sonatype’s Hosted Data Services. The Raw Data view does not show information resulting from policies configured in the IQ Server.
For a more thorough explanation of the report, see Application Composition Report.
Step 6: Investigating & Remediating Violations
In the Application Composition Report, you can drill down to learn specific details about a violation. From the Policy Violation table, click an individual component to open the Component Information Panel (CIP). The CIP displays many details, which are divided into different sections or tabs.
To get you started using the CIP, take a look at these sections:
- Component Info - In the graph, move the vertical bar to learn the differences between versions of a component.
- Policy - Click the Waive button to force IQ Server to ignore a policy violation.
- Licenses - Track your research about a particular license and even override one.
- Vulnerabilities - Click the Info icon for a thorough explanation of a component’s vulnerability and a recommended action.
This is just a small sample of the component information available in the CIP. For a complete discussion of the CIP, see Component Information Panel.