
Lifecycle for Developers Quickstart

In this guide, we’ll go over what the Sonatype Lifecycle solution is and how it helps you select better components and build better software, faster. We’ll give you some great tips to get started integrating Lifecycle into your environment, helping you add component intelligence to your everyday workflow.

Build Better Applications with Sonatype Lifecycle

Sonatype Lifecycle acts as the brain for an organization implementing component lifecycle management. In Lifecycle, you’ll find a platform that provides functionality for managing policy, reviewing component and application information, and using our integrations to evaluate applications and repositories.

The Sonatype Platform helps you make informed decisions when selecting components for your projects. By making smart dependency choices up-front, you can focus on your own innovation and let the Sonatype Platform ensure that the elements of your software come from well-maintained, appropriately licensed, and security-conscious projects.

Smarter Remediation

Note

The Advanced Development Pack (ADP) has been integrated into the general Lifecycle product. These changes are accessible with IQ Server version 100 and above. For users with IQ Server versions between 100 and 134, your admin may need to re-upload your organization’s existing Lifecycle license or restart the IQ Server to see these additional capabilities.

Sonatype Lifecycle’s developer features provide development teams with an automated, policy-based dependency management solution. This enables teams to take a more proactive approach to security in their products, resulting in less oversight from external teams and more confidence in their projects, all without losing the momentum of agile development. The enhanced features include:

  • Recommendations for incompatible code with Breaking Changes

  • Dependency insight with the Transitive Solver

  • Suspicious package detection with Release Integrity

  • Guidance on selecting quality components with Hygiene Ratings

These capabilities provide numerous benefits, including the following:

  • Less rework and maintenance. A higher-quality selection of components means teams gain a better understanding of what fits organizational policy requirements.

  • Ease of upgrading. Using Sonatype’s recommendations and single-click migrations will lead to a decreased level of effort when upgrading to the next best OSS component.

  • Improved project quality. Your team will receive early warning of suspicious behavior in code and gain access to components from the best suppliers.

  • Increased bandwidth. Less time spent researching quality OSS components means that teams will have more time to innovate.

Let’s take a look at each feature in more depth.

Breaking Changes

Note

Breaking Changes is currently only available for the Maven ecosystem.

The Sonatype data service monitors Maven libraries for changes in class types, function/method parameters, return types, etc., and reports these as breaking changes. Selecting a component with a breaking change may require changes in the application code to prevent failures.

This feature helps you understand if incompatible code is introduced in the upgrade path of a component. Knowing when incompatible code — or breaking changes — is introduced helps you determine if an upgrade path is a simple version upgrade or if more complex code changes are required.

Component details page showing breaking changes feature

When there are no breaking changes between two versions of a component, there should be little effect on the code of the application itself — you should be able to simply upgrade to the new version of the component and move on. These types of fixes can be prioritized over fixes that might require additional development work. Better yet, if there are no coding changes required, the fix can be automated. Knowing the level of effort that might be required to upgrade to a version that fixes the violation helps you properly prioritize and plan for the work to be done at the appropriate time.

Transitive Solver

Accessible on the Component Details page, Transitive Solver is a set of recommendation strategies that provides insight into a component’s known dependencies. It shows you the link between a transitive and its direct dependency and then helps you quickly focus on what to fix first and how. By providing a recommendation for the direct dependency and its transitive(s), you can be more effective at mitigating risk within your application.

Leveraging the identification and linkages established for Maven, the Transitive Solver introduces additional strategies to our Recommendation Engine:

  • Next version with no policy violations with dependencies

    • Recommends the next version of the component that does not have transitive dependencies that cause violations.

  • Next version that does not fail a build with dependencies

    • Recommends the next version of a component that will not fail a build and takes into account the transitive dependencies.

Component details page showing transitive solver feature

Note

The Transitive Solver currently works on components from the Maven ecosystem only.

If you experience challenges with seeing Transitive Solver recommendations, please refer to this Knowledgebase article.
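The following is an added illustration of the two Transitive Solver strategies and of the breaking-change check described in the Breaking Changes section; it is example code written for this guide, not Sonatype's implementation. The Maven catalogue, threat scores, policy thresholds and breaking-change data are all constructed, and the threshold values (a threat of 4 counts as a violation, 7 fails the build) are assumptions for the example. It walks the transitive closure of each newer version and reports, per strategy, the first version whose whole closure is clean, along with whether the upgrade crosses a breaking change.

```python
"""Constructed illustration of the Transitive Solver strategies plus the
breaking-change effort hint. All data here is made up for the example."""
from collections import deque

# Constructed Maven catalogue: coordinate -> direct dependencies.
DEPS = {
    "org.example:web:1.0": ["org.example:json:1.0", "org.example:log:1.0"],
    "org.example:web:1.1": ["org.example:json:1.1", "org.example:log:1.0"],
    "org.example:web:1.2": ["org.example:json:1.1", "org.example:log:2.0"],
    "org.example:web:2.0": ["org.example:json:1.2", "org.example:log:2.0"],
    "org.example:json:1.0": [],
    "org.example:json:1.1": ["org.example:text:1.0"],
    "org.example:json:1.2": ["org.example:text:1.0"],
    "org.example:log:1.0": [],
    "org.example:log:2.0": [],
    "org.example:text:1.0": [],
}
# Constructed highest security threat (0-10) per coordinate; unlisted = 0.
THREAT = {"org.example:json:1.0": 9, "org.example:json:1.1": 5, "org.example:log:1.0": 5}
# Assumed policy: threat >= 4 is a violation, threat >= 7 fails the build.
VIOLATION_THRESHOLD = 4
BUILD_FAIL_THRESHOLD = 7
# Constructed breaking-change data: versions that changed the public API.
BREAKING_VERSIONS = {"org.example:web": {"2.0"}}


def split_coord(coord):
    """'group:artifact:version' -> ('group:artifact', (major, minor, ...))."""
    name, version = coord.rsplit(":", 1)
    return name, tuple(int(p) for p in version.split("."))


def closure(coord):
    """Breadth-first walk: the component plus all of its transitive dependencies."""
    seen, queue = {coord}, deque([coord])
    while queue:
        for dep in DEPS.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def findings(coord, threshold):
    """Coordinates in the closure whose threat reaches the threshold, with the score."""
    return sorted((c, THREAT.get(c, 0)) for c in closure(coord) if THREAT.get(c, 0) >= threshold)


def newer_versions(coord):
    """Catalogue versions of the same artifact newer than coord, oldest first."""
    name, current = split_coord(coord)
    newer = [c for c in DEPS if split_coord(c)[0] == name and split_coord(c)[1] > current]
    return sorted(newer, key=lambda c: split_coord(c)[1])


def next_clean_version(coord, threshold):
    """First newer version whose whole closure stays below the threshold, or None."""
    for candidate in newer_versions(coord):
        if not findings(candidate, threshold):
            return candidate
    return None


def crosses_breaking_change(current, candidate):
    """True if any version in (current, candidate] introduced a breaking change."""
    name, lo = split_coord(current)
    _, hi = split_coord(candidate)
    return any(lo < tuple(int(p) for p in v.split(".")) <= hi
               for v in BREAKING_VERSIONS.get(name, ()))


def recommend(coord):
    """Both strategies, each paired with the effort hint from breaking-change data."""
    result = {}
    for label, threshold in (("no_policy_violations", VIOLATION_THRESHOLD),
                             ("does_not_fail_build", BUILD_FAIL_THRESHOLD)):
        target = next_clean_version(coord, threshold)
        result[label] = {
            "version": target,
            "breaking_change": bool(target) and crosses_breaking_change(coord, target),
        }
    return result


if __name__ == "__main__":
    current = "org.example:web:1.0"
    print("build-failing findings:", findings(current, BUILD_FAIL_THRESHOLD))
    for label, rec in recommend(current).items():
        print(f"{label}: {rec['version']} (breaking change: {rec['breaking_change']})")
```

For `org.example:web:1.0` the two strategies disagree: the first version that no longer fails the build is 1.1 (its closure still carries medium-threat components), while the first version with no violations at all is 2.0, which the breaking-change data flags as needing code changes. That difference is exactly the planning information the two sections above describe.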

Release Integrity

The Release Integrity feature detects risky component version releases by monitoring activity in the software supply chain, detecting suspicious behavior, and flagging affected releases as such.

Component versions with detected abnormal behavior will be rated as “Suspicious” in red on the Component Details page.

Component details page showing release integrity feature

Hygiene Ratings

Health & Hygiene provides data to help ensure you are only using open-source components from the best suppliers. This leads to an increase in the quality of your applications and reduces your risk of productivity loss. A supplier in this case is a project that produces the components that are consumed in your applications.

A Hygiene Rating is used to summarize the health of a supplier:

  • Exemplary suppliers are those that exhibit behaviors we’ve identified as important to producing quality open-source software (State of the Software Supply Chain Report, 2021) within their ecosystem.

  • Laggards are the opposite end of this spectrum and should be avoided where possible.

  • Neutral suppliers lack any significant positive or negative behaviors.

Component details page showing hygiene rating feature

Sonatype Integrations for Developers

Integrating with Sonatype Lifecycle provides an easy way to add component intelligence to your development process and build better applications. Whether it’s viewing component information in your IDE, or adding evaluation results to your Jenkins builds, developers can use Lifecycle data to be more efficient at their jobs — without sacrificing speed and reliability.

The Sonatype Integrations team works hard to make sure developers have a great experience with Lifecycle. They want to make your job easier, and they’ve come up with some great integrations and plugins to help you do just that.

Sonatype Intelligence in your IDE

For developers, Sonatype Lifecycle IDE integrations are designed to work in an environment you’re familiar with. Immediate feedback on component quality, including architectural, licensing, and security information, is available right in your IDE, letting you make informed decisions about component selection.

This means you can proactively make changes and choose better components before any build warnings or failures. Our IDE integrations let you quickly vet components used in an application against your organization’s open-source policies, greatly reducing time wasted with complicated and exhaustive research. The graphic and information below provide an example of the data you’ll have access to with an IDE and Lifecycle integration:

Example IQ Server integration with Eclipse

1. Component List. This is where you will see a list of components found in your project, identified by their artifact identifier and version number. The color indicator signals potential violations (red=severe, orange=medium, yellow=low, blue=none). Components with a darker font are direct dependencies included in your application. Components brought in via a transitive dependency are displayed with a lighter font.

2. Recommended Versions. The recommended version is based on the availability of a newer version of the same component that does not violate any configured policies for the application. If such a version exists, a hyperlink is displayed with the suggested version. Clicking on the link selects the recommended version in the version graph and populates the version details with information about this version.

3. Version Graph. Shows various properties for different available versions of the selected component. Older versions are displayed on the left and newer versions on the right. Arrows to the left and right of the graph let you view the full range of available versions. Click on any section in the graph, and all information for that particular version is displayed.

4. Version Details. Displays details of the selected component and version. Details include: component identifiers (which differ depending on the language), version, overridden license, declared license, observed license, highest policy threat, highest security threat, age, identification source, and a link to the project website.

5. View Details and Migrate buttons. The View Details button opens a dialog showing you a list of all the policies that have been violated by the component; the threat levels posed by the licenses declared for each component, as well as those that have been observed in the source code; and a list of security issues found. When you select a different, non-vulnerable version than the one currently used, the Migrate button becomes active. Pressing the button opens a dialog that assists you in the migration to the newer component.

View Evaluation Results in Source Control Management

Sonatype Lifecycle for Source Control Management (SCM) is a set of features that enables developers to get early insight into code changes. We do this by working in tandem with continuous integration (CI) to push policy information about an application’s components directly into SCM.

Sonatype Lifecycle for SCM has the following features:

  • Automated commit feedback: Sonatype Lifecycle for SCM puts the information needed to quickly remediate vulnerabilities in software solutions at the fingertips of developers by pushing policy evaluation information into SCM commits and pull requests (PRs), where developers work.

  • Automated pull requests: Sonatype Lifecycle for SCM will automatically create pull requests for policy violations on components that have an available version that remediates those violations.

  • Pull request commenting: Sonatype Lifecycle for SCM adds a comment to pull requests for repositories configured for source control when the PR introduces a new policy violation.

To use Sonatype Lifecycle for SCM, first configure Lifecycle to allow access to the company’s Source Control Management platform. For large organizations, we recommend enabling automatic source control, which lets CI and CLI integrations configure application source control connections when running from a locally cloned repository (a common practice in CI systems).

Once configured, commits will immediately receive automated commit feedback.

example of IQ server integrating with GitHub
example of IQ server integrating with GitLab

Clicking the Details link or Status opens the Lifecycle Application Evaluation report. There, you’ll see the version of the component currently in use, along with its other vulnerable and non-vulnerable versions.

When Lifecycle for SCM is enabled and appropriately configured, applications will also start seeing automated pull requests for any new policy violations with suggested remediation.

Automated pull requests in IQ for SCM

For more information, please see our Lifecycle for SCM help documentation.

Automatically Create Tickets with the Jira Plugin

The Sonatype Lifecycle Jira Plugin lets you automate the creation of Jira tickets for policy violations, allowing development teams to focus on application security. The plugin uses a Lifecycle webhook violation event to trigger ticket creation whenever new violations occur. When an issue is found, a Jira ticket is created for the linked application, with one ticket per component.

For programmers, this means that you can easily find and triage policy violations with a tool that you’re already using for story tracking and bug fixes.

example Jira ticket created by IQ Server
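As an added example of what a webhook-driven ticketing integration like the one above has to do, here is a constructed receiver that authenticates a violation event and then collapses its alerts into one ticket per component. This is not the Jira Plugin's code. Two things are assumptions: the `X-Nexus-Webhook-Signature` header carrying a hex HMAC-SHA1 of the raw body under the shared webhook secret (the Nexus-style scheme; confirm it against your IQ Server's webhook documentation), and the layout of `SAMPLE_EVENT`, whose field names are illustrative rather than an official schema. The security-relevant point is the order of operations: the body is verified before it is parsed, and an unverified request creates nothing.

```python
"""Constructed Lifecycle violation-webhook receiver that groups alerts into one
ticket per component. Header name, HMAC scheme and payload layout are assumptions."""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-nexus-webhook-signature"  # assumed header name (Nexus-style webhooks)

# Constructed event payload; field names are illustrative, not an official schema.
SAMPLE_EVENT = {
    "applicationEvaluation": {"application": {"publicId": "web-store"}, "stage": "build"},
    "policyAlerts": [
        {"policyName": "Security-High", "threatLevel": 9,
         "componentFacts": [{"displayName": "org.example:json:1.0"}]},
        {"policyName": "License-Copyleft", "threatLevel": 7,
         "componentFacts": [{"displayName": "org.example:json:1.0"}]},
        {"policyName": "Security-Medium", "threatLevel": 5,
         "componentFacts": [{"displayName": "org.example:log:1.0"}]},
    ],
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT).encode()


def sign(body: bytes, secret: str) -> str:
    """Hex HMAC-SHA1 of the raw request body under the shared webhook secret."""
    return hmac.new(secret.encode(), body, hashlib.sha1).hexdigest()


def verify_signature(headers: dict, body: bytes, secret: str) -> bool:
    """Constant-time comparison; a missing or altered header fails closed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(presented, sign(body, secret))


def tickets_from_event(event: dict) -> list:
    """Collapse policy alerts into one ticket per component, sorted by component."""
    app = event["applicationEvaluation"]["application"]["publicId"]
    by_component = {}
    for alert in event.get("policyAlerts", []):
        for fact in alert.get("componentFacts", []):
            name = fact["displayName"]
            t = by_component.setdefault(name, {"application": app, "component": name,
                                               "policies": set(), "highest_threat": 0})
            t["policies"].add(alert["policyName"])
            t["highest_threat"] = max(t["highest_threat"], alert["threatLevel"])
    tickets = []
    for name in sorted(by_component):
        t = by_component[name]
        policies = sorted(t["policies"])
        summary = f"[{app}] {name}: {', '.join(policies)} (threat {t['highest_threat']})"
        tickets.append({**t, "policies": policies, "summary": summary})
    return tickets


def handle_webhook(headers: dict, body: bytes, secret: str) -> list:
    """Authenticate first, then parse; never create tickets from an unverified body."""
    if not verify_signature(headers, body, secret):
        raise PermissionError("webhook signature mismatch")
    return tickets_from_event(json.loads(body))


if __name__ == "__main__":
    secret = "example-secret"  # constructed; a real secret comes from the webhook config
    headers = {"X-Nexus-Webhook-Signature": sign(SAMPLE_BODY, secret)}
    for ticket in handle_webhook(headers, SAMPLE_BODY, secret):
        print(ticket["summary"])
```

Note that the signature is computed over the raw bytes as received, before any JSON decoding; re-serializing the parsed object can change whitespace or key order and would make a valid signature fail.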

Block Bad Components with Sonatype Firewall

Sonatype Firewall automatically quarantines components that violate policy, preventing quality issues from entering the software you’re developing. This process immediately reduces risk and avoids wasteful rework down the line.

Firewall works by providing Audit and Quarantine features that protect your development environment from risky or undesirable components. When Audit is enabled, adding components to or deleting them from a proxy repository causes your Repository Manager to contact IQ Server and evaluate the components in that proxy repository. If violations are found, they’re summarized in your Repository Manager and detailed in IQ Server.

For example, in Nexus Repository 3, the results of an audit are summarized in the IQ Policy Violations column of the Repositories view as shown in the image below.

example integration between Nexus Repo Manager 3 and Firewall

Here, you’ll see (1) a count of components by their highest violation level, (2) a count of quarantined components, and (3) a link to Repository Results on IQ Server.

Evaluate Scan Results in your CI Server

Sonatype Lifecycle can analyze the components used in your software development for security and license characteristics. When integrated with a continuous integration server, this analysis runs on a regular basis, potentially with each build that runs on the server.

The Sonatype Platform Plugin for Jenkins scans a build workspace for components, creates a summary file about all the components found, and then submits that file to Lifecycle for a detailed policy evaluation. A report is generated containing a detailed analysis of security and license information, and a summary of that report is sent back to the Jenkins server to be included in the build results. The link to the detailed evaluation report can be followed from the Jenkins UI.

example IQ integration with Jenkins

Sonatype also has integrations with other CI servers, like Bamboo, Azure DevOps, and GitLab CI. All of our CI tools let you perform a full security and license analysis of the artifacts produced by the configured build, backed by Sonatype Lifecycle, with easy access to the application composition report.

Inspect Packages with the Chrome Extension

The Sonatype Lifecycle Chrome Extension lets you inspect a package before you download it. The extension requires a valid Sonatype Lifecycle license. Once it is installed in your Chrome browser, you can scan packages from several repositories, such as Maven, npm, NuGet, and PyPI, just to name a few.

Example of the Sonatype Lifecycle Chrome Extension open

With the Chrome Extension, you’ll have access to Lifecycle data like component info (format, package, version), security (severity, source, threat category, reference details), licensing (declared and observed), and most importantly, remediation (version history, recommended version).

For more information, please see the Sonatype Lifecycle Chrome Extension project on GitHub.

Scan Projects with our Community Tools

OSS Index is an open-source community service aggregating security data from trusted sources like the Common Vulnerabilities and Exposures (CVE) list.

OSS Index provides comprehensive ecosystem support and makes it easy to get started incorporating security data into your favorite toolchain and workflow thanks to a growing list of community integrations. The following open-source scanning tools are available for analysis in your development environment:

  • AuditJS scans JavaScript projects for vulnerable third-party dependencies.

  • Nancy scans Golang projects for vulnerable third-party dependencies.

  • Chelsea is a CLI application written in Ruby, designed to allow you to scan your RubyGem-powered projects and report on any vulnerabilities in your third-party dependencies.

  • Jake is a tool to check for vulnerabilities in your Conda environments, powered by Sonatype OSS Index, that can also be used with Sonatype’s Lifecycle.

To learn more about how you can integrate open-source vulnerability information across your development toolchain with pre-built tools and applications, see our OSS Index Integrations page.
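The community scanners listed above all rest on the same mechanism: turn each dependency into a package URL, send batches of coordinates to the OSS Index component-report endpoint, and filter the returned vulnerabilities. The following added example shows that mechanism in plain Python; it is not the code of AuditJS, Nancy, Chelsea or Jake. The endpoint, request body, response field names and the 128-coordinates-per-request limit are as I understand the public v3 API and should be confirmed against the OSS Index documentation; `SAMPLE_REPORT` is a constructed response whose vulnerability ids are placeholders, not real advisories, and `fetch_report` is the only part that touches the network and is not exercised offline.

```python
"""Constructed OSS Index component-report client. API shape is as I understand
the public v3 API; the sample report and its ids are made up for this example."""
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_COORDINATES_PER_REQUEST = 128  # per-request batch limit, as I understand it


def purl(ecosystem: str, name: str, version: str) -> str:
    """Build a package URL; a namespace (Maven group, npm scope) is percent-encoded."""
    namespace, _, bare = name.rpartition("/")
    path = f"{quote(namespace, safe='')}/{bare}" if namespace else bare
    return f"pkg:{ecosystem}/{path}@{version}"


def batches(coordinates: list, size: int = MAX_COORDINATES_PER_REQUEST) -> list:
    """Split the coordinate list into request bodies that respect the batch limit."""
    return [{"coordinates": coordinates[i:i + size]}
            for i in range(0, len(coordinates), size)]


def fetch_report(body: dict) -> list:
    """Live call (not run offline): POST one batch and return the JSON array."""
    req = Request(OSS_INDEX_URL, data=json.dumps(body).encode(), method="POST",
                  headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def findings(report: list, min_cvss: float = 0.0) -> list:
    """Flatten a report into (coordinate, id, cvss, title), highest CVSS first."""
    out = []
    for entry in report:
        for vuln in entry.get("vulnerabilities", []):
            score = float(vuln.get("cvssScore") or 0.0)  # unscored entries sort last
            if score >= min_cvss:
                out.append((entry["coordinates"], vuln.get("id"), score, vuln.get("title", "")))
    return sorted(out, key=lambda f: (-f[2], f[0]))


# Constructed response in the report's shape; ids and titles are placeholders.
SAMPLE_REPORT = [
    {"coordinates": "pkg:npm/%40example/widget@1.2.0",
     "vulnerabilities": [{"id": "EXAMPLE-VULN-1", "title": "example high finding", "cvssScore": 7.5},
                         {"id": "EXAMPLE-VULN-2", "title": "example medium finding", "cvssScore": 5.3}]},
    {"coordinates": "pkg:pypi/example-lib@0.9.0", "vulnerabilities": []},
    {"coordinates": "pkg:maven/org.example/web@2.0",
     "vulnerabilities": [{"id": "EXAMPLE-VULN-3", "title": "example critical finding", "cvssScore": 9.8}]},
]

if __name__ == "__main__":
    coords = [purl("npm", "@example/widget", "1.2.0"),
              purl("pypi", "example-lib", "0.9.0"),
              purl("maven", "org.example/web", "2.0")]
    print(json.dumps(batches(coords), indent=2))
    # Offline: filter the constructed report instead of calling fetch_report().
    for coordinate, vuln_id, score, title in findings(SAMPLE_REPORT, min_cvss=7.0):
        print(f"{score:>4}  {vuln_id:<15} {coordinate}  {title}")
```

The `min_cvss` filter is where a scanner's "fail the build" threshold lives; the same flattened list can also be fed into Lifecycle policy evaluation, which is how Jake's optional Lifecycle mode differs from a plain OSS Index lookup.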