In this guide, we’ll go over what the IQ Server is and how it helps you select better components and build better software, faster. We’ll give you some great tips to get started integrating the IQ Server into your environment, helping you add component intelligence to your everyday workflow.
Build Better Applications with the IQ Server
The Nexus IQ Server acts as the brain for an organization implementing component lifecycle management. In IQ, you’ll find a platform that provides functionality for managing policy, reviewing component and application information, and using our integrations to evaluate applications and repositories.
Nexus IQ provides a platform that helps you make informed decisions when selecting components for your projects. By making smart dependency choices up-front, you can focus on your own innovation and let Nexus IQ Server ensure that the elements of your software come from well-maintained, appropriately licensed, and security-conscious projects.
Smarter Remediation with the ADP
The Advanced Development Pack, or ADP, is an add-on feature to Nexus Lifecycle that provides development teams an automated, policy-based dependency management solution. The Advanced Development Pack includes the following capabilities and features:
- Recommendations for incompatible code with breaking changes
- Dependency insight with the transitive solver
- Suspicious package detection with release integrity
- Select quality components with hygiene ratings
These capabilities put control back into the development teams’ hands, helping them engage in proactive dependency management practices without losing the momentum of agile development. Using the Advanced Development Pack, teams will see the following benefits:
- Less rework and maintenance. A higher-quality selection of components means you’ll gain a better understanding of what fits organizational policy requirements.
- Ease of upgrading. Using our recommendations and single-click migrations will lead to a decreased level-of-effort when upgrading to the next best OSS component.
- Improved project quality. We’ll give you early warning of suspicious behavior in code and access to components from the best suppliers.
- Increased bandwidth. Less time spent researching quality OSS components means you’ll have more time to innovate.
Nexus Integrations for Developers
Integrating with the Nexus IQ Server provides an easy way to add component intelligence to your development process and build better applications. Whether it’s viewing component information in your IDE, or adding evaluation results to your Jenkins builds, developers can use IQ Server data to be more efficient at their jobs — without sacrificing speed and reliability.
The Sonatype Nexus Integrations team works hard to make sure developers have a great experience with the IQ Server. They want to make your job easier, and they’ve come up with some great integrations and plugins to help you do just that.
Nexus Intelligence in your IDE
For developers, Nexus IQ Server IDE integrations are designed to work in an environment you’re familiar with. Immediate feedback on component quality, including architectural, licensing, and security information, is available right in your IDE, letting you make informed decisions about component selection.
This means you can proactively make changes and choose better components before any build warnings or failures. Our IDE integrations let you quickly vet components used in an application against your organization’s open source policies, greatly reducing time wasted with complicated and exhaustive research. The graphic and information below provide an example of the data you’ll have access to with an IDE and IQ integration:
- Component List. This is where you will see a list of components found in your project, identified by their artifact identifier and version number. The color indicator signals potential violations (red=severe, orange=medium, yellow=low, blue=none). Components with a darker font are direct dependencies included in your application. Components brought in via a transitive dependency are displayed with a lighter font.
- Recommended Versions. The recommended version is based on the availability of a newer version of the same component that does not violate any configured policies for the application. If such a version exists, a hyperlink is displayed with the suggested version. Clicking on the link selects the recommended version in the version graph and populates the version details with information about that version. For more information, see our help docs on IDE Recommended Versions.
- Version Graph. Shows various properties for the different available versions of the selected component. Older versions are displayed on the left and newer versions on the right. Arrows to the left and right of the graph let you view the full range of available versions. Click on any section in the graph, and all information for that particular version is displayed. For more information, see our help docs on the IDE Component Info View.
- Version Details. Displays details of the selected component and version. Details include: component identifiers (these differ depending on the language), version, overridden license, declared license, observed license, highest policy threat, highest security threat, age, identification source, and a link to the project website (if available). For more information, see our help docs on the IDE Version Details.
- View Details and Migrate buttons. The View Details button opens a dialog showing you a list of all the policies that have been violated by the component; the threat levels posed by the licenses declared for each component, as well as those that have been observed in the source code; and a list of security issues found. When you select a different, non-vulnerable version than the one currently used, the Migrate button becomes active. Pressing the button opens a dialog that assists you in the migration to the newer component.
View Evaluation Results in Source Control Management
Nexus IQ for Source Control Management (SCM) is a set of features that enables developers to get early insight into code changes. We do this by working in tandem with continuous integration (CI) to push policy information about an application’s components directly into SCM.
Currently, Nexus IQ for SCM has the following features:
- Automated commit feedback: Nexus IQ for SCM puts the information needed to quickly remediate vulnerabilities in software solutions at the fingertips of developers by pushing policy evaluation information into SCM commits and pull requests (PRs), where developers work.
- Automated pull requests: Nexus IQ for SCM will automatically create pull requests for policy violations on components that have an available version which remediates those violations.
- Pull request commenting: Nexus IQ for SCM adds a comment to pull requests for repositories configured for source control when the PR introduces a new policy violation.
To use Nexus IQ for SCM, first configure the IQ Server to allow access to the company’s Source Control Management platform. For large organizations, we recommend enabling automatic source control, which lets CI and CLI integrations configure an application’s source control connection when running from a locally cloned repository (a common practice in CI systems).
Once configured, commits will immediately receive automated commit feedback.
Clicking the Details link, or Status, opens the IQ Application Evaluation report. There, you’ll see the current version used, and other vulnerable and non-vulnerable versions, of that component.
When IQ for SCM is enabled and appropriately configured, applications will also start seeing automated pull requests for any new policy violations with suggested remediation.
Automatically Create Tickets with the Jira Plugin
The Nexus IQ Jira Plugin lets you automate the creation of Jira tickets for policy violations, allowing development teams to focus on application security. The plugin uses a new IQ Server webhook violation event to trigger the creation of tickets whenever new violations occur. When a violation is found, a Jira ticket is created for the linked application, with one ticket created automatically per component.
For programmers, this means that you can easily find and triage policy violations with a tool that you’re already using for story tracking and bug fixes.
Block Bad Components with Firewall
Nexus Firewall automatically quarantines components that violate policy, preventing quality issues from entering the software you’re developing. This process immediately reduces risk and avoids wasteful rework down the line.
Firewall works by providing Audit and Quarantine features that give you a way to protect your development environment from risky or undesirable components. When Audit is enabled, adding components to or deleting them from a proxy repository causes your Repository Manager to contact IQ Server and evaluate the components within that proxy repository. If violations are found, they’re summarized in your Repository Manager and detailed in IQ Server.
For example, in Nexus Repository Manager 3.x, the results of an audit are summarized in the IQ Policy Violations column of the Repositories view as shown in the image below.
Here, you’ll see (1) a count of components by their highest violation level, (2) a count of quarantined components, and (3) a link to Repository Results on IQ Server.
For more information, see our help docs on IQ Server and Repository Management.
Evaluate Scan Results in your CI Server
Nexus IQ Server can analyze the components used in your software development for security and license characteristics. When integrated with a continuous integration server, this analysis runs on a regular basis, potentially with each build that runs on the server.
The Nexus Platform Plugin for Jenkins scans a build workspace for components, creates a summary file about all the components found, and then submits that file to IQ Server for a detailed policy evaluation. A report is generated containing detailed analysis of security and license information, and a summary of that report is sent back to the Jenkins server to be included in the build results. The link to the detailed evaluation report can be followed from the Jenkins UI.
Sonatype also has integrations with other CI servers, like Bamboo, Azure DevOps and GitLab CI. All of our CI tools let you perform a full security and license analysis, backed by your Nexus IQ Server, of the artifacts produced by the configured build, and give you easy access to the application composition report.
For more information, please see our help documentation on Nexus and Continuous Integration.
Inspect Packages with the Chrome Extension
The Nexus IQ Chrome Extension lets you inspect a package before you download it. The extension requires a valid Sonatype Nexus Lifecycle license. Once it is installed in your Chrome browser, you can scan packages from several repositories like Maven, npm, NuGet, and PyPI, just to name a few.
With the Chrome Extension, you’ll have access to IQ Server data like component info (format, package, version), security (severity, source, threat category, reference details), licensing (declared and observed), and most importantly, remediation (version history, recommended version).
For more information, please see the Nexus IQ Chrome Extension project on GitHub.
Scan Projects with our Community Tools
OSS Index provides comprehensive ecosystem support and makes it easy to get started incorporating security data into your favorite toolchain and workflow thanks to a growing list of community integrations. The following open source scanning tools are officially supported by Sonatype, and can be used with or without a Lifecycle license:
- Nancy scans Golang projects for vulnerable third party dependencies.
- Chelsea is a CLI application written in Ruby, designed to allow you to scan your RubyGem powered projects and report on any vulnerabilities in your third party dependencies.
- Jake is a tool to check for vulnerabilities in your Conda environments, powered by Sonatype OSS Index, that can also be used with Sonatype’s Nexus IQ Server.
- Ahab checks for vulnerabilities in your apt or yum powered operating systems.
To learn more about how you can integrate open source vulnerability information across your development toolchain with pre-built tools and applications, see our OSS Index Integrations page.
As you can see, Sonatype provides many ways to add component intelligence to your development workflow. As a first step, we recommend setting up your IDE integration. This will let you view component information and recommended versions, and even migrate to a remediating version, all in the environment you are already using.
We have IDE integrations with IDEA, Eclipse, and Visual Studio. Please check out our IDE integration help docs to get started.
Talk to Us
Visit my.sonatype.com for all things Sonatype.