Comprehensive Guide to Lifecycle Scanning

IQ Server | Reading time: 16 minutes


NOTE: We update this guide as more languages are added to the Nexus IQ Server. Please check back often for updates.

Overview

This guide helps Sonatype customers evaluate their applications and deliver timely component intelligence to their developers throughout the software development lifecycle (SDLC). Part of this requires a high-level understanding of our integration points and our data analysis process so you can get the most value from scanning at the optimum point. We’ll take a comprehensive look at Sonatype’s supported languages to understand where we can scan an application throughout the SDLC, and use this information to deliver the most value to developers.

IQ Server Data Analysis

The Nexus IQ Server uses data derived from our automated vulnerability detection system — basically a big funnel of sources (NVD, GitHub commits, OSS Index, Sonatype research, etc.) that is processed with automated techniques such as data filtering, aggregation, and machine learning algorithms.

You’ll notice that some package managers listed in this guide have security, license, and identity data, while others have security-only data. License data includes OSS licenses identified in the package manifest, and in the case of Java, found within the package itself. Identity refers to component details such as recommendations, version graph, or catalogued data pulled from the package manager repository. We differentiate these ecosystems as having either Premium or Standard data capabilities.

Premium Capabilities

For ecosystems with security, license, and identity data, Sonatype researchers triage incoming data and determine if there is a vulnerability, creating a research ticket for further investigation when necessary. Tickets are prioritized and then entered into our human-curated research process. When research is complete, it goes into our data mart which feeds Sonatype Data Services. Data from the Sonatype Data Services is what you’ll then see in the IQ Server Dashboard and Application Composition report after an application scan.

Figure 1: Sonatype Data Flow

Standard Capabilities

For ecosystems with security-only data, we use an analysis that identifies only those components that have a security vulnerability — which doesn’t include in-depth research or license and identity data. Although you will not see license and identity information, you will still gain visibility, IQ Server Dashboard access, and security policy information via the Application Composition Report.

For more information, please see our guide on Understanding Sonatype Vulnerability Data.

IQ Server Integrations

There are several methods for integrating Nexus IQ Server into your software development lifecycle. We won’t go over all of them here, but we will highlight a few options. For further information on any of these topics, please see our IQ Server for Developers guide.

Command Line Interface

The most unobtrusive and tool-agnostic approach is to use the command line version of the Application Evaluation Tool, commonly referred to as the Nexus IQ CLI. Any application can be evaluated against your policies using the CLI, for example by adding a build step in your CI server or by running a simple shell script while your application is built.

For more information on the CLI, please see our help topics on the Nexus IQ CLI.

Continuous Integration Plugins

Nexus IQ Server analyzes components used in your software development for security and license characteristics. When integrated with a continuous integration server, this becomes a dynamic analysis performed on a regular basis—occurring potentially with each build running on the server.

Maven

Our Maven plugin lets you evaluate any Maven-based software project. The plugin can run on a command line interface and can therefore be executed on any continuous integration server, as well as a number of popular IDEs.

For more information, see our IQ for Maven help topic.

Jenkins

The Nexus Platform Plugin for Jenkins integrates via Jenkins Pipeline or Project steps with Sonatype Nexus IQ Server. You can use the plugin to perform an IQ Server policy evaluation against files in a Jenkins workspace.

For more information, see our Jenkins Platform Plugin help topic.

Azure DevOps

The Nexus IQ Extension for Azure DevOps places open source governance policies within the CI phase. As a new step within your build, applications are scanned by Nexus IQ to identify any open source security, license, or quality policy violations. When the scan is complete, results are displayed within Azure DevOps with a link to the Nexus Lifecycle policy report that contains violation details and expert remediation guidance.

For more information, please see our Nexus IQ for Azure DevOps help topic.

GitLab CI

The GitLab Nexus IQ Docker image provides the ability to run Nexus policy evaluation against build artifacts in GitLab and produce a summary report with policy violation counts and a link to a detailed report on the IQ Server. In addition, Nexus IQ for GitLab can assist with remediation of identified vulnerabilities using the IQ for Source Control Management features.

For more information, please see our Nexus IQ for GitLab CI help topic.

Bamboo

The Bamboo plugin lets you evaluate applications with the IQ Server and provides a summary of the results on the Job Summary page. In addition to violation counts per category, a status for the success of the evaluation is provided, as well as a link to the summary report located on your IQ Server.

For more information, see our Nexus IQ for Bamboo help topic.

Nexus Repository Manager

The integration between Nexus Repository Manager and IQ Server provides access to detailed Repository Results identifying components that represent potential risk to the components and applications your teams are developing.

IQ for Nexus Repository Manager allows you to integrate IQ Server’s policy management and component intelligence features with proxy repositories in Nexus Repository Manager Pro. By proxying external repositories, as well as providing a deployment target for internal components, a repository manager becomes the central and authoritative storage platform for all components. This allows you to control which components get into your products from external sources as well as examine, and keep track of, artifacts produced by your build systems.

For more information, please see our IQ Server and Repository Management help topic.

IDEs & Dev Tools

Nexus IQ Server integrations for Integrated Development Environments (IDEs) provide development teams with direct access to Sonatype’s comprehensive component intelligence. Developers can quickly vet components used in an application against their organization’s open source policies, greatly reducing time wasted with complicated and exhaustive research.

Eclipse

The Sonatype Eclipse plugin lets you analyze components used by your software development project and take action to resolve any issues you discover. For more information, please see our Eclipse help documentation.

Visual Studio

IQ for Visual Studio provides component analysis for the Community, Professional and Enterprise versions of Visual Studio. The plugin can be installed from within Visual Studio using the Extensions manager or via the Microsoft Visual Studio Marketplace. For more information, see our Visual Studio help topic.

IDEA

IQ for IDEA provides component analysis for both the Community and Ultimate editions of IntelliJ IDEA. For more information, go to our IDEA help topic.

DepShield

Sonatype DepShield is a GitHub App used by developers to identify and remediate vulnerabilities in their open source dependencies. DepShield continuously monitors projects and auto-creates issues for security vulnerabilities, and is currently available for Apache Maven and Node.js npm projects. For more information, please see DepShield help on GitHub.

Community Tools & Applications

OSS Index is an open source community service that aggregates security data from trusted sources like the Common Vulnerabilities and Exposures (CVE) list.

OSS Index provides comprehensive ecosystem support, and makes it easy to get started incorporating security data into your favorite toolchain and workflow thanks to a growing list of community integrations. The following open source scanning tools are officially supported by Sonatype, and can be used with or without a Lifecycle license:

  • Nancy scans Golang projects for vulnerable third-party dependencies.
  • Chelsea is a CLI application that scans RubyGem projects for vulnerable third-party dependencies.
  • Jake scans Python and Conda environments for vulnerable third-party dependencies.
  • AuditJS scans JavaScript projects for vulnerable third-party dependencies.
  • The Nexus IQ Chrome Extension lets you inspect a package before you download it. The plugin requires a valid Sonatype Nexus Lifecycle license. Once installed, it can scan packages from multiple repositories.

Running Scans

For each language / ecosystem, we’ll provide a table that shows available package managers, scan targets, available scan tools, and what data you’ll see. In addition, there are tips listed below the table that provide best practices we’ve compiled working with customers. This information will help you analyze your applications as they’re being built, view an accurate bill of materials, and deliver better value to developers. You’ll notice that some package managers listed have security, license, and identity (Premium) data, while others have security-only (Standard) data.

Java

Package Manager: Maven
Scan Target(s): Packaged archives (.ear/.war) and .jar
How to Scan: Maven plugin; IQ CLI; Gradle Plugin; IQ Server UI; CI plugins (not compatible with Uber (shaded) jars)
Available Data: Security, License, Identity

Package Manager: Conda
Scan Target(s): conda.txt
How to Scan: IQ CLI (from version 88); IQ Server UI (from version 88)
Available Data: Security

Tips

  • Use the post-build artifact as the target (what you are planning to deploy). You can run the normal build and add a post build step before you deploy to the repository.
  • A scan will pick up all dependencies packaged into that file (unless it’s an uber jar).
  • To scan an Uber/Shaded jar, the easiest integration is at build time:
    • If you are building with Maven, use the Maven plugin, which is downloaded when invoked. The index goal produced with the Maven plugin can generate a dependency index of direct and transitive dependencies referenced in the project POM. The generated module.xml file contains information that’s incorporated into the IQ Server evaluation. The final scan in the CI tools uses components in the .m2 cache for fingerprinting to enforce accuracy of what is ultimately in your project.
    • If you do not wish to integrate an evaluation at build time, the Maven copy-dependencies command can be used: mvn dependency:copy-dependencies. This copies the dependencies of your project to a separate directory, which can then be scanned via the CLI.
  • For more information, please see our help documentation on Sonatype for Maven and Conda Application Analysis.

.NET

Package Manager: Nuget
Scan Target(s): .nupkg files (produced by nuget restore -OutputDirectory packages or dotnet restore --packages packages); .csproj; packages.config
How to Scan: Visual Studio Plugin; IQ CLI; CI plugins; IQ Server UI
Available Data: Security, License, Identity

Package Manager: pecoff (PE/COFF binaries)
Scan Target(s): .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp
How to Scan: Visual Studio Plugin; IQ CLI; CI plugins; IQ Server UI
Available Data: Security, License, Identity

Tips

  • Both binaries and manifest files are supported as scan targets. When binaries are present in the scan target, the scan defaults to them.
  • Scanning the deployment artifact (usually a zip file) is useful at the release stage to catch anything not brought in directly through Nuget.
  • Using the dotnet restore --packages packages command will result in the most data, but may be noisy, as it will include more versions than are actually deployed in the application.
  • Isolated .dlls will not report license data, as a .dll could have multiple packages and licenses associated with it. Licenses will depend on which parent components are installed.
  • Creating an SBOM through the CycloneDX/cyclonedx-nuget project is also supported, but it will not report any other languages found in the codebase.

JavaScript

Package Manager: NPM
Scan Target(s): npm-shrinkwrap.json; package-lock.json; package.json; .js/.ts
How to Scan: IQ Server UI (from release 76); IQ CLI (from release 76); Maven plugin (from version 2.15.0-01); Nexus IQ for Bamboo (from version 1.14.2-01); Nexus Platform Plugin for Jenkins (from version 3.8.20191127-111424.5d61f82)
Available Data: Security, License, Identity

Package Manager: Conda
Scan Target(s): conda.txt
How to Scan: IQ CLI (from release 88)
Available Data: Security

Tips

  • For detailed information on scanning JavaScript, please see our Scanning JavaScript guide and our help documentation on NPM Application Analysis.
  • AuditJS is an open source scanning tool that scans JavaScript projects for vulnerable third-party dependencies.
  • For best results, scan the lock file along with the package.json files installed with each dependency in node_modules, in addition to your JavaScript application files.
  • For Node projects, run npm install --production to exclude the dev dependencies listed in package.json.

Python

Package Manager: PyPI
Scan Target(s): requirements.txt; .whl; poetry.lock
How to Scan: IQ Server UI (from release 58); IQ CLI (from release 58); Maven plugin (from version 2.10.0); Nexus IQ for Bamboo (from version 1.10.0); Nexus Platform Plugin for Jenkins (from version 3.4.20190116-104331.e820fec)
Available Data: Security, License, Identity

Package Manager: Conda
Scan Target(s): conda.txt
How to Scan: IQ CLI (from release 76)
Available Data: Security

Tips

  • [Embedded media: Overview of scanning Python in the CLI]
  • Use pip freeze to create the requirements file. Additional flags should be added to requirements.txt files to scope them to the target OS/architecture; see Environment markers.
  • The requirements.txt must use the == operator, and only versions without wildcards will be considered. .whl files may be matched to multiple environmental Python packages, which show as duplicates in the scan report.
  • In addition to the options listed above, Jake is an open source scanning tool that scans Python & Conda environments for vulnerable third-party dependencies.
  • For more information, please see our Python help documentation and documentation on Conda Application Analysis.
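The following is an added example (not Sonatype code) that applies the pinning rule from the tips above to a constructed requirements.txt before a scan: only lines pinned with == and a wildcard-free version are reported as considered, and everything else is listed with a reason so it can be fixed first. The function names and the sample file are the example's own.

```python
"""Pre-flight check of a requirements.txt before an IQ CLI scan.

Rule applied (from the tips): a line is considered only when it uses ==
and the version has no wildcard. Environment markers after ';' are kept
with the pin, since they scope the requirement to the target OS/arch.
"""
import re

# Constructed sample: what `pip freeze` plus a few hand edits might produce.
SAMPLE_REQUIREMENTS = """\
# generated by pip freeze, then edited
requests==2.25.1
urllib3==1.26.5 ; python_version >= "3.6"
pywin32==306 ; sys_platform == "win32"
numpy>=1.21
Django~=3.2
pillow==8.*
-e git+https://example.invalid/repo.git#egg=internal_lib
flask == 2.0.1
"""

# name, '==', version (no whitespace or ';'), optional environment marker
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)\s*(?:;\s*(.*))?$"
)


def classify_requirements(text):
    """Split requirement lines into those the scan considers and those it skips.

    Returns (considered, skipped): considered holds (name, version, marker)
    tuples, skipped holds (line, reason) tuples.
    """
    considered, skipped = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            reason = ("editable/VCS reference" if line.startswith("-e")
                      else "not pinned with ==")
            skipped.append((line, reason))
            continue
        name, version, marker = m.group(1), m.group(2), m.group(3)
        if "*" in version:
            skipped.append((line, "wildcard version"))
            continue
        considered.append((name, version, marker))
    return considered, skipped


if __name__ == "__main__":
    ok, bad = classify_requirements(SAMPLE_REQUIREMENTS)
    for name, version, marker in ok:
        suffix = f" ; {marker}" if marker else ""
        print(f"scan will consider: {name}=={version}{suffix}")
    for line, reason in bad:
        print(f"fix before scanning: {line!r} ({reason})")
```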

Go

Package Manager: Go Modules
Scan Target(s): Versioned packages in the go.sum file; go.list files
How to Scan: IQ CLI; IQ Server UI; Jenkins; Bamboo; Maven
Available Data: Security, License, Identity

Tips

  • In addition to the options listed above, Nancy is an open source scanning tool that scans Golang projects for vulnerable third-party dependencies. Nancy uses data from OSS Index free for anyone and data from Nexus Lifecycle for Sonatype customers.
  • Go coordinate-based matching provides the ability to scan and evaluate Go module dependencies found in the go.sum file.
  • We recommend maintaining the go.sum file properly. This ensures better matching results when scanning a Go module project.
  • To run a scan in the CLI, scan the directory or subdirectories containing go.sum or go.list files.
  • Unversioned packages referenced directly by commit hash are listed as component-unknown.
  • For more information, please see our help documentation on Go Application Analysis.
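An added example (not Sonatype or Go project code) that inventories what a scan will read from a constructed go.sum: it collapses the per-version and per-go.mod hash lines to unique module@version pairs and flags pseudo-versions (vX.Y.Z-timestamp-commit), the form Go records when a dependency is taken from a commit rather than a tagged release. Which of these the scan actually reports as component-unknown is for the scan report to say; the flag only marks candidates to review. The checksums in the sample are placeholders.

```python
"""Inventory unique module versions from go.sum and flag commit pseudo-versions."""
import re

# Constructed go.sum excerpt; "h1:PLACEHOLDER=" stands in for real checksums.
SAMPLE_GO_SUM = """\
github.com/gorilla/mux v1.8.0 h1:PLACEHOLDER=
github.com/gorilla/mux v1.8.0/go.mod h1:PLACEHOLDER=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:PLACEHOLDER=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:PLACEHOLDER=
github.com/docker/docker v20.10.7+incompatible h1:PLACEHOLDER=
"""

# Go pseudo-version suffix: 14-digit UTC timestamp then 12 hex chars of commit
PSEUDO_VERSION_RE = re.compile(r"-\d{14}-[0-9a-f]{12}$")


def parse_go_sum(text):
    """Return a sorted list of (module, version, from_commit) for unique entries.

    from_commit is True when the version is a pseudo-version derived from a
    commit hash instead of a tagged release.
    """
    seen = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        module, version = parts[0], parts[1]
        if version.endswith("/go.mod"):
            version = version[: -len("/go.mod")]  # go.mod hash of the same version
        base = version
        if base.endswith("+incompatible"):
            base = base[: -len("+incompatible")]
        seen[(module, version)] = bool(PSEUDO_VERSION_RE.search(base))
    return sorted((m, v, c) for (m, v), c in seen.items())


def commit_pinned_modules(text):
    """(module, version) pairs pinned to a commit rather than a release tag."""
    return [(m, v) for m, v, from_commit in parse_go_sum(text) if from_commit]


if __name__ == "__main__":
    for module, version, from_commit in parse_go_sum(SAMPLE_GO_SUM):
        note = "  <- commit pseudo-version, review identity" if from_commit else ""
        print(f"{module}@{version}{note}")
```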

Ruby

Package Manager: RubyGems
Scan Target(s): Gemfile.lock; .gem files (bundle package --no-install puts .gem files into ./vendor/cache)
How to Scan: IQ CLI (from version 86); Jenkins (from version 3.8.20200310-130318.c482b58); Bamboo (from version 1.15.1-01); IQ Server UI (from version 86)
Available Data: Security, License, Identity

Tips

  • In addition to the options listed above, Chelsea is an open source scanning tool that scans Ruby-powered projects for vulnerable third-party dependencies. Chelsea uses data from OSS Index free for anyone and data from Nexus Lifecycle for Sonatype customers.
  • Invoke a CLI scan of a directory or subdirectories containing a Gemfile.lock file.
  • For more information, please see our help docs on Ruby Application Analysis.

YUM

Package Manager: rpm
Scan Target(s): yum-packages.txt
How to Scan: IQ CLI (from version 91); Jenkins (from version TBD); Bamboo (from version TBD); IQ Server UI (from version 91)
Available Data: Security, License, Identity

Tips

  • Invoke a CLI scan of a directory or subdirectories containing a yum-packages.txt file.
  • For more information, please see our help docs on YUM Package Analysis.

PHP

Package Manager: Composer
Scan Target(s): composer.lock
How to Scan: IQ CLI (from version 86); Jenkins (from version 3.8.20200310-130318.c482b58); Bamboo (from version 1.15.1-01); IQ Server UI (from version 86)
Available Data: Security

Tips

  • Invoke a CLI scan of a directory or subdirectories containing a composer.lock file.
  • For more information, please see our help docs on PHP Application Analysis.

C / C++

Package Manager: Conan
Scan Target(s): conanfile.txt
How to Scan: IQ CLI (from version 86); Jenkins (from version 3.8.20200310-130318.c482b58); Bamboo (from version 1.15.1-01); IQ Server UI (from version 86)
Available Data: Security

Package Manager: Conda
Scan Target(s): conda.txt
How to Scan: IQ CLI (from version 86); Jenkins (from version 3.8.20200310-130318.c482b58); Bamboo (from version 1.15.1-01); IQ Server UI (from version 86)
Available Data: Security

Tips

Alpine

Package Manager: Alpine
Scan Target(s): alpine.txt
How to Scan: IQ CLI (from version 90); IQ Server UI (from version 90)
Available Data: Security

Tips

  • Invoke a CLI scan of a directory or subdirectories containing an alpine.txt file.
  • For more information, please see our help docs on Alpine Package Analysis.

Rust

Package Manager: Cargo
Scan Target(s): cargo.lock
How to Scan: IQ CLI (from version 89); IQ Server UI (from version 89)
Available Data: Security

Tips

  • Invoke a CLI scan of a directory or subdirectories containing a cargo.lock file.
  • For more information, please see our help docs on Rust Application Analysis.

Swift/Objective-C

Package Manager: Cocoapods
Scan Target(s): Podfile.lock
How to Scan: IQ CLI (from version 88); IQ Server UI (from version 88)
Available Data: Security

Tips

R (CRAN)

Package Manager: Cran
Scan Target(s): cran-installed.packages
How to Scan: IQ CLI (from version 89); IQ Server UI (from version 89)
Available Data: Security

Tips

  • Invoke a CLI scan of a directory or subdirectories containing a cran-installed.packages file.
  • For more information, please see our help docs on R (CRAN) Application Analysis.

Debian/Ubuntu

Package Manager: Debian
Scan Target(s): debian-packages.txt
How to Scan: IQ CLI (from version 90); IQ Server UI (from version 90)
Available Data: Security

Tips

  • Invoke a CLI scan of a directory or subdirectories containing a debian-packages.txt file.
  • For more information, please see our help docs on Debian Package Analysis.

Drupal

Package Manager: Drupal
Scan Target(s): drupal-components.csv
How to Scan: IQ CLI (from version 90); IQ Server UI (from version 90)
Available Data: Security

Tips

  • Invoke a CLI scan of a directory or subdirectories containing a drupal-components.csv file (a comma-separated list of Drupal extensions).
  • For more information, please see our help docs on Drupal Application Analysis.

Android

Scan Target(s): jar, war, ear, tar.gz, zip, tgz, bz2
How to Scan: IQ CLI; IQ Server UI; Maven plugin
Available Data: Security, License, Identity

Tips

  • We do not support scanning an .apk directly, due to the minification performed by the Dalvik bytecode process. For this reason, scanning prior to assembling the .apk is required.
  • Scanning an APK directly is not supported: compilers convert the source code into DEX (Dalvik Executable) files.
  • Maven build: use the Maven plugin.
  • Gradle build: copy the dependencies to a folder (as with Maven's copy-dependencies step), then scan that folder using the CLI.

Docker

Scan Target(s): .tar
How to Scan: IQ CLI; IQ Server UI; CI plugins
Available Data: Security, License, Identity

Tips

  • Nexus Lifecycle scans the application layer of your containers, and provides precise component intelligence for Java, JavaScript, Nuget, and Python.
  • To scan a Docker image, you need to first save it as a .tar file, and then run a scan in the CLI or as a build step using a CI plugin.
  • For more information, please see our Containers in IQ Server guide.

Clair

Scan Target(s): clair-scanner-output.json
How to Scan: IQ CLI (from version 77); Jenkins (from version 3.8.20191127-111424.5D61F82); Bamboo (from version 1.14.3); IQ Server UI (from version 77)
Available Data: Security, License, and Identity

Tips

  • Create the clair-scanner-output.json by running the Clair scanner.
  • Then, invoke a CLI scan of the directory containing clair-scanner-output.json.
  • For more information, please see our help documentation on Clair Application Analysis.

CycloneDX

Scan Target(s): cyclonedx-bom.xml
How to Scan: IQ CLI (from version 77); Jenkins (from version 3.8.20191127-111424.5D61F82); Bamboo (from version 1.14.2); IQ Server UI (from version 77)
Available Data: Security, License, and Identity

Tips

  • For detailed instructions on CycloneDX schema, please refer to the CycloneDX scanner documentation.
  • When a component is specified using its Package URL (the <purl> tag), IQ Server will try to match it against its own data and find all available information about it.
  • If no Package URL is specified, a component can also be specified using its coordinates, and IQ Server will attempt to apply policies based on this identity.
    • <name>: mandatory when using coordinates
    • <version>: mandatory when using coordinates
  • In addition to identity data, each component can also include vulnerability data.
  • A component can have one or many licenses, and IQ server will try to apply existing policies on licenses for this data.
  • For more information, please see our CycloneDX Application Analysis help documentation.
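An added example (not Sonatype or CycloneDX project code) that audits a constructed cyclonedx-bom.xml against the identity rules in the tips above: a component is matched by <purl> when present, otherwise both <name> and <version> are required, and any license ids are collected since policy is also applied to them. The BOM uses the CycloneDX 1.1 namespace; the function names are the example's own.

```python
"""Audit the identity and license data in a CycloneDX BOM before submitting it."""
import xml.etree.ElementTree as ET

NS = {"bom": "http://cyclonedx.org/schema/bom/1.1"}

# Constructed BOM: one purl-identified component, one identified by
# coordinates only, and one that is missing its version.
SAMPLE_BOM = """\
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
  <components>
    <component type="library">
      <name>commons-io</name>
      <version>2.6</version>
      <licenses><license><id>Apache-2.0</id></license></licenses>
      <purl>pkg:maven/commons-io/commons-io@2.6</purl>
    </component>
    <component type="library">
      <name>lodash</name>
      <version>4.17.20</version>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
    <component type="library">
      <name>mystery-lib</name>
    </component>
  </components>
</bom>
"""


def _text(component, tag):
    """Stripped text of a direct child element, or None when absent/empty."""
    node = component.find(f"bom:{tag}", NS)
    return node.text.strip() if node is not None and node.text else None


def audit_bom(xml_text):
    """Return one dict per component describing how the server can identify it.

    identity is "purl", "coordinates", or None when the component cannot be
    matched (no purl and name or version missing).
    """
    root = ET.fromstring(xml_text)
    report = []
    for comp in root.findall("bom:components/bom:component", NS):
        purl = _text(comp, "purl")
        name, version = _text(comp, "name"), _text(comp, "version")
        if purl:
            identity = "purl"
        elif name and version:
            identity = "coordinates"
        else:
            identity = None
        licenses = [lic.text.strip()
                    for lic in comp.findall("bom:licenses/bom:license/bom:id", NS)
                    if lic.text]
        report.append({"name": name, "version": version, "purl": purl,
                       "identity": identity, "licenses": licenses})
    return report


def unmatchable_components(xml_text):
    """Names of components the server will not be able to identify."""
    return [c["name"] for c in audit_bom(xml_text) if c["identity"] is None]


if __name__ == "__main__":
    for c in audit_bom(SAMPLE_BOM):
        print(f"{c['name']} {c['version'] or '?'}: identity={c['identity']} "
              f"licenses={c['licenses']}")
```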

Talk to Us

Have more questions or comments? Learn more at help.sonatype.com, join us in the Sonatype Community, and view our course catalog at learn.sonatype.com.

And visit my.sonatype.com for all things Sonatype.