IntelliJ and Vulnerability Search with Nexus Lifecycle

In this episode of DevSecOps Delivered we walk through how to get immediate feedback from IntelliJ during an open source vulnerability search. We show how Nexus Lifecycle offers immediate remediation when a vulnerable component is found.

As we log in, we see, at the bottom left, Nexus IQ integration and also on the left, a software bill of materials, which can be sorted alphabetically or by policy violations.


Commons Collection as an Example

If we look at the Commons Collection package, as an example, we get rich metadata about the component. Looking at the right I can see this is version 3.2.1, and the GAV (Group, Artifact, Version) coordinates. I can also see information around licensing, its CVSS score (Common Vulnerability Scoring System), and see that it has a policy threat of 9, set by my company.

“Cataloged” indicates when the package was first catalogued; this one is 11 years old.

The “Match State: exact” indicates that the component is unchanged at the hash level, i.e. the binary hashes to a known release. (If developers have modified this component it would instead read “similar” or “unknown”.)
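To make the exact/similar/unknown distinction concrete, here is an added illustration (not Sonatype's matching algorithm and not code from the original post) of hash-level component identification: a whole-archive SHA-1 gives an exact match, a sufficient share of matching inner-entry hashes gives a similar match, and anything else is unknown. The GAV coordinates, class contents and the 50% similarity threshold are constructed for the example.

```python
import hashlib
import io
import zipfile

# Assumed threshold: share of a catalogued component's inner entries that must
# match before a modified archive is reported as "similar" rather than "unknown".
SIMILAR_THRESHOLD = 0.5


def build_archive(entries: dict) -> bytes:
    """Build a deterministic in-memory zip (a stand-in for a jar) from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(entries.items()):
            # Fixed timestamp so identical content always yields identical bytes.
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def entry_hashes(archive: bytes) -> set:
    """SHA-1 of every file inside the archive (directories skipped)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {sha1(zf.read(n)) for n in zf.namelist() if not n.endswith("/")}


def catalog_component(catalog: dict, gav: str, archive: bytes) -> None:
    """Record a known release by its archive hash and its inner-entry hashes."""
    catalog[gav] = {"archive_sha1": sha1(archive), "entry_sha1s": entry_hashes(archive)}


def match_state(catalog: dict, archive: bytes) -> tuple:
    """Return ("exact"|"similar"|"unknown", matched GAV or None)."""
    digest = sha1(archive)
    for gav, known in catalog.items():
        if known["archive_sha1"] == digest:
            return ("exact", gav)  # byte-identical to a catalogued release
    entries = entry_hashes(archive)
    best_gav, best_ratio = None, 0.0
    for gav, known in catalog.items():
        if not known["entry_sha1s"]:
            continue
        ratio = len(entries & known["entry_sha1s"]) / len(known["entry_sha1s"])
        if ratio > best_ratio:
            best_gav, best_ratio = gav, ratio
    if best_ratio >= SIMILAR_THRESHOLD:
        return ("similar", best_gav)  # partially modified copy of a known release
    return ("unknown", None)  # nothing in the catalog resembles it


def demo() -> dict:
    """Classify three constructed archives against a one-entry catalog."""
    catalog = {}
    # Constructed stand-in for an upstream release (hypothetical coordinates and bytes).
    upstream = build_archive({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "org/example/util/ListUtils.class": b"\xca\xfe\xba\xbe upstream ListUtils",
        "org/example/util/MapUtils.class": b"\xca\xfe\xba\xbe upstream MapUtils",
    })
    catalog_component(catalog, "org.example:example-utils:3.2.1", upstream)
    # Same release with one class locally patched: 2 of 3 entries still match.
    patched = build_archive({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "org/example/util/ListUtils.class": b"\xca\xfe\xba\xbe upstream ListUtils",
        "org/example/util/MapUtils.class": b"\xca\xfe\xba\xbe locally patched MapUtils",
    })
    # An in-house component that shares nothing with the catalog.
    proprietary = build_archive({"com/acme/Internal.class": b"\xca\xfe\xba\xbe acme"})
    return {
        "unchanged": match_state(catalog, upstream),
        "patched": match_state(catalog, patched),
        "proprietary": match_state(catalog, proprietary),
    }


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label}: {state}")
```

The "similar" verdict is the one worth acting on: a recompiled or patched copy still carries the original's vulnerable classes unless the fix touched them, so a policy evaluation should treat it with the same severity as the exact match until proven otherwise.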

“Information Source” can be “Sonatype” or “Manual”, the latter for when you claim proprietary components yourself.

“Category” is a taxonomy; in this example it is “Programming Language Utilities”, but you can also have logging frameworks, XML parsers, etc.

If I want to understand more about these details, I can go View > Details > Policy Violations > Security High > High Risk CVSS score of 9. (If you recall Heartbleed from a few years ago, it was only a “5” on the risk scale, so a nine is going to be even worse.)

“License Analysis: Liberal,” great, it is Apache-licensed.

Uncovering Security Issues

“Arbitrary Remote Code Execution” – now you’re speaking a language that I, the developer, understand.

What if I want to find out more?

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Stefania Chaplin.