In this episode of DevSecOps Delivered we walk through how to get immediate feedback from IntelliJ during an open source vulnerability search. We show how Nexus Lifecycle offers immediate remediation when a vulnerable component is found.
As we log in, we see the Nexus IQ integration at the bottom left and, also on the left, a software bill of materials that can be sorted alphabetically or by policy violations.
Commons Collection as an Example
If we look at the Commons Collection package as an example, we get rich metadata about the component. Looking at the right I can see this is version 3.2.1, along with the GAV (Group, Artifact, Version) information. I can also see information around licensing, its CVSS score (Common Vulnerability Scoring System), and that it has a policy threat of 9, set by my company.
“Cataloged” indicates this package is 11 years old.
“Match State: exact” indicates that the component is unchanged at the hash level, i.e. its digest matches the one Sonatype has catalogued for that artifact. (If developers have changed this component it would read “similar” or “unknown”.)
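To show what “unchanged at the hash level” means in practice, here is an added example (not code from Sonatype or from the original post) that builds a small jar in memory, records its digest in a constructed catalog keyed by GAV, and then reports whether a copy of the jar still matches. It only distinguishes an exact match from a modified or uncatalogued artifact; Sonatype's finer “similar” versus “unknown” classification is not reproduced.

```python
import hashlib
import io
import zipfile


def build_jar(entries: dict) -> bytes:
    """Build a minimal jar (a zip) in memory from {path: bytes}.
    ZipInfo defaults give a fixed timestamp, so output is deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(zipfile.ZipInfo(name), data)
    return buf.getvalue()


def sha1_hex(blob: bytes) -> str:
    return hashlib.sha1(blob).hexdigest()


# Constructed stand-in for the published artifact (not the real jar).
PRISTINE_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/commons/collections/Example.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x31",
})

# Constructed catalog: GAV -> digest of the published artifact, the kind of
# record an SBOM/IQ-style tool compares your local component against.
CATALOG = {
    "commons-collections:commons-collections:3.2.1": sha1_hex(PRISTINE_JAR),
}


def patched_jar() -> bytes:
    """A developer-modified copy: same GAV, one class body altered."""
    return build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "org/apache/commons/collections/Example.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32",
    })


def match_state(gav: str, jar_bytes: bytes, catalog: dict = CATALOG) -> str:
    """'exact' if the local jar's digest equals the catalogued digest for this GAV,
    'changed' if the GAV is known but the bytes differ, 'not-catalogued' otherwise."""
    known = catalog.get(gav)
    if known is None:
        return "not-catalogued"
    return "exact" if sha1_hex(jar_bytes) == known else "changed"
```

A component that reports anything other than “exact” deserves a closer look, because the catalogued vulnerability and license data no longer describe the bytes you are actually shipping.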
Information Source can be “Sonatype” or manual, for when you claim proprietary components.
“Category” is a taxonomy; in this example it is “Programming Language Utilities”, but you can also have logging frameworks, XML parsers, etc.
If I want to understand more about these details, I can go View > Details > Policy Violations > Security High > High Risk CVSS score of 9. (If you recall Heartbleed from a few years ago, it was only a “5” on the risk scale. So nine is going to be even worse.)
“License Analysis: Liberal,” great, it is Apache-licensed.
Uncovering Security Issues
“Arbitrary Remote Code Execution” – now you’re speaking a language that I, the developer, understand.
What if I want to find out more?
This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Stefania Chaplin. Read the original post at: https://blog.sonatype.com/intellij-vulnerability-search-nexus-iq-server-nexus-lifecycle