This guide can help you get IQ Server up and running for the purpose of trying out the associated Nexus Lifecycle functionality before installing it in your development environment. It should take approximately 15 minutes to complete using sample policies and applications.
Nexus Lifecycle requires a license in order to experience the functionality described in this guide. If you are looking to try or purchase Nexus Lifecycle, schedule a demo or contact us, and we’ll be happy to assist.
Installing IQ Server is a matter of downloading the archived server, picking a location, and unpacking the contents. Since we won’t be focused on mimicking a production experience, most laptop and desktop configurations should run IQ Server with no problem. If you are looking to plan for the future, be sure to review the Installation Requirements.
Once you’ve extracted the contents, follow the steps below to run IQ Server:
nexus-iq-server bundle directory in your installation directory e.g.
lic) and click Open.
IQ Server needs access to an external data service to perform evaluations, which may be blocked in your internal environment. For a workaround, see Running IQ Server Behind a HTTP Proxy Server in IQ Server Configuration.
Policy is at the core of IQ Server’s automation capabilities. This is true for both Nexus Firewall and Nexus Lifecycle. While you can create a completely custom set of policies, importing the Sonatype Sample Policy set is the quickest way to get started. This set includes multiple policies for triggering violations on security vulnerabilities, licensing issues, architecture issues, and more.
.json file you downloaded, and click Open.
When evaluating applications, understanding IQ Server’s system hierarchy is critical: Root Organization, organization, and application. Policies and other configuration items are inherited from the Root Organization on down, which makes policy management easier, especially when you have multiple organizations and applications. Thus, in order to evaluate an application, you must have at least one organization and a corresponding application.
Creating an organization
Creating an application
After you install, start, and configure IQ Server, you are ready to evaluate applications. If you need a sample application, you can download WebGoat (webgoat-container-x.x.x-war-exec.jar) at https://github.com/WebGoat/WebGoat/releases.
To evaluate an application:
Once evaluated, the results of a binary evaluation are displayed in the Application Composition Report, which you can always access by clicking the Reporting icon on the IQ Server toolbar.
The report’s information is divided into four tabs:
For a more thorough explanation of the report, see Application Composition Report.
In the Application Composition Report, you can drill down to learn specific details about a violation. In every tab (except the Summary tab), you can click an individual component to open the Component Information Panel (CIP). The CIP displays many details, which are divided into different sections or tabs. To get you started using the CIP, take a look at these sections:
This is just a small sample of the component information available in the CIP. For a complete discussion of the CIP, see Component Information Panel.