Hosted Repository Analysis

Hosted repository analysis provides a way to analyze your built applications without modifying the build systems. Using hosted repository analysis, security teams can measure and mitigate risks in an artifact staging workflow before promoting artifacts to production repositories.

Requirements

  • Sonatype License for Lifecycle and Nexus Repository

  • Nexus Repository 3.64+

  • Connect Lifecycle to Nexus Repository

  • Enable feature flag for hosted repository scanning on Nexus Repository (requires restart)

Limitations

  • Functionality is limited to scanning the Maven2 format for hosted repositories.

  • Implementation is performed through the API

Configuration

To use the feature you will need to enable the feature flag for Nexus Repository shown below and connect Lifecycle to the Repository. Refer to Connecting IQ Server for details.

Enable the feature flag for Nexus Repository

Add the feature flag to nexus.properties. The default location of the file is:

../sonatype-work/nexus3/etc/nexus.properties

Add the following flag to enable the feature:

nexus.app.scan.enabled=true

Restart your Nexus Repository server for the configuration change to take effect.

Lifecycle parameters

The API calls on this page will require either an organizationId for new applications or an existing applicationId. You can locate the organizationId from the Lifecycle UI or by calling the Organization REST API. The applicationId can be found in the Lifecycle UI or by calling the Application REST API.

Evaluate an artifact within a hosted repository

Target specific artifacts inside the hosted repository for a Lifecycle analysis. When an organizationId is supplied, this endpoint automatically adds the application to the Lifecycle organization if it is not already present.

Example for automatically created application name

For an artifact under /maven-hosted/org/slf4j/slf4j-api/ in the repository, the automatically created application name will be org-slf4j-slf4j-api.

POST /service/rest/v1/scan/execute/{repositoryName}/{path}

The above command requires a request body. Review the Lifecycle parameters section for the organization or application IDs.

The optional iqStageTypeId defaults to the build stage.

{
  "iqOrganizationId": "string",
  "iqApplicationId": "string",
  "iqStageTypeId": "string"
}

Example curl command

The curl commands should be run against the Nexus Repository instance that hosts the repository and artifact to be scanned.

curl -X POST -u <username>:<password> \
  "<host>/service/rest/v1/scan/execute/{repositoryName}/{path}" \
  -H "Content-Type: application/json" \
  -d "{\"iqOrganizationId\": \"a5c56d00972e41188601c02700ced17c\", \"iqStageTypeId\": \"release\"}"

Example response

{
  "scanId": "b163b59b1f36425099ad91a18f353d3b",
  "reportUrl": "ui/links/application/commons-fileupload-commons-fileupload/report/b163b59b1f36425099ad91a18f353d3b"
}

If multiple versions of an artifact are found under the scan path target, the one with the highest version number (not the most recently uploaded version) is retrieved and scanned.

Configure monitoring on an artifact's namespace

Hosted repository analysis may be configured to monitor an artifact's namespace for new versions of an artifact and run an analysis of any new artifacts with higher version numbers submitted to the hosted repository. The new version and scan will replace the latest Lifecycle report for that application if one exists already.

PUT Configuration

The PUT request configures monitoring of the namespace (path). No artifact is analyzed until a new artifact has been uploaded to the namespace, and only artifacts with version numbers higher than the previously scanned version are analyzed.

POST /service/rest/v1/scan/configure/{repositoryName}/{path}

The above command requires a request body. Review the Lifecycle parameters section for the organization or application IDs. If scanTargetRegex and scanTriggerRegexes are omitted, every artifact is analyzed, including javadoc and sources archives.

{
  "iqOrganizationId": "string",
  "iqApplicationId": "string",
  "iqStageTypeId": "release",
  "scanTargetRegex": "^.*war$",
  "scanTriggerRegexes": [
      "^.*jar$",
      "^.*zip$"
  ]
}
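To make the execute and configure request bodies above concrete, here is an added Python helper (not Sonatype's code). It derives the auto-created application name from a namespace path, builds the execute body (leaving iqStageTypeId out so the build-stage default applies), and dry-runs a configure body's scanTargetRegex and scanTriggerRegexes against file names so you can see what a namespace configuration would match before applying it. The endpoint path and organizationId come from this page; the sample file names are constructed.

```python
import re
from typing import Optional


def application_name(path: str) -> str:
    """Auto-created Lifecycle application name for a namespace path:
    'org/slf4j/slf4j-api' -> 'org-slf4j-slf4j-api' (slashes become dashes)."""
    return "-".join(seg for seg in path.strip("/").split("/") if seg)


def execute_request(repo: str, path: str, org_id: Optional[str] = None,
                    app_id: Optional[str] = None, stage: Optional[str] = None):
    """Build (url_path, body) for POST .../scan/execute/{repositoryName}/{path}.
    Exactly one of org_id / app_id is required; iqStageTypeId is left out when
    stage is None so the server default (build stage) applies."""
    if bool(org_id) == bool(app_id):
        raise ValueError("pass exactly one of org_id or app_id")
    body = {"iqOrganizationId": org_id} if org_id else {"iqApplicationId": app_id}
    if stage:
        body["iqStageTypeId"] = stage
    url = f"/service/rest/v1/scan/execute/{repo}/{path.strip('/')}"
    return url, body


def preview_configuration(files, target_regex=None, trigger_regexes=()):
    """Dry-run a scan/configure body against file names in a namespace: returns
    (files matching scanTargetRegex, files matching any scanTriggerRegexes).
    With neither set everything matches, including -sources and -javadoc jars."""
    target = re.compile(target_regex) if target_regex else None
    triggers = [re.compile(r) for r in trigger_regexes]
    targets = [f for f in files if target is None or target.match(f)]
    triggered = [f for f in files if not triggers or any(t.match(f) for t in triggers)]
    return targets, triggered


if __name__ == "__main__":
    # Constructed sample file names, not taken from a real repository.
    sample = ["slf4j-api-2.0.9.jar", "slf4j-api-2.0.9-sources.jar",
              "slf4j-api-2.0.9-javadoc.jar", "slf4j-api-2.0.9.pom",
              "app-1.0.war", "bundle-1.0.zip"]
    print(application_name("org/slf4j/slf4j-api"))
    print(execute_request("maven-hosted", "org/slf4j/slf4j-api",
                          org_id="a5c56d00972e41188601c02700ced17c", stage="release"))
    print(preview_configuration(sample, "^.*war$", ["^.*jar$", "^.*zip$"]))
    print(preview_configuration(sample))  # no regexes: everything is analyzed
```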

GET Configuration

The GET request for this endpoint returns all namespace configurations for the repository.

GET /service/rest/v1/scan/configure/{repositoryName}

DELETE Configuration

The DELETE request is used to remove the configuration for a specific artifact. I'm not sure if it will work at the repository level only.

DELETE /service/rest/v1/scan/configure/{repositoryName}/{path}