Repository Health Check
Repository Health Check (RHC) lets Sonatype Nexus Repository users identify the risks of using the open-source components currently found in their proxy repositories. Limiting the impact of open-source risk at the earliest stages is key to reducing rework and protecting your DevOps pipeline from bad actors. RHC provides:
Open-source components with security vulnerabilities ranked by severity.
License warnings per component categorized by their obligations to the organization.
A detailed report identifying specific artifacts, the threats associated with them, and when they were downloaded.
RHC can analyze components in the following formats:
Maven, npm, NuGet, PyPI, RubyGems, Yum
Configuring Repository Health Check
To use Repository Health Check, sign in as an administrator to the Nexus Repository instance.
Navigate to the Repositories view under the Administration menu.
Observe the column labeled Health Check. The Analyze button displays when RHC is not enabled. Two icons with numbers are displayed when RHC is configured:
Shield - the number of security vulnerabilities identified
Ribbon - the number of license warnings identified
Select the Analyze button to enable RHC on a repository. A dialog box offers the option to enable RHC on all supported repositories or only on the one you selected. Select Yes, all repositories or Yes, only this repository accordingly, or No to cancel.
An analyzing status appears as the scan begins. The initial scan takes some time, and the resulting report is blank at first. Enabling RHC creates and schedules the following task for each repository with RHC enabled:
System - Repository Health Check
The task is scheduled to run once an hour, but it only generates a new report once every 24 hours. Running the task manually does not update the report before then.
Hovering over the Health Check column entry shows the summary report once the scan completes. New repositories without proxied components show a blank table; the summary fills out gradually as users download components through the proxy, so it only ever covers components that have actually been cached.
Repository Health Check Summary Report
Nexus Repository Community users see the following summary report after the analysis of the repository is complete. Nexus Repository Pro users can additionally open a detailed report of the open-source components with security and license concerns.
This summary report displays the following information:
Donut chart - the components identified by the analysis
FOR - the repository the report covers
ON - the timestamp of when the report ran
AGE - how long ago the report ran
The following is in the Issue Summary section:
Security Vulnerabilities
Displays a count of the components with Critical (7-10), Severe (4-6), and Moderate (1-3) vulnerabilities. Scores are standardized on a 1-10 scale based on the Common Vulnerability Scoring System (CVSS). Each component is counted once, under its highest-scoring vulnerability, so a component with several issues does not inflate the count.
License Warnings
Displays a count of the components with the following license warnings:
Copyleft - Component with a copyleft license (e.g., GPL).
Non-Standard - Component with a license Nexus Repository does not recognize.
Not Provided - The project did not declare a license.
Weak Copyleft - Similar to copyleft; however, not all derived works inherit the copyleft license.
Liberal - Component using a license with little limitation.
Detailed Repository Health Check Report
Sonatype Nexus Repository Pro users may select the View Detailed Report button to access a detailed report.
The detailed report shows the summary along with a table of component issues:
License Threat - Highlights the license with the highest potential risk for a given component.
Declared License - The licenses declared by the publishing project
Observed Licenses in Source - Licenses found in the component's source files, which may differ from what the project declares
Group - The namespace of the project owners
Artifact - The name of the artifact
Version - The artifact version
Security Issues - Highlights the severity and number of known security vulnerabilities
From the View By drop-down menu, you can also select the Vulnerabilities option.
From this view, the detailed report shows the following information:
Threat Level - Highlights the CVSS base score for each listed vulnerability.
Problem Code - Provides a link to the Common Vulnerabilities and Exposures (CVE) ID and its description.
Group - The publishing group, i.e., the package namespace (e.g., the Maven groupId or npm scope).
Artifact - The artifact name
Version - The artifact version
Resolving Certificate Errors and the Health Check: Configuration Capability
RHC works by calling one of the following Sonatype data services, depending on the Nexus Repository license in use. Network administrators need to allow outbound HTTPS to these URLs through the firewall so that RHC can receive updates:
https://rhc-pro.sonatype.com
https://rhc.sonatype.com
Administrators occasionally run into certificate errors because an outbound firewall proxy intercepts TLS and re-signs the server certificate with its own CA, which the Nexus Repository JVM does not trust. Resolve the issue by configuring outbound SSL, adding the necessary certificate (the proxy CA that actually issues the certificate Nexus sees for the RHC hosts, not the public Sonatype certificate) to the Nexus Repository truststore, and selecting the Use the Nexus truststore option when configuring the capability.
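The following script is an added diagnostic, not Sonatype's code. Run it on the Nexus host: for each RHC service host it first repeats the TLS handshake with the system trust store (or with a CA file passed as the first argument, to confirm an exported proxy CA before importing it), then captures the certificate actually presented without verification. When a firewall proxy is re-signing traffic, the verified handshake fails with an issuer error and the captured leaf is the one the proxy signed, whose issuer is the CA to add to the Nexus truststore. Only the two host names come from this page; the function names, output format and the classification heuristic are assumptions.

```python
"""Diagnose certificate errors against the Repository Health Check hosts.

Added example (not Sonatype's code). Host names are from the RHC docs;
everything else is an assumption.
"""
import hashlib
import socket
import ssl
import sys
from typing import Optional

RHC_HOSTS = ("rhc-pro.sonatype.com", "rhc.sonatype.com")

_SHORT = {"commonName": "CN", "organizationName": "O",
          "organizationalUnitName": "OU", "countryName": "C"}


def rdn_string(name) -> str:
    """Flatten the nested issuer/subject tuples from getpeercert() into 'O=..,CN=..'."""
    return ",".join(f"{_SHORT.get(attr, attr)}={value}"
                    for rdn in name for attr, value in rdn)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in the colon-separated form most tools print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def classify(verified: bool, verify_message: Optional[str]) -> str:
    """Map a handshake result onto the action the administrator should take (heuristic)."""
    if verified:
        return "trusted: no truststore change needed"
    msg = (verify_message or "").lower()
    # OpenSSL reports an unknown or private issuer with one of these messages.
    if "self-signed" in msg or "local issuer" in msg:
        return ("untrusted issuer: likely TLS interception; import the proxy CA into the "
                "Nexus truststore and select 'Use the Nexus truststore' on the capability")
    return f"handshake failed for another reason: {verify_message}"


def probe(host: str, port: int = 443, cafile: Optional[str] = None,
          timeout: float = 10.0) -> dict:
    """Verified handshake (system trust, or only `cafile`), then unverified capture of the leaf."""
    result = {"host": host, "verified": False, "verify_message": None,
              "issuer": None, "fingerprint": None, "pem": None}
    ctx = ssl.create_default_context(cafile=cafile)  # cafile alone when given, else system store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["verified"] = True
                result["issuer"] = rdn_string(tls.getpeercert()["issuer"])
    except ssl.SSLCertVerificationError as e:
        result["verify_message"] = e.verify_message
    # Second pass with verification off, purely to see what is on the wire.
    # getpeercert() returns an empty dict without verification, so take the DER form.
    raw = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    raw.check_hostname = False
    raw.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with raw.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    result["fingerprint"] = fingerprint(der)
    result["pem"] = ssl.DER_cert_to_PEM_cert(der)
    result["action"] = classify(result["verified"], result["verify_message"])
    return result


if __name__ == "__main__":
    cafile = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. an exported proxy CA to validate
    for h in RHC_HOSTS:
        r = probe(h, cafile=cafile)
        print(f"{r['host']}: {r['action']}")
        print(f"  presented certificate SHA-256 {r['fingerprint']}")
        if r["issuer"]:
            print(f"  issuer {r['issuer']}")
        if not r["verified"]:
            # This is the leaf the proxy signed; its issuer is the CA to import, not this leaf.
            print(r["pem"])
```

Compare the printed fingerprint with what a browser outside the proxy shows for the same host: a mismatch confirms interception. Pass the exported proxy CA file as the first argument and the verified handshake should succeed, which proves it is the right certificate to add to the Nexus truststore.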
Modify the Repository Health Check Capability
To manage the existing capability, complete the following steps:
Navigate to Administration → System → Capabilities.
Select the Health Check: Configuration type from the Capabilities table.
Select Settings.
Select the Use the Nexus truststore checkbox so that Nexus Repository validates the RHC service's certificate against the certificates held in its own truststore rather than only the JVM's default trust store.
Select Save.
Disabling Repository Health Check
Disable RHC through the API. To learn more, see the API documentation, which you can access via the Nexus Repository user interface under Administration → System → API. Look for DELETE /v1/repositories/{repositoryName}/health-check in the Repository Management section.
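The following script is an added example, not Sonatype's code, showing the DELETE endpoint named above driven from the command line. It lists repositories with GET /v1/repositories, keeps the proxy repositories in a format RHC supports, and disables RHC on each of them (or only on the names given as extra arguments). The /service/rest base path, the JSON fields name, format and type, and the Nexus format identifiers (maven2, npm, nuget, pypi, rubygems, yum) are taken from the Nexus Repository 3 REST API and should be confirmed against the documentation under Administration → System → API; the base URL, the account and the password variable are assumptions. Use an administrator account, and supply the password through the environment rather than on the command line so it does not show up in the process list.

```python
"""Disable Repository Health Check on proxy repositories via the Nexus REST API.

Added example (not Sonatype's code). Endpoint paths and field names are
assumed from the Nexus Repository 3 REST API; check them in your instance.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Nexus format identifiers for the formats RHC analyzes (assumption: confirm in your instance).
SUPPORTED_FORMATS = {"maven2", "npm", "nuget", "pypi", "rubygems", "yum"}


def build_request(base_url: str, path: str, user: str, password: str,
                  method: str = "GET") -> urllib.request.Request:
    """Build an authenticated request; `path` is relative to /service/rest."""
    url = base_url.rstrip("/") + "/service/rest" + path
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    return req


def health_check_path(repo_name: str) -> str:
    """Path of the RHC endpoint for one repository; the name is URL-encoded."""
    return "/v1/repositories/" + urllib.parse.quote(repo_name, safe="") + "/health-check"


def supported_proxy_repos(repos) -> list:
    """Filter a GET /v1/repositories response down to proxies RHC can analyze."""
    return sorted(r["name"] for r in repos
                  if r.get("type") == "proxy" and r.get("format") in SUPPORTED_FORMATS)


def list_repos(base_url: str, user: str, password: str):
    with urllib.request.urlopen(build_request(base_url, "/v1/repositories", user, password)) as resp:
        return json.load(resp)


def disable_rhc(base_url: str, repo_name: str, user: str, password: str) -> int:
    """Send the DELETE and return the HTTP status; a 2xx means RHC is now disabled."""
    req = build_request(base_url, health_check_path(repo_name), user, password, method="DELETE")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # surface 401/403/404 etc. to the caller instead of aborting the loop


if __name__ == "__main__":
    if len(sys.argv) < 3 or "NEXUS_PASSWORD" not in os.environ:
        sys.exit("usage: NEXUS_PASSWORD=... disable_rhc.py BASE_URL ADMIN_USER [REPO ...]")
    base, user = sys.argv[1], sys.argv[2]
    password = os.environ["NEXUS_PASSWORD"]
    targets = sys.argv[3:] or supported_proxy_repos(list_repos(base, user, password))
    for name in targets:
        status = disable_rhc(base, name, user, password)
        print(f"{name}: HTTP {status}{'' if 200 <= status < 300 else '  <- not disabled, check the API doc'}")
```

After the run, the Health Check column in the Repositories view shows the Analyze button again for each repository that returned a 2xx status.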