Skip to main content

Repository Health Check

Note

As of release 3.55.0, those who have enabled IQ Server under Administration → IQ Server and have Sonatype Repository Firewall as a feature on that IQ Server instance will not see Repository Health Check in their Sonatype Nexus Repository instance. Firewall is a much more fully featured tool for identifying security risks in your repositories. Learn more about Sonatype Repository Firewall on sonatype.com.

What is Repository Health Check?

Repository Health Check (RHC) allows Sonatype Nexus Repository users to identify open source security risks in proxy repositories at the earliest stages of their DevOps pipeline by providing the following key capabilities:

  1. A summary of components with security vulnerabilities categorized by severity.

  2. A count of license warnings per component categorized by severity.

  3. A detailed RHC report that identifies specific artifacts and threats. PRO

Note

RHC is only available for proxy repositories in Go, Maven, npm, NuGet, PyPI, RubyGems, and Yum formats.

Using Repository Health Check

To use RHC, sign in as an administrator to your Nexus Repository instance and follow these steps:

1. Navigate to the Administration section by selecting the gear icon in the top bar on the user interface.

2. Under the Repositoryoption in the left-hand menu, selectRepositories to navigate to the repository management screen.

On this screen, you will see a table with a Health Check column. If a RHC has already been run on a repository, you will see two icons with numbers: the shield icon and number show the number of security vulnerabilities identified; the ribbon icon and number show the number of license warnings identified. If RHC is not enabled on a repository, you will see an Analyze button.

3. Select the Analyze button to enable RHC on a repository.

4. A dialogue box will appear and offer you the option to enable RHC on all supported repositories or just the one you've selected. Select either Yes, all repositories or Yes, only this repository to enable RHC for the selected or all repositories. Select No if you wish to cancel.

5. An Analyzing... status will appear in the Health Check column as the scan runs.

Note

The initial scan will take some time, and the resulting report will initially appear blank. Enabling RHC automatically creates and schedules a System - Repository Health Check task for each repository on which you have enabled RHC. This task runs every hour to see if it is time to return a new report; however, it will only return a new report every 24 hours regardless of how often you run the task. Manually running the task will not update the report.

6. Once the scan completes, hover over the Health Check column entry for a given repository to see summary report.

108960139.png

For new repositories, the table will initially appear blank. As users download assets, data will gradually fill out the summary over time.

Note

The report populates once every 24 hours. See the Age field in the summary to see how long it has been since the report populated.

This summary report displays the following information:

  • In the upper section, you will see the following:

    • A green donut chart showing how many components Nexus Repository recognizes.

    • A FOR field tells you for which repository this report was run.

    • The ON field tells you exactly when the check was run.

    • The AGE field tells you the data's age.

  • In the main Issue Summary section, you will see the following:

    • A Security Vulnerabilities column displays a count of the components with critical (7-10), severe (4-6), and moderate (1-3) vulnerabilities. The scoring is standardized on a 1-10 scale based on the Common Vulnerability Scoring System (CVSS) version 2; if a component has multiple vulnerabilities, only the highest will be included in this count.

    • A License Warnings column displays a count of the components with the following license warnings:

      • Copyleft - Component with a copyleft license (e.g., GPL).

      • Non-Standard - Component with a license Nexus Repository does not recognize.

      • Not Provided - Project did not declare a license.

      • Weak Copyleft - Similar to copyleft; however, not all derived works inherit the copyleft license.

      • Liberal - Component using a license with little limitation.

Detailed Repository Health Check Report

If you’re running Sonatype Nexus Repository Pro, select the View Detailed Report button to access the detailed RHC report. PRO

When you initially load the report, it will show the Artifacts view.

detailed_repository_health_check.png

When View By Artifacts is selected, the detailed report shows the same information as the summary along with a table displaying the following additional data:

  • License Threat - Highlights the license with the highest potential risk for a given component.

  • Declared License - The licenses provided by the publishing project.

  • Observed Licenses in Source - Licenses Sonatype services identified through source analysis for supported formats.

  • Group - The publishing group (i.e., the package namespace (e.g., maven groupId, npm scope)).

  • Artifact - The artifact name.

  • Version - The artifact version.

  • Security Issues - Highlights the severity and number of known security vulnerabilities; severity (based on the CVSS) is indicated via color (red = critical (7-10); orange = severe (4-6); yellow = moderate (1-3)) while number is indicated by the number of triangle icons in the column.

From the View By drop-down menu, you can also select the Vulnerabilities option.

113247539.png

From this view, the detailed report shows the following information:

  • Threat Level - Highlights the CVSS base score for each listed vulnerability.

  • Problem Code - Provides a link to Common Vulnerabilities and Exposures (CVE) ID and description.

  • Group - The publishing group (i.e., the package namespace (e.g., maven groupId, npm scope)).

  • Artifact - The artifact name.

  • Version - The artifact version.

Resolving Certificate Errors and the Health Check: Configuration Capability

The RHC service works by performing calls to https://rhc-pro.sonatype.com or https://rhc.sonatype.com/ depending on whether you are running Sonatype Nexus Repository Pro (licensed) or OSS. Network administrators should make sure their firewalls allow these URLs through.Occasionally, administrators run into certificate errors because they are using a firewall proxy server that rewrites the certificate, making it appear untrusted.

If you run into this issue, you can often resolve it by configuring outbound SSL, adding necessary certificates to the Nexus Repository trust store, and selecting the Use the Nexus truststore option when configuring the Health Check: Configuration capability.

This capability is automatically created if you select Yes, all repositories when enabling RHC on a repository. You can also manually configure this capability if you've selected Yes, only this repository instead.

To create this capability, take the following actions:

1. Navigate to AdministrationSystemCapabilities.

2. Select Create capability.

3. Select the Health Check: Configuration type.

4. The Enable this capability and Configure for all proxy repositories checkboxes are automatically selected; unselect the Configure for all proxy repositories if desired.

5. Select the Use the Nexus truststore checkbox to allow Sonatype Nexus Repository to manage the SSL certificate of the remote repository; learn more in the Repository Management section. See Configuring SSL for more information on configuring outbound SSL.

113248391.png

6. Select Create capability.

To manage the existing capability, complete the following steps:

1. Navigate to AdministrationSystemCapabilities.

2. Select the Health Check: Configuration type from the Capabilities table. The summary view displays.

3. Select Settings.

4. Select the Use the Nexus truststore checkbox to allow Sonatype Nexus Repository to manage the SSL certificate of the remote repository; learn more in the Repository Management section. See Configuring SSL for more information on configuring outbound SSL.

5. Select Save.

Disabling Repository Health Check

The best way to disable RHC is through the API.

To learn more, see our API documentation, which you can access via the Nexus Repository user interface under AdministrationSystemAPI.

Look for DELETE /v1/repositories/{repositoryName}/health-check in the Repository Management section.