
Searching for Components in Nexus Repository 2


Search Overview

In the left-hand navigation area, there is an Artifact Search text field next to a magnifying glass. To search for a component by groupId or artifactId, type in some text and click the magnifying glass. Typing in the search term junit and clicking the magnifying glass should yield a search result similar to Figure 5.18, “Results of an Artifact Search for 'junit'”.

Figure 5.18. Results of an Artifact Search for 'junit'

The groupId in the Group column and the artifactId in the Artifact column identify each row in the search results table. Each row represents an aggregation of all components in this Group and Artifact coordinate.

The Version column displays a link to Show All Versions, which triggers a search for the specific group and artifact.

The Most Popular Version column displays the version that has the most downloads by all users accessing the Central Repository. This data can help with the selection of an appropriate version to use for a particular component.

The Download column displays direct links to all the components available for the latest version. A typical list of downloadable components would include the Java archive jar, the Maven pom.xml file pom, a Javadoc archive javadoc.jar and a source archive sources.jar, but other download options are added if more components are available. Click on a link to download that component.

Each of the columns in the search results table can be used to sort the table in Ascending or Descending order. In addition, you can add and remove columns with the sort and column drop-down options visible in Figure 5.19, “Sort and Column Options in the Search Results Table”.

Figure 5.19. Sort and Column Options in the Search Results Table

The repository browser interface below the search results table displays the component selected in the list within the repository structure, with the same information panels documented in Browsing Repositories. A component can be present in more than one repository. If this is the case, click on the value next to Viewing Repository to switch between the matching repositories.

Warning

Let me guess? You installed Nexus Repository Manager, ran to the search box, typed in the name of a group or a component, pressed search and saw absolutely nothing. No results. The repository manager isn’t going to retrieve the remote repository indexes by default. You need to activate downloading of remote indexes for the three default proxy repositories. Without these indexes, the repository manager has nothing to search. Find instructions for activating index downloads in Managing Repositories.

Advanced Search

Clicking on the (Show All Versions) link in the Version column visible in Figure 5.18, “Results of an Artifact Search for 'junit'” will initiate an Advanced Search by the groupId and artifactId of the row and result in a view similar to Figure 5.20, “Advanced Search Results for a GAV Search Activated by the Show All Versions Link”.

Figure 5.20. Advanced Search Results for a GAV Search Activated by the Show All Versions Link

The header for the Advanced Search contains a selector for the type of search, one or more text input fields to define the search, and a button to run a new search with the specified parameters.

The search results table contains one row per Group (groupId), Artifact (artifactId), and Version (version).

In addition, the Age column displays how long the component has been available on the Central Repository. Since most components are published to the Central Repository when released, this age gives you a good indication of the actual time since the release of the component.

The Popularity column shows a relative popularity as compared to the other results in the search table. This can give you a good idea of the adoption rate of a new release. For example, if a newer version has a high age value but a low popularity compared to an older version, you might want to check the upstream project and see if there are any issues stopping other users from upgrading that might affect you as well. Another reason could be that the new version does not provide significant improvements to warrant an upgrade for most users.

The Security Issues column shows the number of known security issues for the specific component. The License Threat column shows a colored square, with blue indicating no license threat and yellow, orange and red indicating increasing license threat levels. More information about both indicators can be seen in the Component Info panel below the list of components for the specific component.

The Download column provides download links for all the available components.

The following advanced searches are available:

Keyword Search

Identical to the Artifact Search in the left-hand navigation, this search will look for the specified strings in the groupId and artifactId.

Classname Search

Rather than looking at the coordinates of a component in the repository, the Classname Search looks at the contents of the components and searches for Java classes with the specified name. For example, try a search for a classname of Pair to see how many library authors saw a need to implement such a class, saving you from potentially implementing yet another version.

GAV Search

The GAV search allows a search using the Maven coordinates of a component. These are Group (groupId), Artifact (artifactId), Version (version), Packaging (packaging), and Classifier (classifier). At a minimum you need to specify a group, artifact or version in your search. An example search would be an artifact guice with a classifier no_aop, or a group of org.glassfish.main.admingui with a packaging war. The default packaging is jar, with other values as used in Maven packaging like ear, war, maven-plugin, pom, and ejb.

Checksum Search

Sometimes it is necessary to determine the version of a jar component in order to migrate to a qualified version. When neither the filename nor the contents of the manifest file in the jar contain any useful information about the exact version of the jar, you can use Checksum Search to identify the component. Create a SHA-1 checksum, e.g., with the sha1sum command available on Linux or fciv on Windows, and use the resulting hex string in a checksum search. A matching checksum returns a single result, which provides you with the GAV coordinates needed to replace the jar file with a dependency declaration. Note that a hit only tells you that the bytes are identical to a published component; it does not verify the component's origin, so keep validating signatures and checksums from the upstream project as usual.

Metadata Search

Search for components with specific metadata properties is documented in Searching Artifact Metadata.

Note

The checksum search can be a huge timesaver when migrating a legacy build system, where the used libraries are checked into the version control system as binary components with no version information available.
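The legacy-migration workflow described above, as an added example (this is not code from the page or from Sonatype): hash every version-less jar in a lib/ directory, build the corresponding checksum search request, and turn the GAV coordinates that come back into a Maven dependency declaration. The REST path /service/local/lucene/search?sha1= is assumed to be the Nexus Repository 2 Core API resource behind the UI's Checksum Search; confirm it against your instance's REST documentation. The searchNGResponse document below is a constructed sample modelled on that API's format so the example runs offline.

```python
"""Identify version-less jars via SHA-1 and emit dependency declarations.

Added example; the REST path and the sample XML are assumptions, not
taken from the page.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed stand-in for what a sha1 search returns (assumed format).
SAMPLE_RESPONSE = """<searchNGResponse>
  <totalCount>1</totalCount>
  <data>
    <artifact>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
      <artifactHits>
        <artifactHit>
          <repositoryId>central</repositoryId>
          <artifactLinks>
            <artifactLink><extension>jar</extension></artifactLink>
          </artifactLinks>
        </artifactHit>
      </artifactHits>
    </artifact>
  </data>
</searchNGResponse>
"""


def sha1_of_bytes(data):
    """SHA-1 hex digest of an in-memory blob (what sha1sum prints)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 16):
    """Stream the file so large jars never have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_search_url(base_url, sha1):
    """Build the checksum search request; the path is an assumption."""
    digest = sha1.lower()
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a 40-hex-digit SHA-1, got %r" % sha1)
    return (base_url.rstrip("/") + "/service/local/lucene/search?"
            + urlencode({"sha1": digest}))


def parse_search_response(xml_text):
    """Return (groupId, artifactId, version) for each matched artifact."""
    root = ET.fromstring(xml_text)
    return [(a.findtext("groupId"), a.findtext("artifactId"), a.findtext("version"))
            for a in root.iter("artifact")]


def dependency_declaration(group, artifact, version):
    """The pom.xml snippet that replaces the checked-in jar."""
    return ("<dependency>\n  <groupId>%s</groupId>\n  <artifactId>%s</artifactId>\n"
            "  <version>%s</version>\n</dependency>" % (group, artifact, version))


def identify_jars(lib_dir, base_url):
    """Map each jar file name to its SHA-1 and its search URL."""
    result = {}
    for name in sorted(os.listdir(lib_dir)):
        if name.endswith(".jar"):
            digest = sha1_of_file(os.path.join(lib_dir, name))
            result[name] = (digest, checksum_search_url(base_url, digest))
    return result


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as lib:
        # Constructed placeholder for a legacy lib/ directory.
        with open(os.path.join(lib, "unknown.jar"), "wb") as fh:
            fh.write(b"abc")
        for name, (digest, url) in identify_jars(lib, "http://localhost:8081/nexus").items():
            print(name, digest, url)
    for g, a, v in parse_search_response(SAMPLE_RESPONSE):
        print(dependency_declaration(g, a, v))
```

The URL builder rejects anything that is not a 40-digit hex string so a truncated or MD5 checksum fails loudly instead of producing an empty search; the response parser deliberately reads only the GAV fields, which is all you need to write the dependency declaration.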

Searching Artifact Metadata

Available in Nexus Repository Pro only

To search for components with specific metadata, click on the Advanced Search link directly below the search field in the Artifact Search submenu of the main menu. This opens the Search panel and allows you to select Metadata Search in the search type drop-down as shown in Figure 5.21, “Searching Artifact Metadata”.

Figure 5.21. Searching Artifact Metadata

Once you select the metadata search you will see two search fields and an operator drop-down. The two search fields are the key and value of the metadata for which you are searching. The operator drop-down can be set to Equals, Matches, Key Defined, or Not Equal. Equals and Not Equal compare the value for a specific key. Matches allows the usage of * to stand for any sequence of characters. E.g., looking for tr* would match true but also match tree. The Key Defined operator ignores any value provided and returns all components that carry the supplied key.
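The four operators, re-implemented over a constructed set of components so you can see exactly which rows each one selects. This is an added example, not Nexus code; the sample components and their metadata keys are invented, and the choice to treat a component that lacks the key as no match for Not Equal is an assumption about the product's behaviour.

```python
"""Metadata Search operators (Equals, Matches, Key Defined, Not Equal).

Added example with constructed data; not the repository manager's code.
"""
import re

# Constructed sample: GAV plus the custom metadata attached to each component.
COMPONENTS = [
    {"gav": "junit:junit:4.12", "metadata": {"approved": "true", "team": "platform"}},
    {"gav": "org.example:tree:1.0", "metadata": {"approved": "tree", "team": "web"}},
    {"gav": "org.example:lib:2.1", "metadata": {"team": "platform"}},
]


def glob_to_regex(pattern):
    """Only '*' is a wildcard; every other character is matched literally."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def metadata_search(components, key, value, operator):
    """Return the GAVs whose metadata satisfies key <operator> value."""
    op = operator.lower().replace(" ", "_")
    hits = []
    for comp in components:
        md = comp["metadata"]
        if op == "key_defined":
            ok = key in md                      # value is ignored on purpose
        elif key not in md:
            ok = False                          # assumption: no key, no match
        elif op == "equals":
            ok = md[key] == value
        elif op == "not_equal":
            ok = md[key] != value
        elif op == "matches":
            ok = glob_to_regex(value).match(md[key]) is not None
        else:
            raise ValueError("unknown operator %r" % operator)
        if ok:
            hits.append(comp["gav"])
    return hits


if __name__ == "__main__":
    for key, value, op in [("approved", "tr*", "Matches"),
                           ("approved", "true", "Equals"),
                           ("approved", "", "Key Defined"),
                           ("team", "platform", "Not Equal")]:
        print(key, op, repr(value), "->", metadata_search(COMPONENTS, key, value, op))
```

Escaping the non-wildcard characters matters: a value such as 1.0 must not match 1x0 just because '.' is a regex metacharacter, which is why the glob is converted with re.escape rather than passed through as a pattern.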

Figure 5.22. Metadata Search Results for Custom Metadata

Once you locate a matching component in the results list, click on the component and then select the Artifact Metadata tab to examine the component's metadata as shown in Figure 5.23, “Metadata Search Results for Custom Metadata”.

Figure 5.23. Metadata Search Results for Custom Metadata

Search Example: Analyzing a Security Vulnerability

Available in Nexus Repository Pro only

The following example details how you can analyze security issues of a component and determine a solution with the help of information available in the repository manager.

You noticed the component with the Group org.springframework, the Artifact spring-beans and Version 2.5.4. Upon further inspection of your software build and the components used, you can confirm that this component is indeed part of your shipping software. You might have discovered the need to investigate this initially by performing a repository health check or an external resource such as a security mailing list.

Note

Nexus IQ Server for CI can help you with the detection of license and security issues during continuous integration builds. Sonatype App Health Check allows you to analyze already assembled application archives.

A GAV search for the component allows you to inspect the Component Info tab for the component displayed in Figure 5.24, “GAV Search Results for org.springframework:spring-beans and Component Info Tab for Version 2.5.4”.

Figure 5.24. GAV Search Results for org.springframework:spring-beans and Component Info Tab for Version 2.5.4

After reading the summary and inspecting the entries for the security issues in the security databases linked in the Problem Code column, you decide that these issues affect your software and a fix is required. In order to determine your next steps you search for all versions of the spring-beans component. As a result you receive the list of all versions available, partially displayed in Figure 5.25, “Viewing Multiple Versions of org.springframework:spring-beans:x”. The Security Issues column in the search results list displays a count of two security issues for version 2.5.4 of the library.

Figure 5.25. Viewing Multiple Versions of org.springframework:spring-beans:x

Looking at the Security Issues column in the results allows you to determine that with the upgrade of the library to version 2.5.6.SEC02 the count of security issues drops to zero. The same applies to version 2.5.6.SEC03, which appears to be the latest version of the 2.x version of the component. In addition, the table shows that early versions of the 3.x releases were affected by security issues as well.

With these results, you decide that an immediate update to version 2.5.6.SEC03 will be required as your next step. In the longer term an update to a newer version of the 3.x or even 4.x releases will follow.

The necessary steps to upgrade depend on your usage of the spring-beans library. A direct usage of the library will allow you to upgrade it directly. In most cases, this will require an upgrade of other SpringFramework libraries. If you are indirectly using spring-beans as a transitive dependency, you will need to figure out how to upgrade either the dependency causing the inclusion or override the version used.

The detailed measures depend on the build system used, but in all cases you now have the information at hand detailing why you should upgrade and to which version. Nexus IQ Server offers tools for these migration efforts as well as various ways to monitor your development for security, license, and other issues.
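The direct-versus-transitive question from the upgrade step above, worked through for a Maven build as an added example (not code from the page or from Sonatype). The dependency tree is a constructed sample in the format printed by mvn dependency:tree; the function walks it, reports the path by which spring-beans is pulled in, and writes the dependencyManagement override that pins the fixed version when the inclusion is transitive.

```python
"""Find how a vulnerable component enters a Maven build and pin a fix.

Added example; SAMPLE_TREE is constructed mvn dependency:tree output.
"""
import re

# Constructed sample; the project, scopes and neighbours are invented.
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ shop ---
[INFO] com.example:shop:war:1.4.0
[INFO] +- org.springframework:spring-context:jar:2.5.4:compile
[INFO] |  +- org.springframework:spring-beans:jar:2.5.4:compile
[INFO] |  |  \- org.springframework:spring-core:jar:2.5.4:compile
[INFO] |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.hibernate:hibernate:jar:3.2.7.ga:compile
[INFO] \- junit:junit:jar:4.12:test
"""

# indentation segments of three chars ("|  " or "   "), an optional "+- "/"\- "
# marker, then a coordinate of the form g:a:type[:classifier]:version[:scope]
LINE_RE = re.compile(r"^(?:\[INFO\] )?((?:[| ] {2})*)([+\\]- )?([^\s:]+:[^\s:]+:\S+)$")


def parse_coordinate(coord):
    """Split a dependency:tree coordinate into (group, artifact, version, scope)."""
    parts = coord.split(":")
    if len(parts) == 4:                      # root: g:a:type:version
        g, a, _type, v = parts
        scope = None
    elif len(parts) == 5:                    # g:a:type:version:scope
        g, a, _type, v, scope = parts
    elif len(parts) == 6:                    # g:a:type:classifier:version:scope
        g, a, _type, _classifier, v, scope = parts
    else:
        raise ValueError("unexpected coordinate %r" % coord)
    return g, a, v, scope


def parse_tree(text):
    """Return (depth, group, artifact, version, scope) per dependency line."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue                          # plugin banners, BUILD SUCCESS, ...
        indent, marker, coord = m.groups()
        depth = len(indent) // 3 + (1 if marker else 0)
        nodes.append((depth,) + parse_coordinate(coord))
    return nodes


def paths_to(nodes, group, artifact):
    """Every root-to-occurrence path for the given group:artifact."""
    stack, found = [], []
    for depth, g, a, v, _scope in nodes:
        del stack[depth:]                     # climb back to the parent level
        stack.append("%s:%s:%s" % (g, a, v))
        if g == group and a == artifact:
            found.append(list(stack))
    return found


def is_direct(path):
    """Root plus one node means the project declares it itself."""
    return len(path) == 2


def dependency_management_override(group, artifact, version):
    """Pin a transitive dependency without touching the parent that pulls it in."""
    return ("<dependencyManagement>\n  <dependencies>\n    <dependency>\n"
            "      <groupId>%s</groupId>\n      <artifactId>%s</artifactId>\n"
            "      <version>%s</version>\n    </dependency>\n"
            "  </dependencies>\n</dependencyManagement>" % (group, artifact, version))


if __name__ == "__main__":
    nodes = parse_tree(SAMPLE_TREE)
    for path in paths_to(nodes, "org.springframework", "spring-beans"):
        print(" -> ".join(path), "(direct)" if is_direct(path) else "(transitive)")
        if not is_direct(path):
            print(dependency_management_override("org.springframework", "spring-beans", "2.5.6.SEC03"))
```

Pinning through dependencyManagement is the override route the text mentions; the other route, upgrading spring-context so that it brings in a fixed spring-beans itself, is visible in the same path output because it names the parent responsible for the inclusion.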

Search Example: Resolving a License Issue

Note

Available in Nexus Repository Pro only.

The following example details how you can analyze a license issue of a component found in your repository health check and determine a solution with the help of information available in the repository manager. The same need for investigation might have been triggered by external means, such as a legal review of all components as part of your release process and the requirement to manage a comprehensive bill of materials.

Your repository health check detail report indicated that Hibernate 3.2.7.ga might have issues due to its Threat Level declared as Non-Standard. Looking at your software components you found that you are indeed using this version of Hibernate. Searching for the component in the repository manager provides you with the search results list and the Component Info tab for the specific version displayed in Figure 5.26, “Viewing License Analysis Results for Hibernate”.

Figure 5.26. Viewing License Analysis Results for Hibernate

The Component Info tab shows that the declared license of Hibernate is LGPL-3.0. Contrary to that, the licenses observed in the source code include Apache-1.1, Apache-2.0, LGPL-2.1, LGPL and Non-Standard.

Looking at newer versions of Hibernate you find that the observed license in the source code changed to Not-Provided. Given this change you can conclude that the license headers in the individual source code files were removed or otherwise altered and the declared license was modified to LGPL-2.1.

With this information in hand you determine that you will need to contact your lawyers to figure out if you are okay to upgrade to a newer version of Hibernate to remedy the uncertainty of the license. In addition, you will need to decide if the LGPL-2.0 is compatible with the distribution mechanism of your software and approved by your lawyers.