
Sonatype for Visual Studio 2022

Sonatype's Integrated Development Environment (IDE) extensions give development teams direct access to Sonatype's component intelligence. The Visual Studio 2022 extension shifts application security left by bringing policy and vulnerability data into the development workflow, so developers can find and fix risky components before they are committed.

The Sonatype for Visual Studio 2022 extension provides component analysis for the Community, Professional, and Enterprise editions of Visual Studio.

The Sonatype for Visual Studio 2022 extension is available on the Visual Studio Marketplace.

New functionality in Visual Studio 2022

The Sonatype for Visual Studio 2022 extension has complete parity with the previous IQ for Visual Studio 2019 plugin. Expanded and new features found only in this version are listed in the Supported Features section.

Requirements

Project Reference Managers

Projects must reference their NuGet packages using either the PackageReference format or the older packages.config format to be analyzed.
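The two reference formats differ in where the package list lives: PackageReference entries sit inside the project file itself, while packages.config is a separate XML file beside it. The following added example (not code from the page or from Sonatype) parses a constructed sample of each format and returns the direct package references it declares; a project that yields nothing here is one the extension would have nothing to analyze. Both sample documents and the package names and versions in them are constructed for illustration.

```python
"""Extract direct NuGet references from PackageReference or packages.config."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample of an SDK-style project using PackageReference.
CSPROJ_PACKAGEREFERENCE = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Serilog">
      <Version>3.1.1</Version>
    </PackageReference>
  </ItemGroup>
</Project>
"""

# Constructed sample of the older packages.config format.
PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="12.0.3" targetFramework="net472" />
  <package id="log4net" version="2.0.8" targetFramework="net472" />
</packages>
"""


def _local_name(tag: str) -> str:
    """Strip an XML namespace; legacy csproj files declare the MSBuild namespace."""
    return tag.rsplit("}", 1)[-1]


def direct_references(xml_text: str) -> dict[str, str]:
    """Return {package_id: version} for either supported format.

    Returns an empty dict when the document contains neither PackageReference
    nor package elements, i.e. the project is not in a format the extension
    can analyze.
    """
    root = ET.fromstring(xml_text)
    refs: dict[str, str] = {}
    for el in root.iter():
        name = _local_name(el.tag)
        if name == "PackageReference":
            # Version may be an attribute or a child element.
            version = el.get("Version")
            if version is None:
                for child in el:
                    if _local_name(child.tag) == "Version":
                        version = (child.text or "").strip()
            pkg = el.get("Include")
            if pkg:
                refs[pkg] = version or ""
        elif name == "package":
            pkg = el.get("id")
            if pkg:
                refs[pkg] = el.get("version", "")
    return refs


if __name__ == "__main__":
    for label, doc in (("PackageReference", CSPROJ_PACKAGEREFERENCE),
                       ("packages.config", PACKAGES_CONFIG)):
        print(label, direct_references(doc))
```

Only direct references are visible in these files; transitive dependencies are resolved at restore time, which is why the extension reads them from the local package cache rather than from the project file.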

External Libraries

At this time, the extension analyzes only the libraries installed in the project's local package cache.

Installing Sonatype for Visual Studio 2022

Sonatype for Visual Studio 2022 can be installed from within Visual Studio using the Extension Manager or from the Visual Studio Marketplace.

Opening Sonatype for Visual Studio 2022

You can open the extension from the menu via View -> Other Windows -> Sonatype.

Configuring Sonatype for Visual Studio 2022

The Sonatype IQ options are available from within the Visual Studio options dialog.

Authorization using IQ Server Credentials

Enter the IQ Server URL, Username, and Password to allow the extension to fetch data from the IQ Server. The Connect button verifies the connection:


Then select the application as configured in the IQ Server. This is required so that the policy set scoped to your application is applied to the analysis.

Using Certificate Authentication

The extension supports using a certificate for authentication.

Clicking the Select button next to the Certificate field opens a Windows Security dialog. When you select a certificate, the typed credentials are cleared and the certificate is used for authentication. To revert to typed credentials, fill in the username and password fields again.


The Windows Security prompt lists the certificates in the current user's Personal certificate store. That store is managed with MMC and the Certificates snap-in; to add a choice, right-click the Certificates folder and follow the prompts to import a certificate. Note: the Trusted Root Certification Authorities store must also contain the CA that issued the certificate presented by the IQ Server reverse proxy, or the TLS connection will fail.


After you restart Visual Studio, the Sonatype for Visual Studio extension opens a certificate prompt to establish the secure connection.

Using Sonatype for Visual Studio 2022

The Sonatype for Visual Studio tool window is accessed by clicking the Sonatype Developer tab on the bottom tool strip of Visual Studio. It is also available in View under Other Windows.

Once the extension is configured and the component analysis has completed, a component view is displayed. Component versions and details are available by clicking the component name in the Component list.


Review the Component Info view for details on the Policy Threat levels returned for each component.

Supported Features

Extension Management Icons

  • Configuration: The configuration is managed under the gear icon on the left-hand side of the extension window.

  • Running Analysis: To run or refresh the analysis, click the play button next to the configuration icon. Allow a few minutes for the analysis to complete.

  • Filter Results: The filter icon allows you to focus on a specific set of results. See details below.

  • Sorting: By default, the component list is not sorted; click any of the table headers to sort the results by that column.

Migrate to Selected

The "Migrate to Selected" button lets you update a direct NuGet dependency in your project to a different version without leaving the extension. The button stays disabled until a supported version upgrade has been selected, and it remains greyed out for the currently installed version. Currently, npm components and transitive dependencies are not supported.

Component Dependency Types

Components in the component display are labeled with the [D] and [T] prefixes to denote Direct and Transitive dependencies respectively. Transitive dependencies are components brought into the application by the project's directly referenced dependencies rather than by the project itself.

Find Usage

Right-clicking a component in the component display opens the context menu. The 'Find Usage' option lists the projects that request the component. This is useful in multi-project solutions to see which project is responsible for pulling in a given dependency.

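The [D]/[T] classification and the 'Find Usage' lookup above both come down to the same data: for every resolved package, which projects reference it and whether each reference is direct or transitive. The following added example (not code from the page or from Sonatype) reproduces that bookkeeping from NuGet packages.lock.json files. It assumes the solution restores with lock files enabled, and the two project paths, package names, and versions are constructed for illustration. One choice is also an assumption: a package referenced directly by any project in the solution is labeled [D], and only packages that arrive transitively everywhere are labeled [T].

```python
"""Label NuGet components as direct/transitive and find which projects use them."""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed packages.lock.json contents for two projects in one solution.
LOCK_FILES: dict[str, str] = {
    "WebApp/WebApp.csproj": json.dumps({
        "version": 1,
        "dependencies": {
            "net8.0": {
                "Serilog.AspNetCore": {"type": "Direct", "requested": "[8.0.0, )", "resolved": "8.0.0"},
                "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
                "Serilog": {"type": "Transitive", "resolved": "3.1.1"},
                "Serilog.Sinks.Console": {"type": "Transitive", "resolved": "5.0.0"},
            }
        },
    }),
    "Worker/Worker.csproj": json.dumps({
        "version": 1,
        "dependencies": {
            "net8.0": {
                "Serilog.Sinks.Console": {"type": "Direct", "requested": "[5.0.0, )", "resolved": "5.0.0"},
                "Serilog": {"type": "Transitive", "resolved": "3.1.1"},
                "Shared": {"type": "Project"},
            }
        },
    }),
}


@dataclass
class Component:
    name: str
    version: str
    direct_in: set[str] = field(default_factory=set)
    transitive_in: set[str] = field(default_factory=set)

    @property
    def label(self) -> str:
        """Mirror the [D]/[T] prefix of the component list (assumption: direct anywhere wins)."""
        prefix = "[D]" if self.direct_in else "[T]"
        return f"{prefix} {self.name} {self.version}"

    @property
    def projects(self) -> list[str]:
        return sorted(self.direct_in | self.transitive_in)


def load_components(lock_files: dict[str, str]) -> dict[tuple[str, str], Component]:
    """Merge every project's lock file into one (name, version) -> Component map."""
    comps: dict[tuple[str, str], Component] = {}
    for project, text in lock_files.items():
        for packages in json.loads(text)["dependencies"].values():
            for name, info in packages.items():
                if info.get("type") == "Project":
                    continue  # project-to-project references are not packages
                key = (name, info["resolved"])
                comp = comps.setdefault(key, Component(name, info["resolved"]))
                # Anything other than "Direct" (Transitive, CentralTransitive) is transitive.
                if info.get("type") == "Direct":
                    comp.direct_in.add(project)
                else:
                    comp.transitive_in.add(project)
    return comps


def component_list(comps: dict[tuple[str, str], Component]) -> list[str]:
    """The labeled rows a component display would show, sorted."""
    return sorted(c.label for c in comps.values())


def find_usage(comps: dict[tuple[str, str], Component], name: str) -> list[str]:
    """'Find Usage': every project that requests any version of the package."""
    projects: set[str] = set()
    for (pkg, _), comp in comps.items():
        if pkg == name:
            projects.update(comp.projects)
    return sorted(projects)


if __name__ == "__main__":
    comps = load_components(LOCK_FILES)
    for row in component_list(comps):
        print(row)
    print("Serilog used by:", find_usage(comps, "Serilog"))
```

Serilog here is a [T] component even though two projects depend on it, because neither declares it; fixing a policy violation against it therefore means upgrading or replacing the direct dependency that brings it in, which is what the usage lookup points you to.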

Selected Component Details

The selected component in the component display includes a button that opens more details on the violations associated with that component. The window that opens covers Policy Violations, License Analysis, and Security Issues. Known CVEs are listed as Problem Codes that link to the violation details in the IQ Server.


Component Filter

The component filter is accessed to the left of the component display. It narrows the list of components by dependency type (direct or transitive) or by the severity of each component's highest violation.


Support for both Light and Dark Themes

The extension is compatible with both the Light and Dark themes in Visual Studio 2022. The Blue theme renders the same as the Light theme.
