Lifecycle XC (Expanded Coverage) is a new capability of Nexus Lifecycle that uses OWASP dependency-check to provide basic coverage for additional languages. Dependency-check is an open-source project that scans applications and identifies the use of known vulnerable components. The focus of Lifecycle XC is not precision; it is to leverage a community project so that basic coverage can be added for a breadth of languages.
Lifecycle XC is supported in IQ Server versions 1.35 and newer.
What Does it Do?
Lifecycle XC provides basic coverage, including reporting vulnerabilities from the National Vulnerability Database (NVD), on languages we have not previously supported. Integrating dependency-check evidence collection allows us to quickly add languages as the community develops them, and provide a bill of materials for identified components and vulnerability data.
|Lifecycle XC Does||Lifecycle XC Does Not|
How Does it Work?
The CLI for IQ Server provides the option to run in either normal (Lifecycle) mode or XC mode. The two modes are mutually exclusive. Data collection for identification and vulnerability correlation is provided by the dependency-check analyzers. The results come from unverified public sources, and do not include any Sonatype enriched information. Policy evaluation is disabled due to the uncertainty of identification, quality of vulnerability information, and lack of additional information that is used in policy (e.g. license, popularity). Instead, XC results should be viewed as a bill of materials showing the component identified and the public vulnerability data.
Lifecycle XC (dependency-check) does not resolve dependencies: it only examines artifacts that are already present on disk. As a workaround, have your build fetch the dependencies first, then extract or copy them into a single location and point the scan at that location.
Use the following parameter in the CLI to run an XC scan:
For an example XC evaluation, please see the Nexus IQ CLI topic.
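As an added illustration of the staging workaround above (this is not Sonatype's or dependency-check's own code): a small POSIX shell function that gathers already-resolved dependency artifacts from a build tree into one flat directory, which is then the directory you hand to the CLI's XC scan. The artifact extensions, the directory names and the hypothetical `stage_deps` function name are assumptions; the CLI parameter itself is the one given in the Nexus IQ CLI topic.

```shell
#!/bin/sh
# Added example, not part of Nexus IQ or dependency-check.
# Lifecycle XC does not resolve dependencies, so the build must already have
# fetched them (local Maven repo, node_modules, pip wheelhouse, ...). This
# function copies those artifacts into one flat directory for the XC scan.
# Assumptions: the extension list below; extend it for your ecosystems.
set -eu

# stage_deps SRC_DIR STAGE_DIR
# Copies every dependency artifact found under SRC_DIR into STAGE_DIR.
# Two different artifacts that share a filename (e.g. the same jar vendored
# twice) are both kept; the second copy is prefixed with a checksum of its
# source path so nothing is silently dropped from the bill of materials.
# Prints the number of artifact files present in STAGE_DIR afterwards.
stage_deps() {
  src="$1"
  stage="$2"
  mkdir -p "$stage"

  find "$src" -type f \
    \( -name '*.jar' -o -name '*.war' -o -name '*.whl' -o -name '*.gem' \
       -o -name '*.nupkg' -o -name '*.tgz' \) -print |
  while IFS= read -r f; do
    base=$(basename "$f")
    dest="$stage/$base"
    if [ -e "$dest" ]; then
      # Same filename from a different path: keep both, tag with a checksum.
      tag=$(printf '%s' "$f" | cksum | cut -d' ' -f1)
      dest="$stage/${tag}-$base"
    fi
    cp "$f" "$dest"
  done

  # The while loop runs in a pipeline subshell, so count the result directly.
  find "$stage" -type f | wc -l | tr -d ' '
}

# Stand-alone usage: ./stage_deps.sh <project-dir> <stage-dir>
if [ "$#" -eq 2 ]; then
  stage_deps "$1" "$2"
fi
```

The staged directory is what you scan in XC mode. Note the limits of this approach: the tree is flattened, so path context is lost; build scopes (test versus runtime) are not distinguished, so test-only libraries show up in the bill of materials alongside shipped ones; and only the listed extensions are collected, so anything your ecosystem packages differently must be added to the `find` expression.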
What Data Will I See?
When running the CLI in Lifecycle mode, you will continue to see enriched data and detailed reporting in the IQ Server for covered languages. When running the CLI in XC mode, you will see security data in an XC-branded report inside the IQ Server user interface. Lifecycle XC shows basic coverage information regardless of whether there is advanced support for the language or components being analyzed.
The table below shows an example of the data you will see when running the CLI in Lifecycle versus XC mode:
|CLI MODE||LANGUAGE||PROCESSING||DERIVED DATA||EXAMPLE REPORT|