Lifecycle XC

Overview

Lifecycle XC (Expanded Coverage) is a new capability of Nexus Lifecycle that utilizes OWASP dependency-check to provide basic coverage for additional languages. Dependency-check is an open-source project used to scan applications and identify the use of known, vulnerable components. The focus of Lifecycle XC is not on being precise, but on leveraging a community project that lets us add basic coverage for a breadth of languages.

Nexus Lifecycle currently has advanced component intelligence for Java, JavaScript, and NuGet / .NET. The addition of Lifecycle XC brings basic-level intelligence to languages and package ecosystems such as Ruby, Swift, CocoaPods, and PHP.

Lifecycle XC is supported in IQ Server versions 1.35 and newer.

What Does it Do?

Lifecycle XC provides basic coverage, including reporting vulnerabilities from the National Vulnerability Database (NVD), on languages we have not previously supported. Integrating dependency-check evidence collection allows us to quickly add languages as the community develops them, and provide a bill of materials for identified components and vulnerability data.

Lifecycle XC Does:
  • Provide basic security data for vendor, product, and version (NVD only).

Lifecycle XC Does Not:
  • Include Sonatype enhanced vulnerability information.
  • Perform policy evaluation.
  • Distinguish between external, proprietary, similar, and internally identified or claimed components.
  • Automatically analyze any dependencies.
  • Display available license information for any components.
  • Provide information via Webhooks or REST APIs.

How Does it Work?

The CLI for IQ Server provides the option to run in either normal (Lifecycle) mode or XC mode. The two modes are mutually exclusive: a single CLI invocation runs in one mode or the other. Data collection for identification and vulnerability correlation is provided by the dependency-check analyzers. The results come from unverified public sources and do not include any Sonatype enriched information. Policy evaluation is disabled due to the uncertainty of identification, the quality of the vulnerability information, and the lack of the additional data that policies use (e.g. license, popularity). Instead, XC results should be viewed as a bill of materials showing the components identified and the public vulnerability data for them.

Lifecycle XC (dependency-check) does not resolve dependencies: it only examines the files already present in the scan target. As a workaround, resolve the dependencies with the ecosystem's own package manager first, extract them into a directory, and point the XC scan at that directory.

Use the following parameter in the CLI to run an XC scan:

-xc, --expanded-coverage

For an example XC evaluation, please see the Nexus IQ CLI topic.
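As an added illustration of the workflow above (not code from the Sonatype documentation or the IQ CLI itself), the POSIX shell script below stages a PHP project's dependencies with Composer, refuses to scan if the vendor tree is empty (dependency-check only sees files that are present, so an unstaged project yields an empty bill of materials rather than an error), and builds the IQ CLI command line in XC mode. The jar name, server URL, application ID, and the -s/-i/-a/-t flags are assumptions taken from the Nexus IQ CLI documentation rather than from this page; only -xc/--expanded-coverage comes from the text above.

```shell
#!/bin/sh
# Added example, not part of the Sonatype docs. Stage a PHP project's
# dependencies for a Lifecycle XC scan, then build the IQ CLI command line.
# Assumptions: composer is on PATH; the IQ CLI flags -s (server), -i (app id),
# -a (user:password) and -t (stage) follow the Nexus IQ CLI documentation;
# the jar name, server URL and application ID below are placeholders.

set -eu

# Return 0 if the directory holds at least one regular file to fingerprint,
# 1 otherwise. dependency-check does not resolve dependencies, so an empty
# vendor tree silently produces an empty BOM; catch that before scanning.
staged_deps_present() {
  dir="$1"
  [ -d "$dir" ] || return 1
  # find prints the first regular file and head stops it; any output means non-empty
  [ -n "$(find "$dir" -type f -print 2>/dev/null | head -n 1)" ]
}

# Compose the IQ CLI command line for XC mode. Printed rather than executed so
# it can be inspected (and tested) without a running IQ Server. IQ_AUTH is
# expected to hold user:password at eval time (assumed -a syntax).
build_xc_command() {
  cli_jar="$1"; server="$2"; app_id="$3"; target="$4"
  printf 'java -jar %s -s %s -i %s -a "$IQ_AUTH" -t build --expanded-coverage %s\n' \
    "$cli_jar" "$server" "$app_id" "$target"
}

# Stage dependencies for a PHP project: composer writes them under vendor/.
# Returns non-zero if nothing was vendored (e.g. empty composer.json).
stage_php_deps() {
  project="$1"
  (cd "$project" && composer install --no-dev --no-interaction --quiet)
  staged_deps_present "$project/vendor"
}

# Usage: sh xc-scan.sh run /path/to/php-project
if [ "${1:-}" = "run" ]; then
  project="${2:-.}"
  stage_php_deps "$project" || {
    echo "no vendored dependencies found under $project/vendor; nothing to scan" >&2
    exit 1
  }
  cmd=$(build_xc_command nexus-iq-cli.jar http://iq.example.internal:8070 my-php-app "$project")
  echo "$cmd"
  # eval "$cmd"   # uncomment to actually submit the XC evaluation
fi
```

The scan target is the whole project directory, so the vendored tree and the application's own sources are fingerprinted together; if you only want third-party components reported, pass the vendor directory itself as the last argument.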

What Data Will I See?

When running the CLI in Lifecycle mode, you will continue to see enriched data and detailed reporting in the IQ Server for covered languages. When running the CLI in XC mode, you will see security data in an XC-branded report inside the IQ Server user interface. Lifecycle XC shows only basic coverage information, regardless of whether the language or components being analyzed also have advanced support in Lifecycle mode.

The table below shows an example of the data you will see when running the CLI in Lifecycle versus XC mode: 

CLI MODE   LANGUAGE   PROCESSING                                       DERIVED DATA
XC         PHP        • Basic name-based matching                      • Name
                      • Vendor, product, and version evidence          • CVE severity and CVE identifier
                        collection
Lifecycle  Java       • Precise fingerprint component matching         • Identity
                      • License analysis                               • License data / metadata
                      • Sonatype-enriched license research             • Vulnerability data / metadata
                      • Sonatype-enriched vulnerability research       • Versions
                                                                       • Popularity

(The EXAMPLE REPORT column of the original table held a screenshot of each report and is not reproduced here.)