Table of Contents


Lifecycle component analysis is supported in the following JetBrains IDEs:

Development EnvironmentJava Component AnalysisNode.js Component AnalysisPython Component Analysis
IDEA Ultimate(tick)(tick)
IDEA Ultimate + Python plugin(tick)(tick)(tick)
IDEA Community(tick)

IDEA Community + Python Community plugin(tick)
PyCharm Professional

PyCharm Community


Installing Nexus IQ for IDEA

IntelliJ IDEA is a fully-featured integrated development environment (IDE) used for Java development. WebStorm is an IDE for the JavaScript ecosystem.

Sonatype Nexus IQ plugin is available for download on the JetBrains marketplace or via the Sonatype Plugin Download Link.

IQ for IDEA supports installation via a zip file from disk. Installation is performed similarly to other plugins, using the Settings/Preferences dialog. Click on Plugins from the left-hand pane to expose the option to install the plugin from disk. From there, browse to the plugin zip file and select it.

Remember to restart your IDE before continuing to access the plugin.

Configuring Nexus IQ for IDEA

After the successful installation of IQ for IDEA, the plugin must be configured to connect to IQ Server. The configuration can be accessed via the Settings/Preferences dialog. Expanding Other Settings in the left-hand pane will reveal Nexus IQ. Click on Nexus IQ to set up the plugin for IQ Server.

  • Server URL: Enter the URL of your IQ Server
  • Authentication Method:
    • PKI Authentication: Delegate authentication to the JVM.
    • User Authentication: Enter the username and password your IQ Server Administrator has assigned you.

      You will be prompted for your Master Password (or to set up a Master Password) when saving the Preferences/Settings. This allows IDEA to store your IQ Server password securely.

Once the IQ Server information is provided, click Connect to verify the connection to IQ Server. If it works, select an application from the dropdown. The policies for the application will be used when evaluating your IDE project.

If Connect reports an HTTP error:

  • Check your HTTP Proxy Server configuration. If the IQ Server URL is for an internal hostname, the IQ server host may need to be added to the No proxy for the list of patterns.
  • Verify IQ Server request.log shows that your Connect requests have actually reached IQ Server. If they have, the IQ Server clm-server.log may contain more information.

Using the Component Info View 

The IQ for IDEA tool window can be accessed by clicking the Nexus IQ tab on the bottom tool strip of IDEA. If not accessible from there, it should also be available in View under Tool Windows.

Once configured and the component analysis is completed a component view will look similar to the example is shown in the image below. The list of components will reflect an analysis of the project’s dependencies. For Java projects that include all project libraries. For JavaScript projects, it includes all dependent Node modules. For Python projects, it includes all Python packages installed in the virtual environment associated with the project. For mixed projects, which could combine Java, JavaScript, and Python modules, the component list will contain a mix of Java, JavaScript and Python dependencies, if such dependencies are detected.

By default, all project dependencies are included in the component list. Scope filters can be applied to adjust which components are visible.

The following scopes are available:

  • for Java components: Compile, Test, Runtime, and Provided;
  • for JavaScript/Node components: Production, and Development;
  • for Python components: All (the IDE does not provide enough information to distinguish between production and development packages).

Right-clicking on any component will bring up a menu of actions. All components allow for the following actions: View Details and Find Usages. Maven-based Java components show an extra action: Open Maven POM.

  • View Details will open the details screen providing more context to the component.
  • Find Usages will bring up a list of every module the component is used in. Clicking on a module will bring up the location where the component is declared, which is either a Maven POM file or a package.json file.
  • Open Maven POM will open the Maven POM of the component selected.

Python Components

Many Python components come in several flavors. The same component, identified by name and version, can be built and packaged in several ways, having different sets of attributes and file extensions, and targeting different platforms. For instance, the same package can be found as a TGZ file for Linux and as a ZIP file for Windows. The content of those component flavors is sometimes different, so they could be exposed to different vulnerabilities. For that reason, the IQ for IDEA plugin will display all known flavors of a Python component in a separate side panel, so developers could check each of them individually.

Multi Language Projects

The Nexus IQ plugin for IntelliJ IDEA can detect and analyze components written in different programming languages, within a single project. The project should be organized to follow the JetBrains recommended project structure.

IntelliJ IDEA project structure consists of projects and modules. A project can contain source code, tests, libraries in use, build instructions, and configuration files. It may contain one or more modules. Each module is a collection of project files that serve a single purpose. If no modules are defined for the project, the project itself is considered as a module.

New Modules

At the time of new module creation, select a language e.g. Java and an optional build system e.g. Maven. IntelliJ IDEA will use this language selection to determine the specific features of the IDE that will be available for this module. This is a 1:1 association and works only for a single language.

Modules of existing projects 

When an existing project is imported into IntelliJ IDEA, the IDE detects all the modules it contains and assigns a language to each module. You can modify the module detection and structuring after import by navigating to File > Project Structure.

To maximize the results of Nexus IQ for IDEA component detection in multi-language projects, ensure that each module contains files specific to a single language.


A web application has Node.js frontend and a Maven/Java backend. The project should be organized into at least one Node.js module and at least one Maven/Java module. No module should contain both Java and JavaScript files.

As shown below, Nexus IQ for IDEA detects both Java and JavaScript components.

NOTE: IntelliJ IDEA associates only one language with a module, even if the module contains files of different languages. Nexus IQ for IDEA follows this language association and detects the components of that language only. For e.g. if IntelliJ IDEA has associated Java with a module that contains both Java and JavaScript files, then Nexus IQ for IDEA will detect Java components only.

Troubleshooting Load Components

Java Projects

In Maven or Gradle-based projects, when a project is first opened in the IDE, it is possible that it was not imported for the project type (maven or gradle). The symptom for this condition is an empty External Libraries folder in the Project view:

The project (i.e. its manifest files) must be imported to get the list of External Libraries to appear. For Maven projects, locate the root pom.xml file, right-click, then select Maven → Reload project, or Add as Maven Project, depending on your version of IntelliJ IDEA.

NOTE: For Gradle projects locate the build.gradle file, right-click, then select Reload from disk.

This will convert the project to its proper type which will load the External Libraries:

Now, you can click on the Evaluate Components button and the analyzed components will load in the Nexus IQ Component View. The evaluation results will look something like this:

JavaScript Projects

JavaScript projects must be set up in the IDE as Node projects. This can be configured by navigating to File  Settings...  Language & Frameworks  Node.js and NPM. The paths to the Node interpreter and the package manager must be valid (see below).

Python Projects

The Nexus IQ plugin for IntelliJ IDEA will only scan and evaluate the Python packages associated with projects or modules that are configured in IDEA or PyCharm. Packages associated with projects or modules that are not configured in the IDE will not be detected.

To troubleshoot Python projects, check if:

  1. Python is installed locally on your machine.
  2. Python uses one of the following virtual environments:
    1. virtualenv - more details at:;
    2. Pipenv environment - more details at:;
    3. Poetry environment - more details at:
  3. Your Python project or module is configured in IDEA/PyCharm. The plugin does not perform manifest based file detection.

Migrating to Different Component Versions 

For Java projects, this feature relies on the project being Maven-based. For JavaScript projects, this feature expects that the project is properly set up in the IDE as a Node project and that a package manager is available (i.e. npm, yarn, or pnpm)

If you determine that a component upgrade is required to avoid a security or license issue or a policy violation, after reviewing your component usage, IQ for IDEA can be used to assist you in the necessary refactoring.

The first step to start the migration is to select a newer version for the component in the visualization chart, or by selecting the recommended version. An example is displayed in the image below:

Once you have selected a different version than the one currently used, the Migrate to Selected button will become active. Pressing the button completes the migration from the current component version to the selected component version, by updating the component version in the relevant manifest files.

For Maven-based Java projects, the migration process is able to detect circumstances such as the component being a transitive dependency or versions managed in a property. For JavaScript projects, only direct dependencies can be migrated.

After the migration is completed, the component list will be updated and a component scan will be initiated. You should perform a full build, as well as a thorough test, to determine that you can proceed with the new version in your development.

Typically, smaller version changes will have a higher chance of working without any major refactorings, or adaptations, of your codebase and projects, while larger version changes potentially give you more new features or bug fixes.

Your release cycle, customer demands, productions issues, and other influencing factors will determine your version upgrade choices. You might decide on a multi-step approach, where you do a small version upgrade immediately to resolve current issues and then work on the larger upgrade subsequently to get the benefits of using a newer version. Or, you might be okay with doing an upgrade to the latest available version straight away. Potentially, a combination of approaches in different branches of your source code management system is used to figure out the best way of going forward with the upgrade.

IQ for IDEA and other tools of the IQ Server suite can assist you through the process of upgrading, as well as monitoring, the applications after upgrade completion.

Code Inspections 

Starting with the version 4.3.0 of the plugin, custom code inspections are provided for pom.xml and package.json files. If a component, declared in those files, has critical, severe or moderate policy violations, it gets a code inspection maker attached to it, describing the severity of the violation and providing a link to its corresponding entry in the Component Info view.

Upgrading to IntelliJ IDEA 2020.2 and above 

If you are upgrading to IntelliJ IDEA 2020.2.x and above from IntelliJ IDEA 2020.1.x and below, you will need to install the new Nexus IQ IDEA Plugin version 3.x or above. If you had the Nexus IQ IDEA Plugin 2.x installed on IntelliJ IDEA 2020.1.x and below the Nexus IQ IDEA Plugin 2.x plugin will not be automatically updated or installed when you upgrade to IntelliJ IDEA 2020.2.x and above. Instead, you will need to install the Nexus IQ IDEA Plugin 3.x from the JetBrains marketplace (recommended) or from the Sonatype download site.

You might see a message like this when you start the IntelliJ IDEA 2020.2.x upgrade: