Lifecycle for Developers Quickstart
In this guide, we’ll go over what the Sonatype Lifecycle solution is and how it helps you select better components and build better software, faster. We’ll give you some great tips to get started integrating Lifecycle into your environment, helping you add component intelligence to your everyday workflow.
Build Better Applications with Sonatype Lifecycle
Sonatype Lifecycle acts as the brain for an organization implementing component lifecycle management. In Lifecycle, you’ll find a platform that provides functionality for managing policy, reviewing component and application information, and using our integrations to evaluate applications and repositories.
The Sonatype Platform helps you make informed decisions when selecting components for your projects. By making smart dependency choices up-front, you can focus on your own innovation and let the Sonatype Platform ensure that the elements of your software come from well-maintained, appropriately licensed, and security-conscious projects.
NOTE: The Advanced Development Pack (ADP) has been integrated into the general Lifecycle product. These changes are accessible with IQ Server version 100 and above. For users with IQ Server versions between 100 and 134, your admin may need to re-upload your organization’s existing Lifecycle license or restart the IQ Server to see these additional capabilities.
Sonatype Lifecycle’s developer features provide development teams with an automated, policy-based dependency management solution. This enables teams to take a more proactive approach to security in their products, resulting in less oversight from external teams and more confidence in their projects, all without losing the momentum of agile development. The enhanced features include:
- Recommendations for incompatible code with Breaking Changes
- Dependency insight with the Transitive Solver
- Suspicious package detection with Release Integrity
- Guidance on selecting quality components with Hygiene Ratings
These capabilities provide numerous benefits, including the following:
- Less rework and maintenance. A higher-quality selection of components means teams gain a better understanding of what fits organizational policy requirements.
- Ease of upgrading. Using Sonatype’s recommendations and single-click migrations will lead to a decreased level of effort when upgrading to the next best OSS component.
- Improved project quality. Your team will receive early warning of suspicious behavior in code and gain access to components from the best suppliers.
- Increased bandwidth. Less time spent researching quality OSS components means that teams will have more time to innovate.
Let’s take a look at each feature in more depth.
Breaking Changes is currently only available for the Maven ecosystem.
The Sonatype data service monitors Maven libraries for changes in class types, function/method parameters, return types, etc., and reports these as breaking changes. Selecting a component version that carries a breaking change may require you to change the application code to prevent failures.
This feature helps you understand if incompatible code is introduced in the upgrade path of a component. Knowing when incompatible code — or breaking changes — is introduced helps you determine if an upgrade path is a simple version upgrade or if more complex code changes are required.
When there are no breaking changes between two versions of a component, there should be little effect on the code of the application itself — you should be able to simply upgrade to the new version of the component and move on. These types of fixes can be prioritized over fixes that might require additional development work. Better yet, if there are no coding changes required, the fix can be automated. Knowing the level of effort that might be required to upgrade to a version that fixes the violation helps you properly prioritize and plan for the work to be done at the appropriate time.
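To make the triage described above concrete, here is an added example (not Sonatype's code or data) that diffs two API surfaces and separates breaking from additive changes. The `com.example.http` classes and their signatures are constructed stand-ins for what a breaking-change monitor would extract from two Maven artifacts; methods are keyed by name only, so overloads are not modelled.

```python
"""Classify API differences between two versions of a library.

Added example, not Sonatype's code or data: the API surfaces below are
constructed dictionaries standing in for the class and method signatures
that a breaking-change monitor would extract from two Maven artifacts.
Methods are keyed by name only, so overloads are not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# class -> method name -> (parameter types, return type)
Surface = Dict[str, Dict[str, Tuple[Tuple[str, ...], str]]]

# Constructed API surface of version 1.0 of a hypothetical com.example:http-client
API_V1: Surface = {
    "com.example.http.Client": {
        "get": (("String",), "Response"),
        "post": (("String", "byte[]"), "Response"),
        "close": ((), "void"),
    },
    "com.example.http.Response": {
        "body": ((), "String"),
        "status": ((), "int"),
    },
    "com.example.http.LegacyClient": {
        "fetch": (("String",), "String"),
    },
}

# Constructed 1.1: only additive, so a drop-in upgrade
API_V1_1: Surface = {
    **API_V1,
    "com.example.http.Client": {**API_V1["com.example.http.Client"], "head": (("String",), "Response")},
}

# Constructed 2.0: a parameter added, a return type changed, a class removed
API_V2: Surface = {
    "com.example.http.Client": {
        "get": (("String",), "Response"),
        "post": (("String", "byte[]", "Map"), "Response"),
        "close": ((), "void"),
        "head": (("String",), "Response"),
    },
    "com.example.http.Response": {
        "body": ((), "String"),
        "status": ((), "Integer"),
    },
}


@dataclass(frozen=True)
class Change:
    kind: str       # class_removed | method_removed | params_changed | return_changed | method_added
    member: str     # "pkg.Class" or "pkg.Class#method"
    breaking: bool  # True when existing callers may fail to compile or run


def diff_api(old: Surface, new: Surface) -> List[Change]:
    """List every difference between two API surfaces, marking which ones break callers."""
    changes: List[Change] = []
    for cls, methods in old.items():
        if cls not in new:
            changes.append(Change("class_removed", cls, True))
            continue
        for name, (params, ret) in methods.items():
            if name not in new[cls]:
                changes.append(Change("method_removed", f"{cls}#{name}", True))
                continue
            new_params, new_ret = new[cls][name]
            if params != new_params:
                changes.append(Change("params_changed", f"{cls}#{name}", True))
            if ret != new_ret:
                changes.append(Change("return_changed", f"{cls}#{name}", True))
    # Additions never break existing callers
    for cls, methods in new.items():
        for name in methods:
            if cls not in old or name not in old[cls]:
                changes.append(Change("method_added", f"{cls}#{name}", False))
    return changes


def breaking_changes(old: Surface, new: Surface) -> List[Change]:
    return [c for c in diff_api(old, new) if c.breaking]


def upgrade_effort(old: Surface, new: Surface) -> str:
    """Triage label for the upgrade path: an automatable bump, or work for a developer."""
    return "drop-in" if not breaking_changes(old, new) else "code changes required"


if __name__ == "__main__":
    for label, target in (("1.0 -> 1.1", API_V1_1), ("1.0 -> 2.0", API_V2)):
        print(label, upgrade_effort(API_V1, target))
        for c in breaking_changes(API_V1, target):
            print("  ", c.kind, c.member)
```

The `upgrade_effort` label is what feeds prioritisation: a "drop-in" path can be bumped automatically, while "code changes required" needs a developer's time in the plan.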
Accessible on the Component Details page, Transitive Solver is a set of recommendation strategies that provides insight into a component’s known dependencies. It shows you the link between a transitive and its direct dependency and then helps you quickly focus on what to fix first and how. By providing a recommendation for the direct dependency and its transitive(s), you can be more effective at mitigating risk within your application.
- Next version with no policy violations with dependencies: recommends the next version of the component that does not have transitive dependencies that cause violations.
- Next version that does not fail a build with dependencies: recommends the next version of a component that will not fail a build, taking its transitive dependencies into account.
The Transitive Solver currently works on components from the Maven ecosystem only.
If you experience challenges with seeing Transitive Solver recommendations, please refer to this Knowledge base article.
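The two strategies above can give different answers for the same component. The following added example (not Sonatype's Transitive Solver code or data) runs both over a constructed dependency graph for a hypothetical `org.example:web-core`, with constructed policy results in which some policies fail the build and others only warn; it also keeps each finding linked to the direct dependency that pulled the transitive in.

```python
"""Two dependency-aware recommendation strategies over a component's versions.

Added example, not Sonatype's Transitive Solver code or data: the dependency
graph and the policy evaluation results are constructed to show how
"next version with no policy violations with dependencies" and "next version
that does not fail a build with dependencies" can give different answers.
"""
from typing import Dict, List, Optional, Tuple

# Constructed graph: direct dependency -> version -> transitives it resolves ("group:artifact@version")
GRAPH: Dict[str, Dict[str, List[str]]] = {
    "org.example:web-core": {
        "1.2.0": ["org.example:json-util@2.0.1", "org.example:logging@1.4.0"],
        "1.2.1": ["org.example:json-util@2.0.2", "org.example:logging@1.4.0"],
        "1.3.0": ["org.example:json-util@2.1.0", "org.example:logging@1.5.0"],
        "1.4.0": ["org.example:json-util@2.1.0", "org.example:logging@1.6.0"],
    },
}

# Constructed policy results: coordinate -> [(policy name, threat level, action)]
# action "fail" means the policy is set to fail the build; "warn" means it is only reported.
Violation = Tuple[str, int, str]
VIOLATIONS: Dict[str, List[Violation]] = {
    "org.example:json-util@2.0.1": [("Security-Critical", 9, "fail")],
    "org.example:json-util@2.0.2": [("Security-Critical", 9, "fail")],
    "org.example:logging@1.5.0": [("Security-Medium", 5, "warn")],
}


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric ordering for dotted versions (the constructed data uses plain x.y.z)."""
    return tuple(int(part) for part in version.split("."))


def violations_for(component: str, version: str) -> Dict[str, List[Violation]]:
    """Violations on the direct dependency and on each transitive it pulls in, keyed by
    coordinate, so every finding stays linked to the direct dependency that brought it."""
    coordinates = [f"{component}@{version}"] + GRAPH[component][version]
    return {c: VIOLATIONS[c] for c in coordinates if VIOLATIONS.get(c)}


def newer_versions(component: str, current: str) -> List[str]:
    return sorted(
        (v for v in GRAPH[component] if version_key(v) > version_key(current)),
        key=version_key,
    )


def next_version_no_violations(component: str, current: str) -> Optional[str]:
    """Strategy 1: the next version whose own and transitive dependencies are all clean."""
    for v in newer_versions(component, current):
        if not violations_for(component, v):
            return v
    return None


def next_version_not_failing(component: str, current: str) -> Optional[str]:
    """Strategy 2: the next version carrying no build-failing violation; warnings are allowed."""
    for v in newer_versions(component, current):
        fails = any(
            action == "fail"
            for findings in violations_for(component, v).values()
            for _, _, action in findings
        )
        if not fails:
            return v
    return None


def recommend(component: str, current: str) -> Dict[str, object]:
    """What to fix first (blame) and the smallest and the cleanest upgrade that fixes it."""
    return {
        "blame": violations_for(component, current),
        "next_not_failing": next_version_not_failing(component, current),
        "next_clean": next_version_no_violations(component, current),
    }


if __name__ == "__main__":
    print(recommend("org.example:web-core", "1.2.0"))
```

For the constructed data, 1.2.0 is blamed on `json-util@2.0.1`; 1.3.0 is the first version that no longer fails the build (its `logging@1.5.0` only warns), while 1.4.0 is the first with no violations at all.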
The Release Integrity feature automatically detects risky component version releases by monitoring activity in the software supply chain, detecting suspicious behavior and flagging affected releases as such.
Sonatype uses machine learning automation to rapidly detect these suspicious releases at scale, letting us create an early-warning system for potentially harmful packages. This automation enhances our security research by providing a new feed of potentially malicious packages to research. This helps us protect our customers by enabling you to stop these components from infecting your development environments using Sonatype Firewall before it’s too late.
Component versions with detected abnormal behavior will be rated as “Suspicious” in red on the Component Details page.
Bad actors are attacking the software supply chain by injecting malicious code into, or hijacking, legitimate projects that you might be using today. When this happens, upgrading to a newer version of a compromised project might infect your applications or systems without you realizing anything changed.
Release Integrity can detect suspicious packages that use techniques designed to trick you into adding them to your applications such as Typosquatting. Users can write policy against the Integrity Rating of a component, allowing suspicious components to be blocked at the Sonatype Firewall and also brought to a developer’s attention in their Integrated Development Environment (IDE). Because Release Integrity can do this analysis quickly with machine learning automation, even the newest malicious package releases can be blocked early.
Health & Hygiene provides data to help ensure you are only using open source components from the best suppliers. This leads to an increase in the quality of your applications and reduces your risk of productivity loss. A supplier in this case is a project that produces the components that are consumed in your applications, such as Spring Framework or Log4j.
A Hygiene Rating is used to summarize the health of a supplier:
- Exemplary suppliers are those that exhibit behaviors we’ve identified as important to producing quality open source software (State of the Software Supply Chain Report, 2021) within their ecosystem.
- Laggards are the opposite end of this spectrum and should be avoided where possible.
- Neutral suppliers lack any significant positive or negative behaviors.
Sonatype Integrations for Developers
Integrating with Sonatype Lifecycle provides an easy way to add component intelligence to your development process and build better applications. Whether it’s viewing component information in your IDE, or adding evaluation results to your Jenkins builds, developers can use Lifecycle data to be more efficient at their jobs — without sacrificing speed and reliability.
The Sonatype Integrations team works hard to make sure developers have a great experience with Lifecycle. They want to make your job easier, and they’ve come up with some great integrations and plugins to help you do just that.
Sonatype Intelligence in your IDE
For developers, Sonatype Lifecycle IDE integrations are designed to work in an environment you’re familiar with. Immediate feedback on component quality, including architectural, licensing, and security information, is available right in your IDE, letting you make informed decisions about component selection.
This means you can proactively make changes and choose better components before any build warnings or failures. Our IDE integrations let you quickly vet components used in an application against your organization’s open-source policies, greatly reducing time wasted with complicated and exhaustive research. The graphic and information below provide an example of the data you’ll have access to with an IDE and Lifecycle integration:
- Component List. This is where you will see a list of components found in your project, identified by their artifact identifier and version number. The color indicator signals potential violations (red=severe, orange=medium, yellow=low, blue=none). Components with a darker font are direct dependencies included in your application. Components brought in via a transitive dependency are displayed with a lighter font.
- Recommended Versions. The recommended version is based on the availability of a newer version of the same component that does not violate any configured policies for the application. If such a version exists, a hyperlink is displayed with the suggested version. Clicking on the link selects the recommended version in the version graph and populates the version details with information about this version. For more information, see our help docs on IDE Recommended Versions.
- Version Graph. Shows various properties for the different available versions of the selected component. Older versions are displayed on the left and newer versions on the right. Arrows to the left and right of the graph let you view the full range of available versions. Click on any section in the graph, and all information for that particular version is displayed. For more information, see our help docs on the IDE Component Info View.
- Version Details. Displays details of the selected component and version. Details include: component identifiers (these differ depending on the language), version, overridden license, declared license, observed license, highest policy threat, highest security threat, age, identification source, and a link to the project website (if available). For more information, see our help docs on the IDE Version Details.
- View Details and Migrate buttons. The View Details button opens a dialog showing you a list of all the policies that have been violated by the component; the threat levels posed by the licenses declared for each component, as well as those that have been observed in the source code; and a list of security issues found. When you select a different, non-vulnerable version than the one currently used, the Migrate button becomes active. Pressing the button opens a dialog that assists you in the migration to the newer component.
View Evaluation Results in Source Control Management
Sonatype Lifecycle for Source Control Management (SCM) is a set of features that enables developers to get early insight into code changes. We do this by working in tandem with continuous integration (CI) to push policy information about an application’s components directly into SCM.
Sonatype Lifecycle for SCM has the following features:
- Automated commit feedback: Sonatype Lifecycle for SCM puts the information needed to quickly remediate vulnerabilities in software solutions at the fingertips of developers by pushing policy evaluation information into SCM commits and pull requests (PRs), where developers work.
- Automated pull requests: Sonatype Lifecycle for SCM will automatically create pull requests for policy violations on components that have an available version which remediates those violations.
- Pull request commenting: Sonatype Lifecycle for SCM adds a comment to pull requests for repositories configured for source control when the PR introduces a new policy violation.
To use Sonatype Lifecycle for SCM, first, configure Lifecycle to allow access to the company’s Source Control Management platform. For large organizations, we recommend enabling automatic source control which lets CI and CLI integrations configure application source control connections when running from a locally cloned repository (a common practice in CI systems).
Once configured, commits will immediately receive automated commit feedback.
Clicking the Details link or Status opens the Lifecycle Application Evaluation report. There, you’ll see the version of the component currently in use, along with its other vulnerable and non-vulnerable versions.
When Lifecycle for SCM is enabled and appropriately configured, applications will also start seeing automated pull requests for any new policy violations with suggested remediation.
Automatically Create Tickets with the Jira Plugin
The Sonatype Lifecycle Jira Plugin lets you automate the creation of Jira tickets for policy violations, allowing development teams to focus on application security. The plugin uses a Lifecycle webhook violation event to trigger ticket creation whenever new violations occur. When a violation is found, a Jira ticket is created for the linked application, with one ticket per component.
For programmers, this means that you can easily find and triage policy violations with a tool that you’re already using for story tracking and bug fixes.
Block Bad Components with Sonatype Firewall
Sonatype Firewall automatically quarantines components that violate policy, preventing quality issues from entering the software you’re developing. This process immediately reduces risk and avoids wasteful rework down the line.
Firewall works by providing Audit and Quarantine features that give you a way to protect your development environment from risky or undesirable components. When Audit is enabled, adding components to or removing them from a proxy repository causes your Repository Manager to contact IQ Server and evaluate the components within the proxy repository. If violations are found, they’re summarized in your Repository Manager and detailed in IQ Server.
For example, in Nexus Repository 3, the results of an audit are summarized in the IQ Policy Violations column of the Repositories view as shown in the image below.
Here, you’ll see (1) a count of components by their highest violation level, (2) a count of quarantined components, and (3) a link to Repository Results on IQ Server.
For more information, see our help docs on Lifecycle and Repository Management.
Evaluate Scan Results in your CI Server
Sonatype Lifecycle can analyze the components used in your software development for security and license characteristics. When integrated with a continuous integration server, it becomes a dynamic analysis performed on a regular basis, occurring potentially with each build running on the server.
The Sonatype Platform Plugin for Jenkins scans a build workspace for components, creates a summary file about all the components found, and then submits that file to Lifecycle for a detailed policy evaluation. A report is generated containing a detailed analysis of security and license information, and a summary of that report is sent back to the Jenkins server to be included in the build results. The link to the detailed evaluation report can be followed from the Jenkins UI.
Sonatype also has integrations with other CI servers, like Bamboo, Azure DevOps, and GitLab CI. All of our CI integrations perform a full security and license analysis, backed by Sonatype Lifecycle, of the artifacts produced by the configured build, and give you easy access to the application composition report.
For more information, please see our help documentation on Lifecycle and Continuous Integration.
Inspect Packages with the Chrome Extension
The Sonatype Lifecycle Chrome Extension lets you inspect a package before you download it. The extension requires a valid Sonatype Lifecycle license. Once it is installed in your Chrome browser, you can inspect packages from several package formats, including Maven, npm, NuGet, and PyPI, just to name a few.
With the Chrome Extension, you’ll have access to Lifecycle data like component info (format, package, version), security (severity, source, threat category, reference details), licensing (declared and observed), and most importantly, remediation (version history, recommended version).
For more information, please see the Sonatype Lifecycle Chrome Extension project on GitHub.
Scan Projects with our Community Tools
OSS Index provides comprehensive ecosystem support and makes it easy to get started incorporating security data into your favorite toolchain and workflow thanks to a growing list of community integrations. The following open-source scanning tools are available for analysis in your development environment:
- Nancy scans Golang projects for vulnerable third-party dependencies.
- Chelsea is a CLI application written in Ruby, designed to allow you to scan your RubyGem-powered projects and report on any vulnerabilities in your third-party dependencies.
- Jake is a tool to check for vulnerabilities in your Conda environments, powered by Sonatype OSS Index, that can also be used with Sonatype’s Lifecycle.
To learn more about how you can integrate open-source vulnerability information across your development toolchain with pre-built tools and applications, see our OSS Index Integrations page.
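For teams wiring OSS Index data into their own toolchain rather than using one of the tools listed, here is an added example (not Sonatype's or any of the listed tools' code) that turns a pinned Python requirements file into package-URL coordinates, batches them for the service, and summarizes a report into a build gate. The requirements text and the JSON report are constructed, with placeholder advisory identifiers; the request and response shape assumed here is that of the OSS Index v3 component-report API (a JSON body with a `coordinates` list; results carrying a `vulnerabilities` list with `cvssScore` values), so confirm the field names against the current API documentation before depending on them.

```python
"""Build OSS Index coordinates from a Python requirements file and read back a report.

Added example, not Sonatype's or any of the listed tools' code: the requirements
text and the JSON report below are constructed. The request and response shape
assumed here is that of the OSS Index v3 component-report API (POST a JSON body
with a "coordinates" list of package URLs; each result carries a
"vulnerabilities" list with "cvssScore" values); confirm field names against the
current API documentation before depending on them.
"""
import json
import re
import urllib.request
from typing import Dict, Iterator, List

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_COORDINATES_PER_REQUEST = 128  # batch limit assumed here

# Constructed requirements.txt with exact pins, as a lock step would produce.
REQUIREMENTS = """\
# web stack
Django==3.2.0
requests==2.25.1
PyYAML == 5.3.1
urllib3==1.26.5
somepkg>=1.0        # unpinned: cannot be looked up by version
"""

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")


def requirements_to_purls(text: str) -> List[str]:
    """Exact pins become pkg:pypi/<normalized-name>@<version>; anything else is skipped."""
    purls: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = _PIN.match(line) if line else None
        if not match:
            continue
        name = re.sub(r"[-_.]+", "-", match.group(1)).lower()
        purls.append(f"pkg:pypi/{name}@{match.group(2)}")
    return purls


def batches(items: List[str], size: int = MAX_COORDINATES_PER_REQUEST) -> Iterator[List[str]]:
    for start in range(0, len(items), size):
        yield items[start:start + size]


def build_request(purls: List[str]) -> Dict[str, List[str]]:
    return {"coordinates": list(purls)}


def fetch_report(purls: List[str], url: str = OSS_INDEX_URL) -> list:
    """Query the service batch by batch (network call; the offline parts below do not use it)."""
    results: list = []
    for batch in batches(purls):
        request = urllib.request.Request(
            url,
            data=json.dumps(build_request(batch)).encode(),
            headers={"Content-Type": "application/json", "Accept": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(request, timeout=30) as response:
            results.extend(json.load(response))
    return results


# Constructed report; identifiers are placeholders, not real advisories.
SAMPLE_REPORT = [
    {"coordinates": "pkg:pypi/django@3.2.0", "vulnerabilities": [
        {"id": "EXAMPLE-1", "displayName": "EXAMPLE-0001", "title": "constructed finding", "cvssScore": 7.5},
        {"id": "EXAMPLE-2", "displayName": "EXAMPLE-0002", "title": "constructed finding", "cvssScore": 9.8},
    ]},
    {"coordinates": "pkg:pypi/requests@2.25.1", "vulnerabilities": []},
    {"coordinates": "pkg:pypi/pyyaml@5.3.1", "vulnerabilities": [
        {"id": "EXAMPLE-3", "displayName": "EXAMPLE-0003", "title": "constructed finding", "cvssScore": 5.0},
    ]},
    {"coordinates": "pkg:pypi/urllib3@1.26.5", "vulnerabilities": []},
]


def summarize(report: list, fail_at: float = 7.0) -> Dict[str, dict]:
    """Per coordinate: finding count, highest CVSS score, and whether it crosses the failing threshold."""
    summary: Dict[str, dict] = {}
    for entry in report:
        vulns = entry.get("vulnerabilities", [])
        worst = max((float(v.get("cvssScore", 0)) for v in vulns), default=0.0)
        summary[entry["coordinates"]] = {"count": len(vulns), "max_cvss": worst, "fail": worst >= fail_at}
    return summary


def failing_coordinates(report: list, fail_at: float = 7.0) -> List[str]:
    """Coordinates a CI gate would stop the build on."""
    return sorted(c for c, s in summarize(report, fail_at).items() if s["fail"])


if __name__ == "__main__":
    purls = requirements_to_purls(REQUIREMENTS)
    print(json.dumps(build_request(purls)))
    for coordinate in failing_coordinates(SAMPLE_REPORT):
        print("FAIL", coordinate, summarize(SAMPLE_REPORT)[coordinate])
```

Only exact pins are looked up, since a range such as `somepkg>=1.0` does not name a version to check; resolving from a lockfile first gives the scan something precise to ask about.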
As you can see, Sonatype provides many ways to add component intelligence to your development workflow. As a first step, we recommend setting up your IDE integration. This will let you view component information and recommended versions, and even migrate to fixed versions, all in the environment you are already using.
We have IDE integrations with IDEA, Eclipse, and Visual Studio. Please check out our IDE integration help docs to get started.
Visit Using Sonatype Lifecycle in Your IDE and Dynamic Developers: Becoming the Strongest Link in Your Supply Chain for interactive courses about this topic.