
Lifecycle Quick Start

Use this guide to get IQ Server up and running for the purpose of trying out associated Sonatype Lifecycle or Lifecycle Foundation functionality before installing these solutions in your development environment.

Installing and Starting the IQ Server

Installing the IQ Server takes a few steps - pick a location, download the archived server, and unpack the contents. This guide does not try to mimic a production deployment, so most laptop and desktop configurations will run IQ Server without problems; treat the resulting instance as a throwaway evaluation server and keep it off networks where others can reach it. If you are planning for the future, review the Installation Requirements.

Note

Remember, you'll need Java 8 or 11 to run IQ Server!

Both Sonatype Lifecycle and Lifecycle Foundation require a license to experience the functionality described in this guide. If you are looking to try or purchase Sonatype Lifecycle, contact us and we’ll be happy to assist.

  1. Create an installation directory in your desired location.

  2. Download the latest version of IQ Server to the installation directory.

    • If you want to install IQ Server with Docker, go to Docker hub.

  3. Extract the tar.gz or .zip file.

  4. Using a command line interface, switch to the nexus-iq-server bundle directory in your installation directory e.g. nexus-iq-server-x.xx.x-xx-bundle.

  5. Run one of the following commands to start IQ Server:

    • Linux or Mac: ./demo.sh

    • Windows: demo.bat

  6. Open IQ Server in a browser using the default URL: http://localhost:8070

  7. Log in using the default Administrator account:

    • Username: admin

    • Password: admin123

  8. Install the required Lifecycle license.

  9. Change your password using the Admin menu. Do this before anything else: the default admin/admin123 credentials are publicly documented, and leaving them in place on any instance reachable by others hands over full administrative control of the server.

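The installation steps above, collected into one script, as an added example that is not part of the Sonatype documentation. It assumes the server archive has already been downloaded (the quick start gives no download URL, so the script takes the archive path as its first argument), that demo.sh runs the server in the foreground (so it is backgrounded here), that the server answers on the default URL http://localhost:8070, and that /api/v2/applications is an authenticated REST endpoint; those assumptions are marked in the comments. The final check complements step 9: it reports whether the documented default credentials still work, so you know the password change is still outstanding.

```shell
#!/bin/sh
# Added example: unattended version of the IQ Server quick-start steps.
# Not Sonatype's own script. Assumptions are marked "ASSUMED".

IQ_URL="${IQ_URL:-http://localhost:8070}"   # default URL from the quick start

# Extract the major version from the string printed by `java -version`,
# e.g. "1.8.0_292" -> 8, "11.0.12" -> 11, "17.0.1" -> 17.
java_major_from_version_string() {
    v=$1
    case "$v" in
        1.*) v=${v#1.} ;;       # legacy "1.8" style numbering
    esac
    printf '%s\n' "${v%%[._]*}"
}

# The quick start says IQ Server needs Java 8 or 11.
java_is_supported() {
    case "$1" in
        8|11) return 0 ;;
        *)    return 1 ;;
    esac
}

# Map the HTTP status of an authenticated API call made with the documented
# default credentials to a verdict. 200 means admin/admin123 still works and
# must be changed; 401 means the default password is no longer accepted.
default_credentials_verdict() {
    case "$1" in
        200) printf '%s\n' "UNSAFE: default admin/admin123 still accepted; change it now (Admin menu)" ;;
        401) printf '%s\n' "ok: default admin password no longer accepted" ;;
        *)   printf '%s\n' "unknown: server answered HTTP $1" ;;
    esac
}

# Poll until the server answers on IQ_URL or the timeout (seconds) expires.
wait_for_server() {
    timeout=${1:-120}
    while [ "$timeout" -gt 0 ]; do
        if curl -s -o /dev/null "$IQ_URL/"; then
            return 0
        fi
        sleep 2
        timeout=$((timeout - 2))
    done
    return 1
}

main() {
    archive=$1                              # downloaded nexus-iq-server bundle (.tar.gz)
    install_dir=${2:-"$HOME/iq-server"}     # step 1: installation directory

    # Check the Java requirement before touching anything else.
    raw=$(java -version 2>&1 | head -n 1 | sed 's/.*"\(.*\)".*/\1/')
    major=$(java_major_from_version_string "$raw")
    java_is_supported "$major" || { echo "Java 8 or 11 required, found: $raw" >&2; exit 1; }

    mkdir -p "$install_dir"
    tar -xzf "$archive" -C "$install_dir"   # step 3: extract the archive
    # Step 4: locate the bundle directory (nexus-iq-server-x.xx.x-xx-bundle).
    bundle_dir=$(find "$install_dir" -maxdepth 1 -type d -name 'nexus-iq-server-*-bundle' | head -n 1)
    [ -n "$bundle_dir" ] || { echo "bundle directory not found under $install_dir" >&2; exit 1; }

    # Step 5: start the server. ASSUMED: demo.sh runs in the foreground, so it
    # is backgrounded here with its output kept in a log file.
    ( cd "$bundle_dir" && nohup ./demo.sh >demo.log 2>&1 & )

    wait_for_server 120 || { echo "IQ Server did not come up on $IQ_URL" >&2; exit 1; }
    echo "IQ Server is up: $IQ_URL (steps 6-9 continue in the browser)"

    # Step 9 check: does the documented default password still work?
    # ASSUMED: /api/v2/applications is an authenticated REST endpoint.
    code=$(curl -s -o /dev/null -w '%{http_code}' -u admin:admin123 "$IQ_URL/api/v2/applications")
    default_credentials_verdict "$code"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh quickstart.sh /path/to/nexus-iq-server-bundle.tar.gz ~/iq-server`; re-run the final curl check after completing step 9 to confirm the verdict flips from UNSAFE to ok.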

Evaluating Applications

After you install and start the IQ Server, you are ready to evaluate applications. There are several ways to do this, for example via the CLI or one of the other integrations. This guide evaluates an application through the User Interface (UI), which uploads the application binary to your IQ Server; on a slow connection or over a VPN, expect longer analysis times.

If you need a sample application, download the WebGoat project at https://github.com/WebGoat/WebGoat/releases. WebGoat is a deliberately insecure application, which makes it a good candidate for seeing policy violations in a report.

For this guide, we suggest using the provided ‘sandbox’ organization and application populated with sample data to get started learning the concepts.

To evaluate an application:

  1. Click Organization & Policies from the side toolbar, then select the sandbox organization and the sandbox application from the sidebar. The file you evaluate is associated with this application.

  2. Go to the Actions menu, and click Evaluate a File.

  3. In the Evaluate a File dialog:

    • Click Choose File or Browse, select the file to evaluate, and click Open.

    • Select any stage to associate with the evaluation, for example, Build.

    • Click No to prevent sending notifications of policy violations as defined in the policy’s configuration settings.

    • Click Upload to begin evaluating the selected application.

When the evaluation is complete, click View Report to open the Application Composition Report for the evaluated application.

Reviewing Results

Once evaluated, the results of a binary evaluation are displayed in the Application Composition Report. You can also open the report later from Reports in the left navigation bar.


The Application Composition Report is made up of several sections:

  • The Summary section is at the top of the main content area. It shows you the report title, date, and high-level statistics on violation counts, identified component counts, and grandfathered violation counts.

  • The Policy Violations table shows a list of all components found during the scan of the application, with components ordered by worst policy violation. You can sort the table by threat level, policy name, and component name, and filter via the policy name and the component name.

  • The Filter button on the top right of the Summary and Policy Violations table allows you to customize your view by filtering on proprietary components, InnerSource components, component match state, violation state, dependency type, policy types and policy threat level. The Aggregate by component toggle switches between the aggregated and non-aggregated views.

  • The Vulnerabilities List can be accessed via the Options menu. This shows you an overview of all the security vulnerabilities that triggered policy violations. Detailed information on a given vulnerability can be accessed by clicking the vulnerability ID, which links to the corresponding Vulnerability Lookup page.

Investigating and Remediating Violations

In the Application Composition Report, you can drill down to learn specific details about a violation. From the Policy Violations table, click an individual component to open the Component Details Page.


To get you started using the Component Details Page, take a look at these sections:

  • Component Info - In the graph on the Overview tab, move the vertical bar to learn the differences between versions of a component.

  • Policy Violations - Click the View Existing Waivers button to check if this violation has been waived.

  • Security - Review all security violations and vulnerabilities found in the application composition report. You can customize the vulnerability details, view Applicable Waivers and add a new waiver (requires the appropriate permissions).

  • Legal - Track your research about a particular license, review obligations, and edit details like attribution summary, if using the Advanced Legal Pack.

  • Labels - View existing and available labels for this component. You can set policies based on the component label.

  • Audit Log - Click on this tab to review the changes that were logged for this component.

When an investigation is complete, it’s time to begin remediation. In general, policy resolution can be achieved by completing one of the following tasks:

  • Upgrade to a non-vulnerable version of the same component. This is the recommended option because it is generally the easiest path to resolving the violation and reducing your risk.

  • Select a new component that does not contain the violation. If you’re not able to upgrade your component, the next step is to select a similar component without the violation. This option involves research because you’re looking for a replacement component that provides the same functionality without the violation; evaluate the replacement against the same policies before adopting it.

  • Request a waiver for the policy violation. If you can’t upgrade or migrate, the next option is to request a waiver. Send a waiver request to the Project Owner with enough information for a determination to be made. Applying a waiver does not fix the violation; it accepts the risk and takes on a certain amount of technical debt. Because of this, waivers should be used judiciously and scoped as narrowly as possible.