Nexus Lifecycle Quick Start
Use this guide to get IQ Server up and running for the purpose of trying out associated Sonatype Lifecycle or Lifecycle Foundation functionality before installing these solutions in your development environment.
Installing and Starting the IQ Server
Installing the IQ Server is done in a few easy steps - pick a location, download the archived server, and unpack the contents. Since we’re not focused on mimicking a production experience, most laptop and desktop configurations should run IQ Server with no problem. If you are looking to plan for the future, be sure to review the Installation Requirements.
Remember, you'll need Java versions 8 or 11 in order to run IQ Server!
Both Sonatype Lifecycle and Lifecycle Foundation require a license to experience the functionality described in this guide. If you are looking to try or purchase Sonatype Lifecycle, contact us and we’ll be happy to assist.
- Create an installation directory in your desired location.
- Download the latest version of IQ Server to the installation directory.
- If you want to install IQ Server with Docker, go to Docker hub and download the image.
- Extract the
- Using a command line interface, switch to the nexus-iq-serverbundle directory in your installation directory, e.g.
- Run one of the following commands to start IQ Server:
- Linux or Mac:
- Open IQ Server in a browser using the default URL:
- Log in using the default Administrator account:
- Username: admin
- Password: admin123
- Install the required Lifecycle license.
- Change your password using the Admin menu.
NOTE: IQ Server needs access to an external data service to perform evaluations, which may be blocked in your internal environment. For a workaround, see Running IQ Server Behind an HTTP Proxy Server.
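As an added example (not part of Sonatype's guide or tooling), the following POSIX shell script performs the pre-flight checks the steps above imply before starting a trial server: it confirms the Java on your PATH is version 8 or 11, locates the server jar in the extracted bundle, and starts the server. It assumes the bundle was extracted under $IQ_HOME, that the bundle holds nexus-iq-server-<version>.jar and config.yml, and that the server is launched as `java -jar <jar> server config.yml`; the version banners in the comments are constructed samples.

```shell
#!/bin/sh
# Pre-flight check and start helper for a trial IQ Server install.
# Assumptions (not from the guide): the bundle is extracted into $IQ_HOME,
# which holds nexus-iq-server-<version>.jar and config.yml, and the server
# is launched as `java -jar <jar> server config.yml`.

IQ_HOME="${IQ_HOME:-$HOME/nexus-iq-server}"   # assumed install directory

# Print the Java major version found in a `java -version` banner.
# Handles the legacy form (openjdk version "1.8.0_292" -> 8) and the
# modern form (openjdk version "11.0.12" -> 11). Sample banners are constructed.
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# Succeed only for the Java majors the guide requires (8 or 11).
java_supported() {
    case "$(java_major_version "$1")" in
        8|11) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print the path of the server jar inside the bundle directory, or fail.
find_server_jar() {
    for jar in "$1"/nexus-iq-server-*.jar; do
        if [ -f "$jar" ]; then printf '%s\n' "$jar"; return 0; fi
    done
    return 1
}

# Run the checks, then start the server in the foreground.
start_iq_server() {
    banner=$(java -version 2>&1) || { echo "java not found on PATH" >&2; return 1; }
    java_supported "$banner" || { echo "IQ Server needs Java 8 or 11, got: $banner" >&2; return 1; }
    jar=$(find_server_jar "$IQ_HOME") || { echo "no nexus-iq-server-*.jar in $IQ_HOME" >&2; return 1; }
    cd "$IQ_HOME" && exec java -jar "$jar" server config.yml
}

# Only start when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "start" ]; then start_iq_server; fi
```

Run it as `sh start-iq.sh start` from any directory once IQ_HOME points at the extracted bundle.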
After you install and start the IQ Server, you are ready to evaluate applications. We offer several ways to evaluate applications, for example via our CLI, or one of our many other integrations. For this example, we’ll be evaluating an application through the User Interface (UI). Doing so will transfer the bits to your IQ Server. If you are working on a slower connection, or over a VPN, this means longer analysis times.
If you need a sample application, download the WebGoat project at https://github.com/WebGoat/WebGoat/releases.
For this guide, we suggest using the provided ‘sandbox’ organization and application populated with sample data to get started learning the concepts.
To evaluate an application:
- Click Organization & Policies from the side toolbar, then select the sandbox organization and the sandbox application from the sidebar. The file you evaluate is associated with this application.
- Go to the Actions menu, and click Evaluate a File.
In the Evaluate a File dialog:
- Click Choose File or Browse, select the file to evaluate, and click Open.
- Select any stage to associate with the evaluation, for example Build.
- Click No to prevent sending notifications of policy violations as defined in the policy’s configuration settings.
- Click Upload to begin evaluating the selected application.
When the evaluation is complete, click View Report to open the Application Composition Report for the evaluated application.
The results of an evaluation are displayed in the Application Composition Report, which you can also open at any time by selecting Reporting from the top toolbar.
The Application Composition Report is made up of several sections:
- The Summary section is at the top of the main content area. It shows you the report title, date, and high-level statistics on violation counts, identified component counts, and grandfathered violation counts.
- The Policy Violations table shows a list of all components found during the scan of the application, with components ordered by worst policy violation. You can sort the table by threat level, policy name, and component name, and filter via the policy name and the component name.
- The Filter sidebar is displayed to the left of the Summary and the Policy Violations table. It includes controls for violation aggregation and lets you filter by proprietary component, component match state, violation state, policy type, and policy threat level.
- The Vulnerabilities List can be accessed via the Options menu. This shows you an overview of all the security vulnerabilities that triggered policy violations. Detailed information on a given vulnerability can be accessed by clicking the vulnerability ID, which links to the corresponding Vulnerability Lookup page.
Investigating and Remediating Violations
In the Application Composition Report, you can drill down to learn specific details about a violation. From the Policy Violations table, click an individual component to open the Component Details Page.
To get you started using the Component Details Page, take a look at these sections:
- Component Info - In the graph, move the vertical bar to learn the differences between versions of a component.
- Policy - Click the Waive button to force IQ Server to ignore a policy violation.
- Licenses - Track your research about a particular license and even override one.
- Vulnerabilities - Click the Info icon for a thorough explanation of a component’s vulnerability and a recommended action.
When investigation is complete, it’s time to begin remediation. In general, policy resolution can be achieved by completing one of the following tasks:
- Upgrade to a non-vulnerable version of the same component. This option is recommended first because it is generally the easiest path to resolving the violation and reducing your risk.
- Select a new component that does not contain the violation. If you’re not able to upgrade your component, the next step is to select a similar component without the violation. This option involves research, because you’re looking for a replacement component that provides the same functionality while ensuring it’s not exploitable.
- Request a waiver for the policy violation. If you can’t upgrade or migrate, the next option is to request a waiver. Send a waiver request to the Project Owner with enough information for a determination to be made. Applying a waiver assumes a certain amount of technical debt, and does not fix the violation. Because of this, it should be used judiciously.