Year In Review
Overview
Year in Review offers intuitive graphical representations of the state of the Software Supply Chain for your organization. It unlocks trends and patterns by comparing your usage of Nexus IQ Server with the rest of the industry, over the past year. It provides customized actionable suggestions, based on the analysis of your Nexus IQ Server usage.
Vulnerability Profile
The vulnerability profile shows the total number of applications that were scanned and the number of vulnerabilities detected by the Nexus IQ Server during the year.
The number of applications affected by critical vulnerabilities determines the vulnerability profile of your DevOps pipeline. You can expedite efforts to remediate the critical vulnerabilities (CVSS scores >=8) shown in the pie chart.
Volume of Components Analyzed
The volume and variety (ecosystems) of components analyzed during the year indicate the thoroughness of the scans carried out by your installation of Nexus IQ Server. The industry comparison shows how your effort compares with that of your peers.
Upgrade Posture
Your upgrade posture is determined by analyzing the time taken to upgrade vulnerable components in your applications. Based on the timing and frequency of the upgrades you performed, your posture is categorized as one of the following:
Reactive: Indicates you respond to security incidents after they arise. This may result in unplanned work: identifying the occurrences of the vulnerabilities, understanding their severity, remediating them and restoring operations.
Suggested action for "reactive" posture: Upgrade immediately
Borderline: Indicates you spend a significant amount of time making upgrade decisions. This results in planned work within teams to implement the upgrade; however, delays could lead to unplanned work if a security incident arises in the meantime.
Suggested action for "borderline" posture: Speed up upgrade decisions
Proactive: Indicates you make the best upgrade choices before a security incident occurs. You follow a stable, planned, effort-efficient approach and are focused on quality outcomes.
Suggested action for "proactive" posture: No immediate action
Optimal: Indicates that you make quick, contextual and cost-effective decisions. This results in upgrading only when necessary and upgrading to component versions that minimize (but may not eliminate) breaking code changes, have a smooth migration path and are widely used by the open-source community.
Suggested action for "optimal" posture: Keep staying ahead of the curve!
Top Fixed CVEs
This shows the top 5 CVEs (Common Vulnerabilities and Exposures) that were addressed. Vulnerabilities include those publicly disclosed in the NVD (National Vulnerability Database) and those discovered by Sonatype. The heat map displayed in this section indicates the magnitude of the impact Nexus IQ Server has on securing your DevOps pipelines.
Technology Standardization
This displays the variety of programming languages, frameworks, databases, front-end tools, back-end tools, applications connected by APIs, platforms, etc. that are currently in use in your DevOps pipelines. The higher the diversity of the tech stack, the higher the security risk and the dependency-management and integration effort. The data presented here can be used to reduce these risks by standardizing your technology stack. A standardized technology stack is also conducive to more code reuse and collaboration across the different teams in your organization.
Data Sources Used:
Data displayed here reflects how this instance of Nexus IQ Server was used over the past year to secure your supply chain. We have used billions of data points from the Sonatype community and the open-source community to generate actionable insights on open-source industry trends and consumption patterns.
Assumptions and constraints for the data sets used in this analysis are listed below:
- Policy waivers are not considered.
- Vulnerabilities discovered and fixed on the same day are not included in the analysis, due to aggregation.
- Applications must have been evaluated at least 3 times, from the same instance of Nexus IQ Server, to be included in the analysis. This eliminates duplicate application counts caused by container scans.
- Vulnerabilities with a CVSS score >=8 are considered "critical" in the analysis.
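The following is an added example, not Sonatype's own code, showing how the constraints above shape the Vulnerability Profile counts: it applies the three-evaluation minimum, the same-day-fix exclusion, the "waivers are not considered" rule and the CVSS >=8 critical threshold to a small set of constructed findings. The Finding record, the application names and the CVE-0000-xxxx identifiers are constructed placeholders, not real data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

CRITICAL_CVSS = 8.0   # page rule: CVSS >= 8 is "critical"
MIN_EVALUATIONS = 3   # page rule: an application needs >= 3 evaluations to count


@dataclass(frozen=True)
class Finding:
    app: str               # application name (constructed)
    cve: str               # constructed placeholder id, not a real CVE
    cvss: float
    found: date
    fixed: Optional[date]  # None means the finding is still open
    waived: bool = False   # policy waiver on this finding


def vulnerability_profile(evaluations: Dict[str, int], findings: List[Finding]) -> Dict[str, int]:
    """Count applications scanned, vulnerabilities counted and applications
    with at least one critical vulnerability, under the Year in Review constraints."""
    counted_apps = {app for app, n in evaluations.items() if n >= MIN_EVALUATIONS}
    kept = []
    for f in findings:
        if f.app not in counted_apps:
            continue  # fewer than 3 evaluations (e.g. a one-off container scan): excluded
        if f.fixed is not None and f.fixed == f.found:
            continue  # discovered and fixed on the same day: lost to aggregation
        # waivers are not considered, so a waived finding still counts
        kept.append(f)
    critical_apps = {f.app for f in kept if f.cvss >= CRITICAL_CVSS}
    return {
        "applications_scanned": len(counted_apps),
        "vulnerabilities": len(kept),
        "applications_with_critical": len(critical_apps),
    }


# Constructed sample input: evaluation counts per application, and findings.
SAMPLE_EVALUATIONS = {"billing": 5, "web-portal": 3, "sidecar-image": 1}
SAMPLE_FINDINGS = [
    Finding("billing", "CVE-0000-0001", 9.8, date(2023, 2, 1), date(2023, 2, 10)),
    Finding("billing", "CVE-0000-0002", 5.3, date(2023, 3, 4), None),
    Finding("web-portal", "CVE-0000-0003", 8.1, date(2023, 5, 6), date(2023, 5, 6)),  # same-day fix
    Finding("web-portal", "CVE-0000-0004", 8.0, date(2023, 6, 7), None, waived=True),  # waived, still counts
    Finding("sidecar-image", "CVE-0000-0005", 9.1, date(2023, 7, 8), None),  # only 1 evaluation
]

if __name__ == "__main__":
    print(vulnerability_profile(SAMPLE_EVALUATIONS, SAMPLE_FINDINGS))
```

Note that the waived CVSS 8.0 finding pushes "web-portal" into the critical count, which is why a waiver-heavy estate can look worse in this report than in the policy view.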