Repository Health Check

What is Repository Health Check?

Repository Health Check (RHC) allows Nexus Repository users to identify open source security risks in proxy repositories at the earliest stages of their DevOps pipeline by providing the following key capabilities:

  1. A summary of components with security vulnerabilities categorized by severity.
  2. A count of license warnings per component categorized by severity.
  3. A detailed RHC report that identifies specific artifacts and threats (Pro only).

RHC is only available for proxy repositories in Go, Maven, npm, NuGet, PyPI, RubyGems, and Yum formats.

Using Repository Health Check

To use RHC, sign in as an administrator to your Nexus Repository instance and follow these steps:

1. Navigate to the Administration section by selecting the gear icon in the top bar on the user interface.

2. Under the Repository option in the left-hand menu, select Repositories to navigate to the repository management screen.

Figure: Manage repositories screen, showing a table with Name, Type, Format, Status, URL, Health Check, and IQ Policy Violations columns.

On this screen, you will see a table with a Health Check column. If an RHC has already been run on a repository, you will see two icons with numbers: the shield icon and its number show the number of security vulnerabilities identified; the ribbon icon and its number show the number of license warnings identified. If RHC is not enabled on a repository, you will see an Analyze button.

3. Select the Analyze button to enable RHC on a repository.

4. A dialogue box will appear and offer you the option to enable RHC on all supported repositories or on just the one you've selected. Select Yes, all repositories to enable RHC on every supported proxy repository, or Yes, only this repository to enable it on the selected repository alone. Select No if you wish to cancel.

5. An Analyzing... status will appear in the Health Check column as the scan runs.

The initial scan will take some time, and the resulting report will initially appear blank. Enabling RHC automatically creates and schedules a System - Repository Health Check task for each repository on which you have enabled RHC. This task runs every hour to see if it is time to return a new report; however, it will only return a new report every 24 hours regardless of how often you run the task. Manually running the task will not update the report.

6. Once the scan completes, hover over the Health Check column entry for a given repository to see the summary report.

For new repositories, the table will initially appear blank. As users download assets, data will gradually fill out the summary over time.

The report populates once every 24 hours. See the Age field in the summary to see how long it has been since the report populated.

This summary report displays the following information:

  • In the upper section, you will see the following:
    • A green donut chart showing how many components Nexus Repository recognizes.
    • The FOR field tells you for which repository this report was run.
    • The ON field tells you exactly when the check was run.
    • The AGE field tells you the data's age.
  • In the main Issue Summary section, you will see the following:
    • Security Vulnerabilities column displays a count of the components with critical (7-10), severe (4-6), and moderate (1-3) vulnerabilities. The scoring is standardized on a 1-10 scale based on the Common Vulnerability Scoring System (CVSS) version 2; if a component has multiple vulnerabilities, only the highest will be included in this count.
    • License Warnings column displays a count of the components with the following license warnings:
      • Copyleft - Component with a copyleft license (e.g., GPL).
      • Non-Standard - Component with a license Nexus Repository does not recognize.
      • Not Provided - Project did not declare a license.
      • Weak Copyleft - Similar to copyleft; however, not all derived works inherit the copyleft license.
      • Liberal - Component using a license with little limitation.
  • We also provide additional information about our Nexus Firewall product.

Detailed Repository Health Check Report

If you're running Nexus Repository Pro, select the View Detailed Report button to access the detailed RHC report (Pro only).

When you initially load the report, it will show the Artifacts view.

Figure: Detailed report. The top section shows 354 identified artifacts and no non-identified artifacts, 840 security alerts and 84 license alerts. The next section shows the Security Vulnerability Summary (critical count in red, severe in orange, moderate in yellow) and the License Analysis Summary (copyleft in red, non-standard and not provided in orange, weak copyleft in yellow, liberal in blue), with the same breakdown drawn as a pie chart in matching colors. Below this is the detailed list with View By Artifacts selected: a table with License Threat, Declared License, Observed Licenses in Source, Group, Artifact, Version, and Security Issues columns.

When View By Artifacts is selected, the detailed report shows the same information as the summary along with a table displaying the following additional data:

  • License Threat - Highlights the license with the highest potential risk for a given component.
  • Declared License - The licenses provided by the publishing project.
  • Observed Licenses in Source - Licenses Sonatype services identified through source analysis for supported formats.
  • Group - The publishing group, i.e., the package namespace (for example, the Maven groupId or the npm scope).
  • Artifact - The artifact name.
  • Version - The artifact version.
  • Security Issues - Highlights the severity and number of known security vulnerabilities; severity (based on the CVSS) is indicated via color (red = critical (7-10); orange = severe (4-6); yellow = moderate (1-3)) while number is indicated by the number of triangle icons in the column.

From the View By drop-down menu, you can also select the Vulnerabilities option.

From this view, the detailed report shows the following information:

  • Threat Level - Highlights the CVSS base score for each listed vulnerability.
  • Problem Code - Provides a link to Common Vulnerabilities and Exposures (CVE) ID and description.
  • Group - The publishing group, i.e., the package namespace (for example, the Maven groupId or the npm scope).
  • Artifact - The artifact name.
  • Version - The artifact version.

Resolving Certificate Errors and the Health Check: Configuration Capability

The RHC service works by performing calls to https://rhc-pro.sonatype.com or https://rhc.sonatype.com/ depending on whether you are running Nexus Repository Pro (licensed) or OSS. Network administrators should make sure their firewalls allow these URLs through. Occasionally, administrators run into certificate errors because they are using a firewall proxy server that rewrites the certificate, making it appear untrusted.

If you run into this issue, you can often resolve it by configuring outbound SSL, adding necessary certificates to the Nexus Repository trust store, and selecting the Use the Nexus truststore option when configuring the Health Check: Configuration capability.

This capability is automatically created if you select Yes, all repositories when enabling RHC on a repository. You can also manually configure this capability if you've selected Yes, only this repository instead.

To create this capability, take the following actions:

1. Navigate to Administration > System > Capabilities.

2. Select Create capability.

3. Select the Health Check: Configuration type.

4. The Enable this capability and Configure for all proxy repositories checkboxes are automatically selected; unselect the Configure for all proxy repositories if desired.

5. Select the Use the Nexus truststore checkbox to allow Nexus Repository to manage the SSL certificate of the remote repository; learn more in the Repository Management section. See Configuring SSL for more information on configuring outbound SSL.

6. Select Create capability.

To manage the existing capability, complete the following steps:

1. Navigate to Administration > System > Capabilities.

2. Select the Health Check: Configuration type from the Capabilities table. The summary view displays.

3. Select Settings.

4. Select the Use the Nexus truststore checkbox to allow Nexus Repository to manage the SSL certificate of the remote repository; learn more in the Repository Management section. See Configuring SSL for more information on configuring outbound SSL.

5. Select Save.

Disabling Repository Health Check

The best way to disable RHC is through the API.

To learn more, see our API documentation, which you can access via the Nexus Repository user interface under Administration > System > API.

Look for DELETE /v1/repositories/{repositoryName}/health-check in the Repository Management section.
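The following added example (not Sonatype's code) calls that endpoint for a list of proxy repositories and reports the HTTP status for each, so an operator can confirm RHC was actually turned off rather than silently rejected. Assumptions not stated on this page: the /service/rest prefix in front of the /v1 path, HTTP basic authentication with an administrator credential, and the base URL, credentials and repository names, which are constructed placeholders.

```python
# Added example (not Sonatype's code): disable RHC on a list of proxy
# repositories through DELETE /v1/repositories/{repositoryName}/health-check.
# Assumptions not on the page: the /service/rest prefix, HTTP basic auth,
# and the placeholder base URL, credentials and repository names.
import base64
import urllib.error
import urllib.parse
import urllib.request

REST_PREFIX = "/service/rest"  # assumed Nexus Repository REST base path


def health_check_url(base_url, repository_name):
    """URL of the health-check endpoint for one repository, with the name URL-encoded."""
    name = urllib.parse.quote(repository_name, safe="")
    return f"{base_url.rstrip('/')}{REST_PREFIX}/v1/repositories/{name}/health-check"


def build_disable_request(base_url, repository_name, username, password):
    """Build the DELETE request, authenticated with an HTTP basic credential."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(health_check_url(base_url, repository_name), method="DELETE")
    request.add_header("Authorization", f"Basic {token}")
    return request


def _send(request):
    """Default transport: perform the request and return the HTTP status code."""
    try:
        with urllib.request.urlopen(request) as response:
            return response.status
    except urllib.error.HTTPError as error:
        return error.code


def disable_health_check(base_url, repository_names, username, password, send=_send):
    """Disable RHC on each named repository; return {repository name: HTTP status}.

    `send` is injectable so the request construction can be checked without a
    server. A 2xx status means the health check was disabled; anything else
    (for example 401 or 403 on a credential or privilege problem) means it was not.
    """
    return {
        name: send(build_disable_request(base_url, name, username, password))
        for name in repository_names
    }


if __name__ == "__main__":
    # Placeholder values: replace with your instance URL, an administrator
    # credential and the proxy repositories on which RHC is enabled.
    outcome = disable_health_check(
        "http://nexus.example.internal:8081",
        ["maven-central", "npm-proxy"],
        "admin",
        "CHANGE-ME",
    )
    for repo, status in outcome.items():
        print(f"{repo}: {'disabled' if 200 <= status < 300 else f'HTTP {status}'}")
```

Repository names are URL-encoded before being placed in the path, and the status of every call is returned rather than just the last one, so a partial failure across several repositories is visible in the output.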