Sonatype Nexus — Beyond Repository Manager
Many of us know Nexus as a repository manager, but Sonatype has recently evolved the Nexus Platform to give developers control across the full software development lifecycle. Here are the products I had an opportunity to explore.
Nexus Repository
It is an artifact repository which supports many different artifact formats, including Docker, Maven, npm, NuGet etc. It also supports generic formats such as zip files through raw repositories.
OSS vs Pro
OSS is the free/open source version of Nexus Repository, whereas the Pro version offers additional features such as SAML/SSO authentication, enterprise support, dynamic storage, custom metadata and many more. A full list of Pro features compared to OSS can be found here: https://www.sonatype.com/products/repository-oss-vs-pro-features
Equivalent Tools
- JFrog Artifactory
Nexus IQ Server
Nexus IQ Server is a policy engine powered by precise intelligence on open source components.
Sonatype creates its data using a proprietary, automated vulnerability detection system that monitors, aggregates, correlates, and applies machine learning to publicly available information such as the National Vulnerability Database (NVD), OWASP, OSS Index and many more.
Sonatype uses a combination of automated identification and human research to eliminate false positives and false negatives.
Nexus Lifecycle and Nexus Firewall are powered by Nexus IQ Server.
Nexus Lifecycle
Lifecycle is the open source component security and dependency management tool which continuously monitors your software and helps identify vulnerabilities and licenses at every stage of development.
The policy enforcement is configurable at Root Organization level or Individual Organization level (Projects) or Individual Application level. The policy enforcement is also configurable at various stages of your software development lifecycle, which Sonatype categorise as proxy, develop, source, build, stage, release and operate stages.
Policy violation actions (No Action, Warn, Fail) can be set to fail the pipelines at specific stages.
Applications can be categorised as Distributed, Hosted, Internal or even custom categories, and policies can be configured differently for each application category based on its security requirements.
Beyond Day 0, with the continuous monitoring feature enabled, Lifecycle re-scans the components identified in the configured stage on a daily basis and notifies you of any new vulnerabilities that come up. With continuous monitoring, vulnerability scanning is performed outside of the DevOps pipeline on a regular basis for components already in production.
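To make the enforcement model above concrete, here is an added illustrative example (not Sonatype code, and not the IQ Server API) of how policies inherited down a Root Organization / Organization / Application tree, scoped to application categories and carrying a per-stage action of No Action, Warn or Fail, decide whether a pipeline stage passes. The policy names, stage names, component identifiers and CVSS scores are constructed for the example; the `continuous_monitoring` function models a Day-N re-scan where previously clean components gain new vulnerability data.

```python
"""Illustrative model of stage-based policy enforcement (constructed example, not Sonatype code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set

# Stages as named in the Lifecycle description; a policy can act differently in each.
STAGES = ["proxy", "develop", "source", "build", "stage", "release", "operate"]


class Action(Enum):
    NO_ACTION = "No Action"   # record the violation only
    WARN = "Warn"             # surface it, but let the stage pass
    FAIL = "Fail"             # break the pipeline at this stage


@dataclass
class Policy:
    name: str
    min_severity: float                     # CVSS score at or above which the policy matches
    actions: Dict[str, Action]              # action per stage; an unlisted stage means No Action
    categories: Optional[Set[str]] = None   # None means the policy applies to every app category


@dataclass
class Component:
    purl: str          # package URL of the dependency (constructed values below)
    max_cvss: float    # worst known vulnerability score for this component


@dataclass
class Scope:
    """A node in the Root Organization -> Organization -> Application tree."""
    name: str
    policies: List[Policy] = field(default_factory=list)
    parent: Optional["Scope"] = None
    category: Optional[str] = None   # only meaningful on application nodes

    def effective_policies(self) -> List[Policy]:
        """Policies inherit downwards: root policies first, then org, then app."""
        chain: List[Policy] = []
        node: Optional[Scope] = self
        while node is not None:
            chain = node.policies + chain
            node = node.parent
        return chain


@dataclass
class Violation:
    policy: str
    component: str
    action: Action


def evaluate(app: Scope, stage: str, components: List[Component]) -> List[Violation]:
    """Return every policy violation for the given components at the given stage."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    violations: List[Violation] = []
    for policy in app.effective_policies():
        # Category-scoped policies are skipped for applications outside that category.
        if policy.categories is not None and app.category not in policy.categories:
            continue
        action = policy.actions.get(stage, Action.NO_ACTION)
        for comp in components:
            if comp.max_cvss >= policy.min_severity:
                violations.append(Violation(policy.name, comp.purl, action))
    return violations


def pipeline_should_fail(violations: List[Violation]) -> bool:
    """Only a Fail action breaks the stage; Warn and No Action let it continue."""
    return any(v.action is Action.FAIL for v in violations)


def continuous_monitoring(app: Scope, stage: str, components: List[Component],
                          updated_scores: Dict[str, float]) -> List[Violation]:
    """Day-N re-scan: return violations that did not exist before the vulnerability data changed."""
    refreshed = [Component(c.purl, updated_scores.get(c.purl, c.max_cvss)) for c in components]
    already_flagged = {v.component for v in evaluate(app, stage, components)}
    return [v for v in evaluate(app, stage, refreshed) if v.component not in already_flagged]


# Constructed sample hierarchy: one root-level policy, one org-level policy limited
# to Distributed applications, and two applications of different categories.
ROOT = Scope("Root Organization", policies=[
    Policy("Security-Critical", 9.0,
           {"develop": Action.WARN, "build": Action.FAIL, "stage": Action.FAIL, "release": Action.FAIL}),
])
ORG = Scope("Payments", parent=ROOT, policies=[
    Policy("Security-High-Distributed", 7.0, {"release": Action.FAIL}, categories={"Distributed"}),
])
CHECKOUT = Scope("checkout-service", parent=ORG, category="Distributed")
INTERNAL_TOOL = Scope("ops-dashboard", parent=ORG, category="Internal")

# Constructed component inventory with made-up scores.
SAMPLE = [
    Component("pkg:maven/org.example/lib-a@1.0", 7.5),
    Component("pkg:npm/example-util@2.3.0", 3.1),
]

if __name__ == "__main__":
    for stage in ("build", "release"):
        found = evaluate(CHECKOUT, stage, SAMPLE)
        print(stage, "fail" if pipeline_should_fail(found) else "pass", [(v.policy, v.action.value) for v in found])
```

Evaluating the same components at `build` and `release` shows the stage-specific behaviour: the high-severity component is recorded at `build` with No Action but breaks the pipeline at `release`, while the Internal application is unaffected because the org policy is scoped to the Distributed category.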
With a Lifecycle license:
- The scan tool can be integrated into the IDE
- The scan reports can be viewed and downloaded through the IQ Server UI or through APIs
Equivalent Tools:
- Snyk Open Source
- JFrog X-Ray
- Dependabot
Nexus Firewall
Firewall gives you the ability to block vulnerable open source packages and their dependencies from entering your code (IDE), proxy repositories or DevOps pipelines.
With a Firewall license:
- The scan reports can be viewed through the IQ Server UI but cannot be downloaded.
Nexus Container
Scans for open source vulnerabilities in the application components found in each layer of a Docker image.
Note that it does not scan OS-level components. (Clair, which is open source, scans containers at the OS level.)
Equivalent Tools:
- Snyk Container
Sonatype Lift
Code analysis tool focused on code quality.
The free version is limited to public repositories.
The Pro version covers unlimited private repositories and supports 11 languages. It can be run on every pull request, with the feedback provided as comments in the code review.
Equivalent Tools:
- SonarQube
- Codacy