Nexus Lifecycle Connector Guide

Summary: How to set up and use the Nexus Lifecycle connector in Ivanti Neurons for RBVM/ASOC.

Overview

The Ivanti Neurons for RBVM/ASOC platform provides an API-based connector for Nexus Lifecycle. It lets customers bring their open-source software (OSS) findings into Neurons for RBVM/ASOC, giving them visibility of the overall risk from vulnerabilities in their open-source libraries and a simpler, more efficient way to manage those vulnerabilities. Users can also configure the connector to pull scan data from Nexus Lifecycle on a periodic basis.

Data from Nexus Lifecycle is ingested as Applications and Application Findings in Neurons for RBVM/ASOC. Refer to the data mapping section below for details.

Nexus Lifecycle Overview

Use one tool to scale open source security monitoring across the software supply chain and reclaim time spent fighting risks in the software development life cycle. Access an evolving database of known vulnerabilities and help your team detect threats and inconsistencies before an attack can occur.

  • Automatically detect and fix open-source dependency vulnerabilities.

  • Integrate security vulnerability tools into git repositories you already use.

  • Avoid attacks through scaled secure development practices across dev and ops teams.

Nexus Lifecycle Connector Configuration

Nexus Lifecycle Setup

  • Requires a subscription to Nexus Lifecycle.

Ivanti Neurons Connector Setup

When logged into the platform, navigate to the Automate > Integrations page.

Integrations menu location under the Automate menu.

Using the search bar in the upper-right corner of the Integrations page, type Nexus Lifecycle to find the connector.

Typing Nexus Lifecycle in the top-right search bar on the Integrations page.

Click the Configuration button in the Nexus Lifecycle connector card.

Configuration button location on the Nexus Lifecycle connector card on the Integrations page.

Complete the following required fields:

  • Connector Name: Connector name for the Ivanti Neurons platform.

  • URL: Nexus Lifecycle instance URL.

  • User Name and Password: Nexus Lifecycle user credentials.

  • Optional SSL: Nexus Lifecycle SSL certificate.

  • Network: Network name in Ivanti Neurons. Ingested applications and findings will be associated with this network.


Once the fields have been filled out, click Test Credentials to ensure the connector can connect to the Nexus Lifecycle instance.

Additional connector configurations, such as Schedule and Optional Configurations, can be set up here.

Schedule section in the Nexus Lifecycle connector setup.

Optional Configuration Section in the Nexus Lifecycle connector setup window.

Optional Configurations

  • Pull tag information from Nexus: This will create asset tags based on the Nexus Lifecycle labels. The default behavior is not to create tags.

  • Create assets that do not have vulnerabilities: This will create assets that exist in the Nexus Lifecycle platform even when they have no vulnerabilities. The default behavior is to only create assets with vulnerabilities.

  • Filter Nexus Repositories by Applications: This restricts the connector to pulling information for a selected set of applications.

    • All Apps: This will pull all applications available to the login provided, including those discovered in the future. This is the default option.

    • Select Apps: This will present the user with a list of the applications available to the login at the time Test Credentials was clicked. Data from the chosen applications will be ingested.

    • Negation of Apps: This will present the user with a list of the applications available to the login at the time Test Credentials was clicked. Data from the chosen applications will be ignored.

  • Filter Nexus Repositories by Stage: This restricts the connector to pulling information for a selected set of stages.

    • All Apps: This option pulls all stage types. This is the default option.

    • Select Apps: This option presents the user with a list of the available stage types. Data from the chosen stages will be ingested.

    • Negation of Apps: This will present the user with a list of the available stage types. Data from the chosen stages will be ignored.

Once the connector configuration is complete, click the Save button.

When the connector is set up, a new entry for it appears at the top of the Integrations page. This connector runs once the initial setup is complete. Check the connector’s status by clicking the History button.

History button location on a configured connector card.

Connector History displayed once the History button is pressed on the configured connector card.

In the Upload Center (navigate to the Settings > Upload page), files pulled from Nexus Lifecycle are parsed, aggregated, and filtered for displaying data on the Applications/Application Findings pages.

Uploaded Nexus Lifecycle data on the Upload Center page.

Data Visualization in Ivanti Neurons

The data from a Nexus Lifecycle scan file is ingested into Ivanti Neurons as Applications and Application Findings. The Scanner Name associated with these scans is Nexus Lifecycle. Scanner Name can be used as a filter for Applications and Application Findings.

Applications Page

Asset data extracted from Nexus Lifecycle scan files is shown on the Applications page. Project and version details are also extracted from the scan file.

Screenshot of the Applications page.

In the Application Detail pane under the Scanner Specific Information section, the scanner is listed as Nexus Lifecycle.

Scanner Specific Information section of the Application's detail pane.

The Scanner Type filter allows you to filter for Open Source Security (OSS) data related to Nexus Lifecycle.

The Add Filter window configured with the filter Scanner Type is one of OSS.

Application Findings Page

All findings from the Nexus Lifecycle scan file are shown on the Application Findings page.

Screenshot of the Application Findings page.

The Finding Type column is available on the Application Findings page. This column provides additional information about each finding, such as OSS findings from Nexus Lifecycle.

The Risk Type filter shows the four policy types available in Nexus Lifecycle: security, quality, license, and other.

This connector only pulls security-type policy violations at this time; support for the other three types is planned for an upcoming release.

Several new scanner-specific fields are available for filtering and exports.

  • Deep Link - Link to the report in the Nexus Lifecycle platform.

  • CVSS V3 Score - Reported score, 0.0 to 10.0.

  • CVSS V2 Score - Reported score, 0.0 to 10.0.

  • Application Name - Nexus Lifecycle application name.

Scanner Specific Information section of the detail pane on the Application Findings page.

Nexus Lifecycle Data Mapping in Ivanti Neurons

This table maps the high-level fields from Nexus Lifecycle to those of the Ivanti Neurons platform.

Mapping Ivanti Neurons fields to Nexus Lifecycle fields.

Section              | Ivanti Neurons Field                                   | Nexus Lifecycle Field                                                                        | Filterable in Ivanti Neurons
---------------------|--------------------------------------------------------|----------------------------------------------------------------------------------------------|-----------------------------
Applications         | Name                                                   | Name of the Project                                                                          | Yes
Applications         | Address                                                | Name of the Project + Project stage                                                          | Yes
Applications         | Nexus Lifecycle Application Name                       | Name of the Project                                                                          | Yes
Applications         | Nexus Lifecycle Stage                                  | Stage                                                                                        | Yes
Applications         | Total                                                  | Sum of all findings associated with each project, including security, license, and operational | No
Application Findings | Title                                                  | Title of each security risk                                                                  | Yes
Application Findings | Location                                               | Package URL                                                                                  | Yes
Application Findings | Scanner Plugin                                         | CVE or Sonatype Plugin reference                                                             | Yes
Application Findings | Source                                                 | Component format                                                                             | Yes
Application Findings | Nexus Lifecycle Effective License                      | Effective License according to Nexus                                                         | No
Application Findings | Description (applicable only for security findings)    | Description of Security Risk, Detail Explanation, and Detection Details                      | No
Application Findings | Possible Solution                                      | Recommendation and Advisories                                                                | No
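The following is an added example, not Ivanti's or Sonatype's code, that models the connector behavior described in the Optional Configurations section (All/Select/Negation of applications and stages, assets without vulnerabilities skipped by default, only security policy violations pulled) together with the Applications rows of the mapping table above. The input record layout, the "/" used to join project name and stage into Address, and the sample applications are all assumptions constructed for the example.

```python
# Added illustration of this guide's filter and mapping rules, not Ivanti's or
# Sonatype's code; record shapes and the "/" in Address are assumptions.
from dataclasses import dataclass, field

@dataclass
class NexusApp:
    name: str
    stage: str
    violations: list = field(default_factory=list)  # dicts: type/title/purl/ref/fmt

def selected(value, mode="all", chosen=()):
    """One 'Filter Nexus Repositories by ...' control: all / select / negation."""
    if mode == "all":
        return True
    if mode == "select":
        return value in chosen
    if mode == "negation":
        return value not in chosen
    raise ValueError(f"unknown filter mode {mode!r}")

def ingest(apps, app_mode="all", app_chosen=(), stage_mode="all",
           stage_chosen=(), create_empty_assets=False):
    """Return (applications, findings) as the guide says the connector ingests them."""
    applications, findings = [], []
    for app in apps:
        if not (selected(app.name, app_mode, app_chosen)
                and selected(app.stage, stage_mode, stage_chosen)):
            continue
        # Only security-type policy violations are pulled at this time.
        security = [v for v in app.violations if v["type"] == "security"]
        if not security and not create_empty_assets:
            continue  # default: only create assets that have vulnerabilities
        applications.append({
            "Name": app.name,
            "Address": f"{app.name}/{app.stage}",  # Name of the Project + Project stage
            "Nexus Lifecycle Application Name": app.name,
            "Nexus Lifecycle Stage": app.stage,
            "Total": len(app.violations),  # counts every policy type, not only security
            "Scanner Name": "Nexus Lifecycle"})
        for v in security:
            findings.append({"Title": v["title"], "Location": v["purl"],
                             "Scanner Plugin": v["ref"], "Source": v["fmt"],
                             "Application Name": app.name})
    return applications, findings

# Constructed sample (placeholder identifiers, not real findings)
SAMPLE = [NexusApp("webstore", "release", [
    dict(type="security", title="Vulnerable logger", purl="pkg:maven/example/logger@1.0", ref="CVE-PLACEHOLDER", fmt="maven"),
    dict(type="license", title="Copyleft component", purl="pkg:maven/example/lib@2.0", ref="Sonatype", fmt="maven")]),
    NexusApp("billing", "develop", [])]
```

Note that the Total column counts all policy types while only the security violation becomes an Application Finding, which is why an application's Total can exceed its number of findings in Ivanti Neurons.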