Nexus Lifecycle Connector Guide
Summary: How to set up and use the Nexus Lifecycle connector in Ivanti Neurons RBVM/ASOC/VULN KB.
The Ivanti Neurons RBVM/ASOC/VULN KB platform provides an API-based connector that integrates with Nexus Lifecycle, which enables customers to bring in their open-source (OSS) findings into Neurons RBVM/ASOC/VULN KB to gain visibility of their overall risk due to vulnerabilities in their open-source libraries to enable a simplified and efficient way to manage those vulnerabilities. Neurons RBVM/ASOC/VULN KB users can configure the connector to pull scan data from Nexus Lifecycle on a periodic basis, as well.
Data from Nexus Lifecycle is ingested as Applications and Application Findings in Neurons RBVM/ASOC/VULN KB. Refer to the data mapping section below for details.
Nexus Lifecycle Overview
Use one tool to scale open source security monitoring across the software supply chain and reclaim time spent fighting risks in the software development life cycle. Access an evolving database of known vulnerabilities and help your team detect threats and inconsistencies before the chance of an attack.
Automatically detect and fix open-source dependency vulnerabilities.
Integrate security vulnerability tools into git repositories you already use.
Avoid attacks through scaled secure development practices across dev and ops teams.
Nexus Lifecycle Connector Configuration
Nexus Lifecycle Setup
Requires a subscription to Nexus Lifecycle.
Ivanti Neurons Connector Setup
When logged into the platform, navigate to the Automate > Integrations page.
Using the search bar in the upper-right corner of the Integrations page, type Nexus Lifecycle to find the connector.
Click the Configuration button in the Nexus Lifecycle connector card.
Complete the following required fields. These fields include:
Connector Name: Connector name for the Ivanti Neurons platform.
URL: Nexus Lifecycle instance URL.
User Name and Password: Nexus Lifecycle user credentials.
Optional SSL: Nexus Lifecycle SSL certificate.
Network: Network name in Ivanti Neurons. Ingested applications and findings will be associated with this network.
Once the fields have been filled out, click Test Credentials to ensure the connector can connect to the Nexus Lifecycle instance.
Additional connector configurations, such as Schedule and Optional Configurations can be set up here.
Pull tag information from Nexus: This will create asset tags based on the Nexus Lifecycle labels. The default behavior is not to create tags.
Create assets that do not have vulnerabilities: This will create assets that exist in the Nexus Lifecycle platform when there are no vulnerabilities. The default behavior is to only create assets with vulnerabilities.
Filter Nexus Repositories by Applications: This will allow the connector to only pull information limited to a selection of applications.
All Apps: This will pull all applications available to the login provided, including those discovered in the future. This is the default option.
Select Apps: This will present the user with a list of the actual applications available to the login at the moment of the Test Credentials. Data from the chosen applications will be ingested.
Negation of Apps: This will present the user with a list of actual applications available to the login at the moment of the Test Credentials. Data from the chosen applications will be ignored.
Filter Nexus Repositories by Stage: This allows the connector to pull only information limited to a selection of stages.
All Apps: This option pulls all stage types. This is the default option.
Select Apps: This option presents the user with a list of the available stage types. Data from the chosen stages will be ingested.
Negation of Apps: This will present the user with a list of the available stage types. Data from the chosen stages will be ignored.
Once the connector configuration is complete, click the Save button.
When the connector is set up, a new entry for it appears at the top of the Integrations page. This connector runs once the initial setup is complete. Check the connector’s status by clicking the History button.
In the Upload Center (navigate to the Settings > Upload page), files pulled from Nexus Lifecycle are parsed, aggregated, and filtered for displaying data on the Applications/Application Findings pages.
Data Visualization in Ivanti Neurons
The data from a Nexus Lifecycle scan file is ingested into Ivanti Neurons as Applications and Application Findings. The Scanner Name associated with these scans is Nexus Lifecycle. Scanner Name can be used as a filter for Applications and Application Findings.
Asset data extracted from Nexus Lifecycle scan files is shown on the Applications page. Project and version details are also extracted from the scan file.
In the Application Detail pane under the Scanner Specific Information section, the scanner is listed as Nexus Lifecycle.
The Scanner Type filter allows you to filter for Open Source Security (OSS) data related to Nexus Lifecycle.
Application Findings Page
All findings from the Nexus Lifecycle scan file are shown on the Application Findings page.
The Finding Type column is available on the Application Findings page. This column provides additional information about each finding, such as OSS findings from Nexus Lifecycle.
The Risk Type filter will show the four types of policy types available in Nexus Lifecycle, including security, quality, license, and other.
This connector will only pull security-type policy violations at this time, with plans for a release of the other three types soon.
Several new scanner-specific fields are available for filtering and exports.
Deep Link - Link to the report in the Nexus Lifecycle platform.
CVSS V3 Score - 0.0-10.0 reported score.
CVSS V2 Score - 0.0-10.0 reported score.
Application Name - Nexus Lifecycle application name.
Nexus Lifecycle Data Mapping in Ivanti Neurons
This table maps the high-level fields from Nexus Lifecycle with that of the Ivanti Neurons platform.
Ivanti Neurons Field
Nexus Lifecycle Field
Filterable in Ivanti Neurons
|Applications||Name||Name of the Project||Yes|
|Address||Name of the Project + Project stage||Yes|
|Nexus Lifecycle Application Name||Name of the Project||Yes|
|Nexus Lifecycle Stage||Stage||Yes|
|Total||Sum of all findings associated with each project, including security, license, and operational||No|
|Application Findings||Title||Title of each security risk||Yes|
|Scanner Plugin||CVE or Sonatype Plugin reference||Yes|
|Nexus Lifecycle Effective License||Effective License according to Nexus||No|
|Description (applicable only for security findings)||Description of Security Risk, Detail Explanation, and Detection Details||No|
|Possible Solution||Recommendation and Advisories||No|