Sonatype Nexus Lifecycle Connector Guide

Summary: How to set up and use the Sonatype Nexus Lifecycle connector in Ivanti Neurons for ASOC.

Overview

Ivanti Neurons for ASOC provides an API-based connector for Sonatype Nexus Lifecycle. It brings open-source software (OSS) findings into Ivanti Neurons for ASOC so that customers can see the overall risk from vulnerabilities in their open-source libraries and manage those vulnerabilities in one place. The connector can also be scheduled to pull scan data from Sonatype Nexus Lifecycle periodically.

Data from Sonatype Nexus Lifecycle is ingested as Applications and Application Findings in Ivanti Neurons for ASOC. Refer to the data mapping section below for details.

Connector Configuration

Prerequisites

  • Requires an active subscription to Ivanti Neurons for ASOC.
  • Requires an active subscription to Sonatype Nexus Lifecycle.
  • URL used to access the instance of Sonatype Nexus Lifecycle.

User Setup

To connect Ivanti Neurons for ASOC to Sonatype Nexus Lifecycle, create a dedicated API user in Nexus Lifecycle with the following minimum access:

  • View IQ Elements - grants read-only access to most properties of an organization, application, or repository so that the current configuration and policy evaluation state can be viewed.

    View IQ Elements is the minimum permission required for users to browse organization/application/repository-related web pages, including application composition reports.
    • The built-in Developer role provides this access; otherwise a custom role with the above privilege is needed.
    • Grant the role only on the organizations or applications you intend to ingest. The connector needs read access only, and it can only pull applications that are visible to this login (see Filter Nexus Repositories by Applications below).

See the Sonatype documentation on Role Management for how to manage user permissions.

Connections

The following API calls are performed during a connector run to pull security vulnerabilities from Sonatype Nexus Lifecycle into Ivanti Neurons for ASOC.

API Type                     Endpoint
Get All Organizations        /api/v2/organizations
Get All Applications         /api/v2/applications
Get Vulnerability Details    /api/v2/vulnerabilities/
Get All Policies             /api/v2/policies
Get Policy Violations        /api/v2/policyViolations?p={policyIdvalue}
Get Cross Stage Violations   /api/v2/policyViolations/crossStage/{policyViolationIdvalue}
Get Component Details        /api/v2/components/details
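
The Test Credentials button described under Platform Setup only tells you that the login works. The following script, added here as an example and not part of the Ivanti or Sonatype product code, checks the same thing from the command line before the password is pasted into the platform: it calls the three endpoints from the table above that take no identifier, using the read-only account created under User Setup, and distinguishes a rejected password (401) from a missing View IQ Elements permission (403) and from a login that is valid but can see no applications at all. The endpoint paths come from the table; the response field names, the cafile argument, and the environment variable names are assumptions.

```python
"""Pre-flight check of the Nexus Lifecycle API user before saving the connector.

Added example, not part of the Ivanti or Sonatype product code. It probes the
read-only endpoints from the Connections table that take no path parameter.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request

# Endpoints the connector calls that need no policy/violation id.
PROBE_PATHS = ("/api/v2/organizations", "/api/v2/applications", "/api/v2/policies")


def http_get(url, user, password, cafile=None, timeout=15):
    """GET with HTTP Basic auth; returns (status, body bytes).

    cafile (assumed helper argument) trusts a private CA for an internal
    IQ Server, which is safer than disabling certificate verification.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": "Basic " + token, "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(status, body):
    """Map one response to a verdict the operator can act on."""
    if status == 401:
        return "bad-creds"      # user name or password rejected
    if status == 403:
        return "no-perm"        # user exists but lacks View IQ Elements here
    if status != 200:
        return "error"          # wrong URL, proxy, 5xx ...
    try:
        data = json.loads(body)
    except ValueError:
        return "error"          # 200 from a login page or proxy, not the API
    # IQ Server only lists what the user may view (assumed shape, e.g.
    # {"applications": []}), so an empty list means the login is valid
    # but the connector would ingest nothing.
    lists = [v for v in data.values() if isinstance(v, list)] if isinstance(data, dict) else []
    if lists and all(len(v) == 0 for v in lists):
        return "ok-empty"
    return "ok"


def check_api_user(base_url, user, password, cafile=None, fetch=http_get):
    """Probe every endpoint in PROBE_PATHS; returns {path: verdict}."""
    base = base_url.rstrip("/")
    return {p: classify(*fetch(base + p, user, password, cafile)) for p in PROBE_PATHS}


def is_ready(results):
    """True only if every probe returned real data."""
    return all(v == "ok" for v in results.values())


if __name__ == "__main__":
    import os
    import sys
    verdicts = check_api_user(os.environ["IQ_URL"], os.environ["IQ_USER"],
                              os.environ["IQ_PASSWORD"], os.environ.get("IQ_CAFILE"))
    for path, verdict in verdicts.items():
        print(f"{verdict:9} {path}")
    sys.exit(0 if is_ready(verdicts) else 1)
```

Run it with IQ_URL, IQ_USER, and IQ_PASSWORD set (and IQ_CAFILE for an instance with a private CA). An "ok-empty" result on /api/v2/applications means the role is not granted on any organization or application the connector should ingest; fix that before saving the connector, because the connector would otherwise run successfully and ingest nothing.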

Platform Setup

When logged into the platform, navigate to the Automate > Integrations page.

Integrations menu location under the Automate menu.

Using the search bar in the upper-right corner of the Integrations page, type Nexus Lifecycle to find the connector. Locate the Sonatype Nexus Lifecycle card under Applications and click Configuration.

Configuration button location on the Nexus Lifecycle connector card on the Integrations page.

Complete the following required fields:

  • Connector Name: Connector name for the Ivanti Neurons for ASOC platform.

  • URL: Sonatype Nexus Lifecycle instance URL.

  • User Name and Password: Sonatype Nexus Lifecycle user credentials.

  • Optional SSL: The SSL certificate of the Sonatype Nexus Lifecycle instance. Provide it when the instance uses a self-signed or internally issued certificate that the platform would not otherwise trust.

  • Network: Network name in Ivanti Neurons. Ingested applications and findings will be associated with this network.

Once the fields have been filled out, click Test Credentials to ensure the connector can connect to the Nexus Lifecycle instance.

Additional connector configurations, such as Schedule and Optional Configurations, can be set up here as well.

Schedule section in the Nexus Lifecycle connector setup.

Optional Configuration Section in the Nexus Lifecycle connector setup window.

Optional Configurations

  • Pull tag information from Nexus: Creates asset tags from the Sonatype Nexus Lifecycle labels. By default no tags are created.
  • Create assets that do not have vulnerabilities: Creates assets for applications that exist in Sonatype Nexus Lifecycle but have no vulnerabilities. By default only applications with vulnerabilities are created as assets.
  • Filter Nexus Repositories by Applications: Limits the pull to a selection of applications.
    • All Apps: Pulls all applications available to the login provided, including those discovered in the future. This is the default.
    • Select Apps: Presents the list of applications available to the login at the time Test Credentials was last run. Only data from the chosen applications is ingested; applications added to Nexus Lifecycle later are not picked up until they are selected here.
    • Negation of Apps: Presents the same list; data from the chosen applications is ignored.
  • Filter Nexus Repositories by Stage: Limits the pull to a selection of stages.
    • All Apps: Pulls all stage types. This is the default.
    • Select Apps: Presents the list of available stage types. Only data from the chosen stages is ingested.
    • Negation of Apps: Presents the same list; data from the chosen stages is ignored.
  • Pull Vulnerability Information: Specifies which types of policy violations are pulled. By default all four types are selected.
    • Security: Pulls all security policy violations.
    • License: Pulls all license policy violations.
    • Quality: Pulls all quality policy violations.
    • Other: Pulls all other policy violations.

Once the connector configuration is complete, click the Save button.

When the connector is set up, a new entry for it appears at the top of the Integrations page. The connector runs for the first time as soon as the initial setup is saved. Check the connector's status by clicking the History button.

History button location on a configured connector card.

Connector History displayed once the History button is pressed on the configured connector card.

In the Upload Center (navigate to the Settings > Upload page), files pulled from Sonatype Nexus Lifecycle are parsed, aggregated, and filtered for displaying data on the Applications/Application Findings pages.

Uploaded Nexus Lifecycle data on the Upload Center page.

Editing a Connector Configuration

Connector configurations can be updated at any time after creation. Go to the Automate > Integrations page and select the specific connector you want to update.

Utilizing the Connector

The data from a Sonatype Nexus Lifecycle scan file is ingested into Ivanti Neurons for ASOC as Applications and Application Findings. The Scanner Name associated with these scans is Nexus Lifecycle. Scanner Name can be used as a filter for Applications and Application Findings.

Assets

Asset data extracted from Sonatype Nexus Lifecycle scan files is shown on the Applications page. Project and version details are also extracted from the scan file.

Screenshot of the Applications page.

In the Application Detail pane under the Scanner Specific Information section, the scanner is listed as Nexus Lifecycle.

Scanner Specific Information section of the Application's detail pane.

The Scanner Type filter allows you to filter for Open Source Security (OSS) data related to Sonatype Nexus Lifecycle.

The Add Filter window configured with the filter Scanner Type is one of OSS.

Findings

All findings from the Sonatype Nexus Lifecycle scan file are shown on the Application Findings page.

Screenshot of the Application Findings page.

The Finding Type column on the Application Findings page shows the category of each finding; findings from Sonatype Nexus Lifecycle appear as OSS.

The Risk Type filter lists the four policy types available in Sonatype Nexus Lifecycle: security, license, quality, and other.

At the time of writing, the connector only ingests security-type policy violations, even though all four types can be selected under Pull Vulnerability Information; support for license, quality, and other violations is planned for an upcoming release.

Several new scanner-specific fields are available for filtering and exports.

  • Deep Link - Link to the report in the Nexus Lifecycle platform.

  • CVSS V3 Score - 0.0-10.0 reported score.

  • CVSS V2 Score - 0.0-10.0 reported score.

  • Application Name - Nexus Lifecycle application name.

The Scanner Specific Information section of the detail pane on the Application Findings page.

Severity Mapping

Sonatype Nexus Lifecycle reports severity on the same 0.0-10.0 scale used by Ivanti Neurons for ASOC, so the value is ingested without modification.

Connector Data Mapping

This table maps the high-level fields from Sonatype Nexus Lifecycle to those of the Ivanti Neurons for ASOC platform.

Section               Platform Field                            Nexus Lifecycle Field                                                       Filter
Applications          Name                                      Name of the Project                                                         Yes
                      Address                                   Name of the Project + Project stage                                         Yes
                      Nexus Lifecycle Application Name          Name of the Project                                                         Yes
                      Nexus Lifecycle Stage                     Stage                                                                       Yes
                      Total                                     Sum of all findings associated with each project, including security,      No
                                                                license, and operational
Application Findings  Title                                     Title of each security risk                                                 Yes
                      Location                                  Package URL                                                                 Yes
                      Scanner Plugin                            CVE or Sonatype Plugin reference                                            Yes
                      Source                                    Component format                                                            Yes
                      Nexus Lifecycle Effective License         Effective License according to Nexus                                        No
                      Description (security findings only)      Description of Security Risk, Detailed Explanation, and Detection Details   No
                      Possible Solution                         Recommendation and Advisories                                               No
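
To make the optional filters and the data mapping concrete, here is an added example (not Ivanti's or Sonatype's code) that applies the All/Select/Negation semantics for applications and stages, the violation-type selection, and the field mapping from the table above to constructed policy-violation data. The input is shaped like the /api/v2/policies and /api/v2/policyViolations?p={policyIdvalue} responses listed under Connections; the JSON field names, the ":" used to join project name and stage for the Address, and the CVE extraction from the constraint reason text are assumptions, not documented connector behaviour.

```python
"""Apply the connector's optional filters and the Connector Data Mapping table
to Nexus Lifecycle policy violations.

Added example, not Ivanti's or Sonatype's code. Input is constructed to look like
GET /api/v2/policies and GET /api/v2/policyViolations?p=<policyId> responses;
the field names are assumed and should be checked against your IQ Server.
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed /api/v2/policies sample (policyType values assumed).
POLICIES = {
    "p-sec": {"id": "p-sec", "name": "Security-Critical", "policyType": "security"},
    "p-lic": {"id": "p-lic", "name": "License-Copyleft", "policyType": "license"},
}

# Constructed /api/v2/policyViolations?p=<policyId> samples, keyed by policy id.
VIOLATIONS = {
    "p-sec": {"applicationViolations": [{
        "application": {"publicId": "payments-api", "name": "payments-api"},
        "policyViolations": [{
            "policyName": "Security-Critical", "stageId": "build", "threatLevel": 9,
            "reportUrl": "ui/links/application/payments-api/report/1a2b3c",
            "component": {"packageUrl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
                          "componentIdentifier": {"format": "maven"}},
            "constraintViolations": [{"constraintName": "Critical CVSS", "reasons": [
                {"reason": "Found security vulnerability CVE-2021-44228 with severity >= 9"}]}],
        }],
    }]},
    "p-lic": {"applicationViolations": [{
        "application": {"publicId": "payments-api", "name": "payments-api"},
        "policyViolations": [{
            "policyName": "License-Copyleft", "stageId": "release", "threatLevel": 7,
            "reportUrl": "ui/links/application/payments-api/report/4d5e6f",
            "component": {"packageUrl": "pkg:npm/left-pad@1.3.0",
                          "componentIdentifier": {"format": "npm"}},
            "constraintViolations": [{"constraintName": "Copyleft", "reasons": [
                {"reason": "Found license GPL-3.0"}]}],
        }],
    }]},
}


def passes(value, mode, chosen):
    """All / Select / Negation semantics of the Filter ... by Applications/Stage options."""
    if mode == "all":
        return True
    if mode == "select":
        return value in chosen
    if mode == "negation":
        return value not in chosen
    raise ValueError(f"unknown filter mode {mode!r}")


def to_finding(base_url, app, v, policy, address):
    """One Application Finding, column by column from the data-mapping table."""
    reasons = [r["reason"] for c in v["constraintViolations"] for r in c["reasons"]]
    cves = CVE_RE.findall(" ".join(reasons))
    comp = v["component"]
    return {
        "address": address,
        "application_name": app["name"],                        # Nexus Lifecycle application name
        "title": v["policyName"],                               # Title of each risk
        "location": comp["packageUrl"],                         # Package URL
        "source": comp["componentIdentifier"]["format"],        # Component format
        "scanner_plugin": cves[0] if cves else policy["name"],  # CVE or Sonatype reference
        "risk_type": policy["policyType"],                      # security/license/quality/other
        "severity": float(v["threatLevel"]),                    # 0.0-10.0, passed through unchanged
        "deep_link": f"{base_url.rstrip('/')}/{v['reportUrl']}",
        "description": "; ".join(reasons),
    }


def ingest(base_url, policies, violations_by_policy, app_mode="all", apps=(),
           stage_mode="all", stages=(), types=("security", "license", "quality", "other")):
    """Return (assets, findings) after the app, stage and violation-type filters."""
    assets, findings = {}, []
    for pid, policy in policies.items():
        if policy["policyType"] not in types:          # Pull Vulnerability Information
            continue
        for entry in violations_by_policy.get(pid, {}).get("applicationViolations", []):
            app = entry["application"]
            if not passes(app["name"], app_mode, set(apps)):
                continue
            for v in entry["policyViolations"]:
                if not passes(v["stageId"], stage_mode, set(stages)):
                    continue
                # Address = "Name of the Project + Project stage"; the separator is assumed.
                address = f"{app['name']}:{v['stageId']}"
                asset = assets.setdefault(address, {
                    "name": app["name"], "address": address, "nexus_application_name": app["name"],
                    "nexus_stage": v["stageId"], "total": 0})
                asset["total"] += 1
                findings.append(to_finding(base_url, app, v, policy, address))
    return assets, findings
```

Assets are only created for application/stage pairs that have at least one finding, matching the connector's default for Create assets that do not have vulnerabilities. The severity is the 0.0-10.0 value from Nexus Lifecycle passed through unchanged, as described under Severity Mapping.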