Sonatype Nexus Lifecycle Connector Guide

Summary: How to set up and use the Sonatype Nexus Lifecycle connector in Ivanti Neurons for ASOC.


The Ivanti Neurons for ASOC platform provides an API-based connector that integrates with Sonatype Nexus Lifecycle, which enables customers to bring in their open-source (OSS) findings into Ivanti Neurons for ASOC to gain visibility of their overall risk due to vulnerabilities in their open-source libraries to enable a simplified and efficient way to manage those vulnerabilities. Ivanti Neurons users can configure the connector to pull scan data from Sonatype Nexus Lifecycle on a periodic basis, as well.

Data from Sonatype Nexus Lifecycle is ingested as Applications and Application Findings in Ivanti Neurons for ASOC. Refer to the data mapping section below for details.

Connector Configuration


  • Requires an active subscription to Ivanti Neurons for ASOC.
  • Requires an active subscription to Sonatype Nexus Lifecycle.
  • URL used to access the instance of Sonatype Nexus Lifecycle.

User Setup

In order to connect Ivanti Neurons for ASOC to Sonatype Nexus Lifecycle, an API user will need to be created with the following minimum access:

  • View IQ Elements - View IQ Elements grants read-only access to most properties of a respective organization/application/repository in order to view the current configuration and policy evaluation state.

    View IQ Elements is the minimum permission required for users to be able to browse organization/application/repository-related web pages, including application composition reports.
    • The built-in Developer role provides this access or a customer role with the above privilege is needed.

Sonatype documentation for managing user permissions can be found here: Role Management


The following API calls are performed during a connector run to pull security vulnerabilities from Sonatype Nexus Lifecycle into Ivanti Neurons for ASOC.

API Type


Get All Organizations


Get All Applications


Get Vulnerability Details


Get All Policies


Get PolicyViolations


Get Cross Stage Violations


Get Component Details


Platform Setup

When logged into the platform, navigate to the Automate > Integrations page.

Integrations menu location under the Automate menu.

Using the search bar in the upper-right corner of the Integrations page, type Nexus Lifecycle to find the connector. Locate the Sonatype Nexus Lifecycle card under Applications and click Configuration.

Configuration button location on the Nexus Lifecycle connector card on the Integrations page.

Complete the following required fields. These fields include:

  • Connector Name: Connector name for the Ivanti Neurons for ASOC platform.

  • URL: Sonatype Nexus Lifecycle instance URL.

  • User Name and Password: Sonatype Nexus Lifecycle user credentials.

  • Optional SSL: Sonatype Nexus Lifecycle SSL certificate.

  • Network: Network name in Ivanti Neurons. Ingested applications and findings will be associated with this network.

Once the fields have been filled out, click Test Credentials to ensure the connector can connect to the Nexus Lifecycle instance.

Additional connector configurations, such as Schedule and Optional Configurations can be set up here.

Schedule section in the Nexus Lifecycle connector setup.

Optional Configuration Section in the Nexus Lifecycle connector setup window.

Optional Configurations

  • Pull tag information from Nexus: This will create asset tags based on the Sonatype Nexus Lifecycle labels. The default behavior is not to create tags.
  • Create assets that do not have vulnerabilities: This will create assets that exist in the Sonatype Nexus Lifecycle platform when there are no vulnerabilities. The default behavior is to only create assets with vulnerabilities.
  • Filter Nexus Repositories by Applications: This will allow the connector to only pull information limited to a selection of applications.
    • All Apps: This will pull all applications available to the login provided, including those discovered in the future. This is the default option.
    • Select Apps: This will present the user with a list of the actual applications available to the login at the moment of the Test Credentials. Data from the chosen applications will be ingested.
    • Negation of Apps: This will present the user with a list of actual applications available to the login at the moment of the Test Credentials. Data from the chosen applications will be ignored.
  • Filter Nexus Repositories by Stage: This allows the connector to pull only information limited to a selection of stages.
    • All Apps: This option pulls all stage types. This is the default option.
    • Select Apps: This option presents the user with a list of the available stage types. Data from the chosen stages will be ingested.
    • Negation of Apps: This will present the user with a list of the available stage types. Data from the chosen stages will be ignored.
  • Pull Vulnerability Information: This allows the connector to specify which types of policy violations will be pulled. By default, all types will be selected.
    • Security: This option pulls all security policy violations.
    • License: This option pulls all license policy violations.
    • Quality: This option pulls all quality policy violations.
    • Other: This option pulls all other policy violations.

Once the connector configuration is complete, click the Save button.

When the connector is set up, a new entry for it appears at the top of the Integrations page. This connector runs once the initial setup is complete. Check the connector’s status by clicking the History button.

History button location on a configured connector card.

Connector History displayed once the History button is pressed on the configured connector card.

In the Upload Center (navigate to the Settings > Upload page), files pulled from Sonatype Nexus Lifecycle are parsed, aggregated, and filtered for displaying data on the Applications/Application Findings pages.

Uploaded Nexus Lifecycle data on the Upload Center page.

Editing a Connector Configuration

Connector configurations can be updated at any time after creation. Go to the Automate > Integrations page and select the specific connector you want to update.

Utilizing the Connector

The data from a Sonatype Nexus Lifecycle scan file is ingested into Ivanti Neurons for ASOC as Applications and Application Findings. The Scanner Name associated with these scans is Nexus Lifecycle. Scanner Name can be used as a filter for Applications and Application Findings.


Asset data extracted from Sonatype Nexus Lifecycle scan files is shown on the Applications page. Project and version details are also extracted from the scan file.

Screenshot of the Applications page.

In the Application Detail pane under the Scanner Specific Information section, the scanner is listed as Nexus Lifecycle.

Scanner Specific Information section of the Application's detail pane.

The Scanner Type filter allows you to filter for Open Source Security (OSS) data related to Sonatype Nexus Lifecycle.

The Add Filter window configured with the filter Scanner Type is one of OSS.


All findings from the Sonatype Nexus Lifecycle scan file are shown on the Application Findings page.

Screenshot of the Application Findings page.

The Finding Type column is available on the Application Findings page. This column provides additional information about each finding, such as OSS findings from Sonatype Nexus Lifecycle.

The Risk Type filter will show the four types of policy types available in Sonatype Nexus Lifecycle, including security, quality, license, and other.

This connector will only pull security-type policy violations at this time, with plans for a release of the other three types soon.

Several new scanner-specific fields are available for filtering and exports.

  • Deep Link - Link to the report in the Nexus Lifecycle platform.

  • CVSS V3 Score - 0.0-10.0 reported score.

  • CVSS V2 Score - 0.0-10.0 reported score.

  • Application Name - Nexus Lifecycle application name.

On the Application Findings page, displays the section of the detail pane showing Scanner Specific Information.

Severity Mapping

Sonatype Nexus Lifecycle reports severity on the same 0.0-10.0 scale used by Ivanti Neurons for ASOC with no modification.

Connector Data Mapping

This table maps the high-level fields from Sonatype Nexus Lifecycle with that of the Ivanti Neurons for ASOC platform.



Platform Field

Nexus Lifecycle Field




Name of the Project



Name of the Project + Project stage


Nexus Lifecycle Application Name

Name of the Project


Nexus Lifecycle Stage




Sum of all findings associated with each project, including security, license, and operational


Application Findings


Title of each security risk



Package URL


Scanner Plugin

CVE or Sonatype Plugin reference



Component format


Nexus Lifecycle Effective License

Effective License according to Nexus


Description (applicable only for security findings)

Description of Security Risk, Detail Explanation, and Detection Details


Possible Solution

Recommendation and Advisories