This spring we rolled out our first Sonatype Nexus IQ Artifactory integration. What's that all about? Find out below!

Since last fall we've been receiving inquiries about artifact analysis tools that you could include in a CI/CD pipeline: tools that make use of vulnerability disclosures. For years, the Common Vulnerabilities and Exposures database has shared all sorts of vulnerabilities that have been reported to them. These vulnerabilities can apply to anything from libraries to standalone software. Vulnerabilities are commonly rated on a 0-10 scale, and each one is described to readers. For an example of a general vulnerability report, check out this one from another CVE database by NIST.

Keeping up with all these vulnerabilities is not easy, and there should be an automated way to track the ones that affect the software you use.

Sonatype Nexus IQ analysis

That's exactly what Sonatype has managed to create with their Nexus IQ analysis software. Initially, this tool only worked with Nexus Repository Manager. A couple of months ago, Sonatype announced that they had released an integration with JFrog's Artifactory.

To be clear, JFrog has their own artifact analysis tool called Xray, which we have also rolled out for our customers. Sonatype's Nexus IQ competes with JFrog Xray on features. It is great to have competition in the artifact analysis domain.

We feel that Artifactory is a great tool for artifact storage, but there is no clear winner in the artifact analysis domain yet. If you choose to explore the addition of artifact analysis to your development pipeline, your choice will depend on the features you require and the budget you have.

What’s so great about Nexus IQ?

So what's great about Nexus IQ in particular? First of all, Nexus IQ integrates with Jenkins. You can embed an analysis step in your pipeline, and that will result in an evaluation that scans all the artifacts that you upload to your Artifactory repository. Whether an artifact counts as a security policy violation depends on the policies you have chosen in Nexus IQ.
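As an added illustration (not code from the original post or from Sonatype), a declarative Jenkinsfile with a Nexus IQ policy evaluation stage placed between the build and the upload to Artifactory. It assumes the Sonatype Nexus Platform Plugin is installed and its IQ server connection configured in Jenkins, a Maven build, and an application ID `sample-app` in Nexus IQ; the step and field names are the plugin's as we know them, and `sample-app` plus the scan pattern are placeholders.

```groovy
// Added example, not from the original post. Placeholders: 'sample-app', scan pattern.
// Requires the Sonatype Nexus Platform Plugin with an IQ server configured in Jenkins.
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                // Produce the artifacts that will be evaluated (Maven assumed).
                sh 'mvn -B -DskipTests package'
            }
        }

        stage('Nexus IQ policy evaluation') {
            steps {
                script {
                    // Evaluate the built artifacts against the policies of the 'build' stage.
                    // The warn/fail actions come from the policies configured in Nexus IQ,
                    // so a policy with a 'Fail' action marks this build as failed here.
                    def evaluation = nexusPolicyEvaluation(
                        iqApplication: selectedApplication('sample-app'),
                        iqStage: 'build',
                        iqScanPatterns: [[scanPattern: '**/target/*.jar']],
                        // Treat an unreachable IQ server as a failure rather than silently passing.
                        failBuildOnNetworkError: true
                    )
                    echo "Policy report: ${evaluation.applicationCompositionReportUrl}"
                    echo "Components with policy violations: ${evaluation.affectedComponentCount}"
                }
            }
        }

        stage('Publish to Artifactory') {
            // Only reached when the evaluation stage did not fail the build, so artifacts
            // that violate a failing policy never reach the repository.
            steps {
                sh 'mvn -B -DskipTests deploy'
            }
        }
    }
}
```

With the Artifactory integration in place, the same policies can also be applied to artifacts already in the repository, so the pipeline gate above is one layer rather than the only one.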

You will get a nice view of what the offending packages are and, if possible, which version you should upgrade to in order to patch that vulnerability.

Scanning software licenses

Another great feature artifact analysis tools give you is the ability to easily scan the licenses of the different libraries and software used in your pipeline.

Contrary to popular belief, just because a program is open source and free to download doesn't mean it grants you rights to use it as you wish. You can blacklist certain licenses that you do not want to get in your pipeline, or you might even want to check which programs don't have a license at all (which is also scary for a business).

Integration with IDEs

A third but somewhat limited feature in Nexus IQ is that it can integrate with certain IDEs. Nexus IQ has plugins available for Eclipse and IntelliJ IDEA. With the plugin installed, you can see policy reports straight inside these IDEs. As we in the ROOT support team are not software engineers in the traditional sense, we haven't gotten around to using the IDE plugins yet. They basically perform the same task that a Jenkins pipeline step does: they show you the packages that don't pass the policy checks that you have.

Time to act

The last and most important thing Nexus IQ provides you is a call to action. Some aspects of information and software security can be tedious. Keeping up with the vulnerability report overload that a bazillion penetration testers, hackers and ordinary users help create can be hard.

With these analysis tools you get visibility, and with visibility you can and should act. Buying and installing these analysis tools won't do you any good if you don't push your development team to apply upgrades that cut down on attack vectors. With artifact analysis tools, you can take steps towards a more secure software development pipeline, and catch risks before they reach your production environments.

If you are interested in knowing more about Nexus IQ with Artifactory integration, let us know and we can set up a demonstration for you :).