Nexus Lifecycle: Using REST API to identify where newly vulnerable components reside across your application portfolio
2 minute read time
Following the recent announcement of the npm package conventional-changelog having a malicious version uploaded (read more in Brian's blog post), I wanted to write a quick tutorial on how customers using Sonatype's Nexus Lifecycle tool can quickly search for a specific component across all the applications they have previously scanned.
When a bad component like the version of conventional-changelog gets out in the wild, it is important to be able to react quickly and find out which applications might be affected.Nexus Lifecycle contains just the API for this, the Component Search API. I have recorded the video below showing how to use Nexus Lifecycle to find a list of all applications that have this vulnerable component in it.
Syntax
The search syntax I used in the above video is as follows. I use curl to simplify the request, but feel free to use any method of making http requests.
Plain text:
curl -u admin:admin123 -X GET "http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier={"format":"a-name","coordinates":{"name":"conventional-changelog-core","qualifier":"","version":"1.2.0"}}"
- stageID tells IQ server which previous scans to look for - depending on which environment. To search for scans with production artifacts you would use 'operate'. Other possible values: develop, build, stage-release, release, operate
- componentIdentifier contains the search term
- format corresponds to the type of package you're searching for. In this case we're searching for authoritative javascript packages - a-name for short.
- name in coordinates corresponds to the name of the package we're searching
- version is the version you want to search for.
URL Encoded:
To pass the search to the API you must URL encode your component identifier.
curl -u admin:admin123 -X GET "http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier=%7B%22format%22%3A%22a-name%22%2C%22coordinates%22%3A%7B%22name%22%3A%22conventional-changelog-core%22%2C%22qualifier%22%3A%22%22%2C%22version%22%3A%221.9.0%22%7D%7D"
Written by Ilkka Turunen
Ilkka serves as Field CTO at Sonatype. He is a software engineer with a knack for rapid web-development and cloud computing and with technical experience on multiple levels of the XaaS cake. Ilkka is interested in anything and everything, always striving to learn any relevant skills that help towards building Sonatype for success.
Explore All Posts by Ilkka Turunen