News and Notes from the Makers of Nexus | Sonatype Blog

Nexus Lifecycle: Using REST API to identify where newly vulnerable components reside across your application portfolio

Written by Ilkka Turunen | February 19, 2018

Following the recent announcement that a malicious version of the npm package conventional-changelog had been uploaded (read more in Brian's blog post), I wanted to write a quick tutorial on how customers using the Sonatype Lifecycle tool can quickly search for a specific component across all the applications they have previously scanned.

When a bad component like that version of conventional-changelog gets out in the wild, it is important to be able to react quickly and find out which applications might be affected.

Sonatype Lifecycle has just the API for this, the Component Search API. I have recorded the video below showing how to use Sonatype Lifecycle to find a list of all applications that contain this vulnerable component.

Syntax

The search syntax I used in the above video is as follows. I use curl to keep the request simple, but feel free to use any method of making HTTP requests. Note that the examples use the IQ Server default credentials (admin:admin123) over plain HTTP on localhost; against a real server, use a dedicated account that has only the permissions the search needs, and talk to it over HTTPS.

Plain text

curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier={"format":"a-name","coordinates":{"name":"conventional-changelog-core","qualifier":"","version":"1.2.0"}}'
  • stageId tells IQ Server which previously scanned stage to search, i.e. which environment the scans came from. To search scans of production artifacts you would use 'operate'. Other possible values: develop, build, stage-release, release, operate. A search covers a single stage, so to cover your whole portfolio repeat the query for each stage you scan at.

  • componentIdentifier contains the search term, a JSON object with the fields below.

  • format corresponds to the type of package you're searching for. In this case we're searching for authoritative JavaScript packages, a-name for short.

  • name in coordinates is the name of the package we're searching for; qualifier is left empty here.

  • version is the version you want to search for.

URL encoded

To pass the search to the API you must URL encode the component identifier: the braces, quotes, colons and commas in the JSON are not valid in a query string as they stand (the single quotes in the plain-text form above only keep your shell from mangling them). curl can do the encoding for you with -G and --data-urlencode, or you can encode the JSON yourself, which gives the request below.

curl -u admin:admin123 -X GET "http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier=%7B%22format%22%3A%22a-name%22%2C%22coordinates%22%3A%7B%22name%22%3A%22conventional-changelog-core%22%2C%22qualifier%22%3A%22%22%2C%22version%22%3A%221.2.0%22%7D%7D"
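Since a single search only covers one stage, the practical version of this procedure is a small script that builds the componentIdentifier JSON, percent-encodes it the way the curl request above does, queries every stage and merges the hits into one list of affected applications. The script below is an added example, not code from the original post or from Sonatype; it only uses the Python standard library. The URL construction mirrors the request shown above; the response field names it reads (results, applicationName, applicationId, stageId) are an assumption about the Component Search API response and should be checked against your own IQ Server version. The server address and credentials are the same placeholders the post uses, and the sample responses embedded in the script are constructed so that it can be run without a server.

```python
"""Search every IQ Server stage for one component and list the affected applications.

Added example, not code from the original post. The response field names
(results, applicationName, applicationId, stageId) are an assumption about the
Component Search API and should be checked against your IQ Server version.
"""
import base64
import json
import urllib.parse
import urllib.request

# Every stage IQ Server can hold a scan for; one search is scoped to one stage.
STAGES = ("develop", "build", "stage-release", "release", "operate")


def component_identifier(name, version, fmt="a-name", qualifier=""):
    """Build the componentIdentifier JSON with the same field order as the curl example."""
    ident = {"format": fmt,
             "coordinates": {"name": name, "qualifier": qualifier, "version": version}}
    # No whitespace, so the encoded form matches what the curl request sends.
    return json.dumps(ident, separators=(",", ":"))


def encode_identifier(identifier_json):
    """Percent-encode the JSON for a query string (braces, quotes, colons, commas)."""
    return urllib.parse.quote(identifier_json, safe="")


def search_url(base_url, stage, identifier_json):
    """Full Component Search URL for a single stage."""
    query = urllib.parse.urlencode(
        {"stageId": stage, "componentIdentifier": identifier_json},
        quote_via=urllib.parse.quote)
    return base_url.rstrip("/") + "/api/v2/search/component?" + query


def affected_applications(response_json):
    """Map application name -> sorted list of stages in which the component was found."""
    found = {}
    for hit in response_json.get("results", []):
        found.setdefault(hit["applicationName"], set()).add(hit["stageId"])
    return {app: sorted(stages) for app, stages in found.items()}


def search_all_stages(base_url, auth, name, version, fetch=None):
    """Query each stage and merge the hits.

    `fetch(url) -> dict` can be injected (used for the offline sample run);
    by default it performs a GET with HTTP basic auth, like curl -u.
    """
    if fetch is None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()

        def fetch(url):
            req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)

    ident = component_identifier(name, version)
    merged = {"results": []}
    for stage in STAGES:
        merged["results"].extend(fetch(search_url(base_url, stage, ident)).get("results", []))
    return affected_applications(merged)


def _hit(app, stage):
    # Constructed hit record, in the assumed response shape.
    return {"applicationId": app, "applicationName": app, "stageId": stage,
            "componentIdentifier": json.loads(
                component_identifier("conventional-changelog-core", "1.2.0"))}


# Constructed sample responses (not real IQ Server output), keyed by stage.
SAMPLE_RESPONSES = {
    "build": {"results": [_hit("webshop", "build")]},
    "operate": {"results": [_hit("webshop", "operate"), _hit("billing", "operate")]},
}


def sample_fetch(url):
    """Stand-in for the HTTP GET: answer from SAMPLE_RESPONSES based on the stageId in the URL."""
    stage = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["stageId"][0]
    return SAMPLE_RESPONSES.get(stage, {"results": []})


if __name__ == "__main__":
    # Drop fetch=sample_fetch to query a real server at http://localhost:8070 as admin:admin123.
    hits = search_all_stages("http://localhost:8070", ("admin", "admin123"),
                             "conventional-changelog-core", "1.2.0", fetch=sample_fetch)
    for app, stages in sorted(hits.items()):
        print(f"{app}: found in {', '.join(stages)}")
```

Run it as-is to see the merge over the constructed sample responses; remove the fetch=sample_fetch argument to run the same five searches against a real IQ Server. The JSON is serialised without whitespace before encoding so that the encoded string is byte-for-byte the one in the curl request above, which makes it easy to compare against a request that works.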