:
Skip Navigation
Resources Blog Getting started with Sonatype Vulnerability Scanner

Getting started with Sonatype Vulnerability Scanner

As a developer, you know the importance of building a robust application. With cyberattacks increasing, you should make sure your application is safe from the attacks and isn't vulnerable.

To assess your application for security and to help you find vulnerabilities in your application so you can fix them, our open source vulnerability scanner would be of great help.

So, in this post, I'll be telling you what this tool is and how to use it.

What is the Sonatype Vulnerability Scanner?

Sonatype Vulnerability Scanner is a tool that scans your application for vulnerabilities and gives you a report on its analysis.

As claimed by Sonatype, the average application consists of over 100 open source components and over 20 vulnerabilities.

Obviously, with so many potential weak points in your application, it's not deployment ready. And ignoring the security of your application might affect the business.

Once you've developed your application and made sure that it works as expected, you should concentrate on how secure the application is.

Now, let me show you how you can use Sonatype Vulnerability Scanner to scan your application.

Setting up Sonatype Vulnerability Scanner

The first step is to download the tool. You can find it here. To access the tool, you have to fill out a simple form and then click on the download button.

Nexus Vulnerability Scanner

The application you have to download is small in size, so it won't take much time.

Once the download is complete, extract the contents from the downloaded file. That's it. You've set up the scanner.

Using Sonatype Vulnerability Scanner

Now, to start the application, get into the application folder and execute the application-check file.

Nexus Vulnerability Scanner check file

After the application starts, you'll see the application window. It will ask you to select the application in which you want to find vulnerabilities.

Sonatype sample applications

If you just want to check how this tool works and don't want to run it on your application, or if you don't have your application ready, that's fine.

Sonatype gives you sample applications that you can run this tool on, too. After you download the tool, you'll be redirected to a page with a list of applications.

Download Begins Immediately

Let's walk through how this looks. I see several applications listed.

I know what WebGoat is. It's a web application that's designed to be vulnerable on purpose. But I'm curious about the Test1 application so I'm going to use that for this demo.

So, I've downloaded the sample application. You can do this by just clicking on the application name.

Running the scan

Now, let's come back to our scanner. I'm going to select the sample applications I've downloaded. You can select a name for your report and also make it password protected. I like this feature. Let me tell you why.

Suppose you build an application and run the scanner. You've got a list of vulnerabilities that exist in the application. You wouldn't want this information to get into the hands of any unauthorized person, especially a hacker.

If a hacker did have access to this information, it would just make things easy for them. Even though you would fix the vulnerabilities, the hacker would know which vulnerability was fixed, and that reveals a lot of information about your application. Now, even if a hacker somehow gets access to your email address, they still wouldn't be able to look at the report because it is password protected.

After you've selected the application and filled in other details, click on the START SCAN button to start scanning. Give it some time, and once the scan is complete, the report will be sent to your email address.

Scan report

To view the scan results, you'll have to click on the link sent to your email address. You'll be asked to enter your username and password, and on correct entry, you'll be shown the report.

The result page has four main categories:

  1. Summary

  2. Policy violations

  3. Security issues

  4. License analysis

Let me tell you about each of these.

Summary

Here, you'll see the summary of the results. Obviously, that's self-explanatory. The summary is helpful when you want to have a quick peek of your scan's result.

Under the summary tab, you'll see the scope of analysis, the number of alerts under different categories, and the number of vulnerabilities found under different levels: moderate, severe, or critical. This gives you an idea of how serious the effect of a particular problem can be.

Nexus Vulnerability Scanner Summary

Nexus Vulnerability Scanner Security Issues

Nexus Vulnerability Scanner License Analysis

 

Policy violations

Under this tab, you'll see the details about all the alerts related to policy violations. A policy violation is doing something against the standards of the organization.

The first sub-tab shows you which component contains the problem. This helps in debugging. It wouldn't make a big difference in a small application. However, in a large-scale application, this information will save you time in searching for the component.

Nexus Vulnerability Scanner Security Details

Nexus Vulnerability Scanner Policy Threat 1

Nexus Vulnerability Scanner Policy Threat 2The next sub-tab will show you the policy details. In this case, there are three security issues. You can also see the Common Vulnerabilities and Exposures (CVE) number which would help you learn more about the vulnerability.

Nexus Vulnerability Scanner Policy Threat DetailsThis feature of Sonatype Vulnerability Scanner is one of my favorites. I've used a lot of vulnerability scanners, and most of them just look for vulnerabilities and ignore the policies. This feature will really help you, as a developer, solve policy issues.

Security issues

This is one of the most important parts of the report and the reason why vulnerability scanners are used. The security issues tab lists out the number of issues found, their threat level, the component in which the threat was found, and the vulnerability.

Nexus Vulnerability Scanner Threat Level

One of the things under this tab that I found very informative is the problem code. The problem code is a unique identifier to that particular vulnerability. You'll find this helpful when you want to understand more about that vulnerability. This also helps you understand how that particular vulnerability can be exploited.

If you want to know more about problem codes and have a look at the vulnerability and exploit database, check this link.

To know more about the security issues found by the scanner, you can click on the problem code and it will show you a pop-up with more details.

Vulnerability

Vulnerability Description

License analysis

This tab will display policy violations with regard to the license of the application. Here again, you'll find the details about the component and the policy that is violated.

Nexus Vulnerability Scanner License Analysis-1

Why you should use Sonatype Vulnerability Scanner

As I mentioned earlier, I've used a lot of vulnerability scanners. One major benefit of Sonatype Vulnerability Scanner is that it's one of the lightest scanners. It's just about 40+ MB in size. This makes it easy for you if you want to use the scan on multiple host systems because it doesn't take much time to download. (You can also upload your application to Sonatype Vulnerability Scanner in the cloud if you would prefer not to download the scanner.)

Additionally, installing and setting up the scanner is easy. All you have to do is download and extract. The application is in the form of an executable JAR file.

Also, the results are presented well. As you've seen in the screenshots above, it's very easy to analyze the results. Scanners such as Nmap and Nikto show the results on the terminal by just printing out the vulnerability issue. This looks unpleasant compared to the way Sonatype Vulnerability Scanner displays the results.

And, finally, displaying the level of threat will help you prioritize your tasks when fixing problems.

Overall, Sonatype Vulnerability Scanner is a useful tool, and I'd suggest you try this scan and get the feel of it.

Picture of Omkar Hiremath

Written by Omkar Hiremath

Omkar Hiremath uses his MCA in computer science to share theoretical and demo-based learning on various areas of technology, like ethical hacking, Python, blockchain, and Hadoop.