It is a fact that no software is built from scratch. Almost all of us use third-party libraries to speed up the development lifecycle. Hence it is important to ensure that the open source components used are safe; otherwise they could be the weakest link. This post introduces the possible integration between Sonatype's Nexus Lifecycle and the Atlassian toolset for DevSecOps.
The Sonatype Nexus platform addresses this challenge with earlier detection of security risks and non-compliance.
The products in the suite are:
- Nexus Lifecycle scans the open source components used and lists any reported vulnerabilities found. It also advises which versions are safe to use and shows the popularity of each open source component.
- Nexus Firewall prevents unauthorised or unsafe open source components from being downloaded from the Internet into your artifact repositories, such as Nexus Repository or JFrog Artifactory.
- Nexus Repository Manager caches public components locally and stores the binary artifacts generated by CI/CD tools.
Sonatype is a market leader in this area because of its comprehensive coverage and higher accuracy (fewer false positives and fewer false negatives).
Automated scanning during builds with Bamboo
With the Nexus IQ for Bamboo app, developers can easily add a step to the Bamboo build plan that performs the IQ Analysis Task.
With that, the scan results are visible for each build. Developers can easily compare a build against historical results via the Full Report link.
Note that the Nexus IQ server itself only displays the latest report for each stage of each application.
Policy Violation tracking using Jira
The Nexus IQ for Jira app can create Jira issues for selected policy violations.
This allows the development team to track the remediation task easily, and all discussions and decisions are kept in context alongside the report.
This reduces duplicate effort and speeds up resolution time, since teams can see how other teams solved the same issue.
The issue hierarchy is clearly structured: each IQ evaluation is a parent issue, with each affected component as a subtask.
A possible customisation would be to set the Affected Version(s) field.
Policy Violation Overview in Pull Requests from Bitbucket
The Sonatype Nexus Notifier for Bitbucket displays the Nexus Lifecycle policy evaluation information in pull requests.
With this feature, the gatekeeper can ensure that the changes introduced meet the quality and governance guidelines before merging them into master.
With the various integrations introduced, it is easier to ensure the delivery of quality software by empowering developers throughout the various stages of development.
Security should be everyone’s responsibility
“You are only as good as your tools”
We are organising a series of contests for the IT folks in Singapore.
For this month, 10 lucky winners with the correct answers will each win an Allocacoc PowerCube Remote Original + PowerRemote.
Submissions will close on 31 August 2016 at 2359hrs Singapore time.
Terms and Conditions for the contest
- This contest is open only to citizens and permanent residents of Singapore aged 21 and above.
- No purchase is required. Contestants will have to like our Facebook page.
- Limited to 1 entry per person. Subsequent entries will be disqualified.
- Each correct entry will be limited to 1 lucky draw chance.
- The winners of each lucky draw will be picked from all eligible entries.
- The qualifying period for this draw is 1st August 2016 – 31st August 2016.
- The lucky draw will be conducted electronically on 15th September 2016.
- Winners will be notified by 16th September 2016 via a prize notification email.
- Lucky draw winners are required to respond within a week from the notification date in order to be eligible winners. Winners that do not respond will forfeit their prize.
- We reserve the right to deal with all unclaimed prizes in any manner deemed fit.
- Any personal information collected is for the sole purpose of conducting the Contest including the notification of the winners of the Contest. By participating in the Contest, participants consent to the Organiser’s use of their personal information in accordance with the terms and conditions of the Contest.
- We are not a supplier of the product(s) offered and shall not bear any liability in relation thereto.
- Akeles’ decision on all matters relating to the draws shall be final, binding and conclusive and no correspondence will be entertained.
- Participation in the Contest constitutes acceptance of the terms and conditions of the Contest.
This short video gives a good introduction on how teams use various Atlassian products to get work done:
- Confluence – for team content creation and sharing
- JIRA Software – for team planning and project management
- JIRA Service Desk – for team services and support applications
- HipChat – for team messaging and communications
- Bitbucket – for team code sharing and management
Each of them works well individually, and they integrate seamlessly with one another, giving a consistent user experience and a richer feature set.