How to integrate Sonatype Nexus Lifecycle with Atlassian Tools

25 February 2020

Introduction

No software is built entirely from scratch. Almost all of us use third-party libraries to speed up the development lifecycle, so it is important to ensure that the open source components we pull in are safe; otherwise they become the weakest link. This post introduces the possible integrations between Sonatype’s Nexus Lifecycle and the Atlassian toolset for DevSecOps.

The Sonatype Nexus platform addresses this challenge by detecting security risks and non-compliance earlier in the lifecycle.

Sandbox Application Build Report

The products in the suite are:

  • Nexus Lifecycle scans the open source components used and lists any reported vulnerabilities found. It also advises which version is safe to use and shows the popularity of each open source component.
  • Nexus Firewall prevents unauthorised or unsafe open source components from being downloaded from the Internet into your artifact repositories, such as Nexus Repository or JFrog Artifactory.
  • Nexus Repository Manager caches public components locally and stores the binary artifacts generated by CI/CD tools.

Sonatype is a market leader in this area because of its comprehensive coverage and higher accuracy (fewer false positives and fewer false negatives).

Integrations

Automated scanning during builds with Bamboo

With the Nexus IQ for Bamboo app, developers can easily add a step that runs the IQ Analysis Task to the Bamboo build plan.

Sonatype Task in Bamboo

Configure the Sonatype task in Bamboo

With that, the scan results are visible for each build, and developers can easily compare them against historical results via the Full Report link.
Note that the Nexus IQ server only displays the latest report for each stage of each application.

See the IQ Policy Evaluation results in Bamboo

Policy Violation tracking using Jira

The Nexus IQ for Jira app can create Jira issues for selected policy violations.
This lets the development team track the remediation work easily, and all discussions and decisions are kept in context alongside the report.
It also reduces duplicate effort and speeds up resolution, since teams can see how others have already solved the same issue.

Screenshot of Jira triggered by IQ Evaluation

The issue hierarchy is clearly structured: each IQ evaluation becomes a parent issue, with each affected component as a subtask.

A possible customisation would be to set the Affected Version(s) field.
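To make the parent/subtask structure and the Affected Version(s) customisation concrete, here is an added example (not code from the post or from Sonatype's Jira app) that maps one policy evaluation to Jira issue payloads. The evaluation dict is a constructed, simplified stand-in for an IQ report; the Jira field names (`summary`, `issuetype`, `parent`, `versions`) are standard Jira REST issue fields, and `versions` is how Jira exposes Affected Version(s).

```python
"""Map a Nexus IQ policy evaluation to Jira issue payloads (added example)."""

# Constructed sample evaluation; a real IQ report has a different shape.
CONSTRUCTED_EVALUATION = {
    "application": "sandbox-app",
    "stage": "build",
    "version": "1.4.0",  # application version that was evaluated
    "components": [
        {"name": "org.example:lib-a", "version": "2.1.0", "threat": 9,
         "policy": "Security-Critical", "recommended": "2.1.3"},
        {"name": "org.example:lib-b", "version": "0.9.0", "threat": 7,
         "policy": "Security-High", "recommended": "1.0.2"},
        {"name": "org.example:lib-c", "version": "3.0.0", "threat": 2,
         "policy": "License-Info", "recommended": None},
    ],
}


def build_jira_payloads(evaluation, project_key, min_threat=7):
    """Return (parent_issue, subtasks) for one IQ evaluation.

    Only violations at or above min_threat become subtasks: that is the
    'selected policy violations' idea, so informational findings do not
    flood the backlog. Subtasks are ordered by descending threat level.
    """
    app, stage, app_version = (evaluation["application"],
                               evaluation["stage"], evaluation["version"])
    selected = [c for c in evaluation["components"] if c["threat"] >= min_threat]
    affected = [{"name": app_version}]  # Jira 'Affected Version(s)' field
    parent = {
        "project": {"key": project_key},
        "issuetype": {"name": "Task"},
        "summary": f"IQ evaluation: {app} {app_version} ({stage}) - "
                   f"{len(selected)} policy violation(s)",
        "versions": affected,
    }
    subtasks = []
    for c in sorted(selected, key=lambda c: -c["threat"]):
        fix = f"upgrade to {c['recommended']}" if c["recommended"] else "no safe version known"
        subtasks.append({
            "project": {"key": project_key},
            "issuetype": {"name": "Sub-task"},
            # Placeholder: replace with the key Jira returns when the parent is created.
            "parent": {"key": "<PARENT-KEY>"},
            "summary": f"[{c['policy']}] {c['name']}:{c['version']} (threat {c['threat']})",
            "description": f"Recommended remediation: {fix}.",
            "versions": affected,
        })
    return parent, subtasks
```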

Policy Violation Overview in Pull Requests from Bitbucket

The Sonatype Nexus Notifier for Bitbucket displays the Nexus Lifecycle policy evaluation results in pull requests.
With this feature, the gatekeeper can ensure that the changes introduced meet the quality and governance guidelines before merging them to master.

Display the Policy Violation found in Bitbucket

Conclusion

With the integrations introduced above, it becomes easier to deliver quality software by empowering developers throughout the various stages of development.

Security should be everyone’s responsibility