This plugin allows you to inspect a package before you download it. The plugin requires a valid Sonatype Nexus Lifecycle instance, which means you must be licensed to use it. The plugin can scan packages from the following repositories:
- Java - maven - https://search.maven.org/
- Java - maven - https://mvnrepository.com/
- JS/Node - npm - https://www.npmjs.com/
- .Net - nuget - https://www.nuget.org/
- Ruby - rubygems - https://rubygems.org/
- Python - pypi - https://pypi.org/
- php - packagist/composer/ - https://packagist.org/
- R - CRAN - https://cran.r-project.org/
- Rust - Crates - https://crates.io/
- Golang - Go - https://gocenter.jfrog.com/
The data is sourced from Lifecycle's IQ Server, which queries the Sonatype Data Services for the supported ecosystems, currently items 1-6 above. Items 7-10 get their data from Sonatype OSSIndex (https://ossindex.sonatype.org/).
1. The install will create a new icon in your Chrome browser next to the location box.
2. The plugin will work on any new page opened after install. It will not work on pages already open at the time of install.
3. Navigate to one of the pages that the extension is compatible with (see the detailed list below).
4. Click on the blue Sonatype logo.
   4.1 The solution will think for a second and then show the data.
5. Component Information
6. License Information
7. Security Information. The security data is presented in a list with clickable sections for each vulnerability.
8. Security Details. The security details for each vulnerability are available. Click on the reference to display the security details.
9. Version History. The version history is available for each component.
10. Remediation Guidance. The remediation guidance API has been added. The recommended fix version will be highlighted in green.
The supported pages are listed here.
Pattern - https://search.maven.org/artifact/<group>/<artifact>/<version>/<extension>
e.g. https://search.maven.org/artifact/org.apache.struts/struts2-core/2.3.30/jar
Pattern - https://mvnrepository.com/artifact/<group>/<artifact>/<version>
e.g. https://mvnrepository.com/artifact/commons-collections/commons-collections/3.2.1
Pattern - https://www.npmjs.com/package/<package>
e.g. https://www.npmjs.com/package/lodash/
or Pattern - https://www.npmjs.com/package/<package>/v/<version>
e.g. https://www.npmjs.com/package/lodash/v/4.17.9
Pattern - https://www.nuget.org/packages/<package>/<version>
e.g. https://www.nuget.org/packages/LibGit2Sharp/0.20.1
Pattern - https://rubygems.org/gems/<package>
e.g. https://rubygems.org/gems/bundler
Pattern - https://pypi.org/<package>/
e.g. https://pypi.org/project/Django/
or Pattern - https://pypi.org/<package>/<version>/
e.g. https://pypi.org/project/Django/1.6/
Pattern - https://packagist.org/
e.g. https://packagist.org/packages/drupal/drupal
Pattern - https://cran.r-project.org/
e.g. https://cran.r-project.org/web/packages/A3/index.html
Pattern - https://crates.io/
e.g. https://crates.io/crates/random
Pattern - https://search.gocenter.io/
e.g. https://search.gocenter.io/github.com~2Fjbenet~2Fgo-random/versions
e.g. https://github.com/jquery/jquery/releases/tag/1.11.1
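As an added example (not the extension's own code), the following JavaScript turns each supported page URL listed above into a component identifier, which is the first thing a content script has to do before it can ask IQ Server about the package. It follows the README's example URLs (so PyPI pages are matched under `/project/`), treats scoped npm packages as a single name, decodes the `~2F` separator in GoCenter paths, and returns null for any page that is not on the supported list, so nothing is looked up for unrecognized sites. The `format` labels and the `{ format, name, version }` output shape are assumptions, not the extension's API.

```javascript
// Added example, not the extension's own code: map a supported page URL to the
// component it describes, following the example URLs in this README.
// Output shape (an assumption): { format, name, version }, with version null
// when the page shows the package's latest version.

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// One rule per supported site: exact host, a path regex, and a builder that
// turns the regex groups into the component identifier.
const URL_RULES = [
  // https://search.maven.org/artifact/<group>/<artifact>/<version>/<extension>
  { host: "search.maven.org",
    re: /^\/artifact\/([^/]+)\/([^/]+)\/([^/]+)\/([^/]+)\/?$/,
    build: (m) => ({ format: "maven", name: `${m[1]}:${m[2]}`, version: m[3], extension: m[4] }) },
  // https://mvnrepository.com/artifact/<group>/<artifact>/<version>
  { host: "mvnrepository.com",
    re: /^\/artifact\/([^/]+)\/([^/]+)\/([^/]+)\/?$/,
    build: (m) => ({ format: "maven", name: `${m[1]}:${m[2]}`, version: m[3] }) },
  // https://www.npmjs.com/package/<package>[/v/<version>]; a scoped package
  // (@scope/name) contains a slash, so it is matched as one optional prefix
  { host: "www.npmjs.com",
    re: /^\/package\/((?:@[^/]+\/)?[^/]+)(?:\/v\/([^/]+))?\/?$/,
    build: (m) => ({ format: "npm", name: m[1], version: m[2] ?? null }) },
  // https://www.nuget.org/packages/<package>/<version>
  { host: "www.nuget.org",
    re: /^\/packages\/([^/]+)\/([^/]+)\/?$/,
    build: (m) => ({ format: "nuget", name: m[1], version: m[2] }) },
  // https://rubygems.org/gems/<package>
  { host: "rubygems.org",
    re: /^\/gems\/([^/]+)\/?$/,
    build: (m) => ({ format: "gem", name: m[1], version: null }) },
  // https://pypi.org/project/<package>/[<version>/] as in the README examples
  { host: "pypi.org",
    re: /^\/project\/([^/]+)(?:\/([^/]+))?\/?$/,
    build: (m) => ({ format: "pypi", name: m[1], version: m[2] ?? null }) },
  // https://packagist.org/packages/<vendor>/<package>
  { host: "packagist.org",
    re: /^\/packages\/([^/]+)\/([^/]+)\/?$/,
    build: (m) => ({ format: "composer", name: `${m[1]}/${m[2]}`, version: null }) },
  // https://cran.r-project.org/web/packages/<package>/index.html
  { host: "cran.r-project.org",
    re: /^\/web\/packages\/([^/]+)\/index\.html$/,
    build: (m) => ({ format: "cran", name: m[1], version: null }) },
  // https://crates.io/crates/<package>
  { host: "crates.io",
    re: /^\/crates\/([^/]+)\/?$/,
    build: (m) => ({ format: "cargo", name: m[1], version: null }) },
  // https://search.gocenter.io/<module with "/" encoded as "~2F">/versions
  { host: "search.gocenter.io",
    re: /^\/([^/]+)\/versions\/?$/,
    build: (m) => ({ format: "golang", name: m[1].replace(/~2F/g, "/"), version: null }) },
  // https://github.com/<owner>/<repo>/releases/tag/<version>
  { host: "github.com",
    re: /^\/([^/]+)\/([^/]+)\/releases\/tag\/([^/]+)\/?$/,
    build: (m) => ({ format: "github", name: `${m[1]}/${m[2]}`, version: m[3] }) },
];

// Returns the component for a supported page, or null for anything else.
function identifyComponent(pageUrl) {
  let u;
  try { u = new URL(pageUrl); } catch { return null; }
  if (u.protocol !== "https:") return null;          // every supported site is https
  for (const rule of URL_RULES) {
    if (u.hostname !== rule.host) continue;
    const m = rule.re.exec(u.pathname);
    if (m) return rule.build(m.map((g) => (g === undefined ? undefined : safeDecode(g))));
  }
  return null;                                        // not a supported page: do nothing
}

// Constructed demo input: README example pages plus one unsupported URL.
const DEMO_PAGES = [
  "https://search.maven.org/artifact/org.apache.struts/struts2-core/2.3.30/jar",
  "https://www.npmjs.com/package/lodash/v/4.17.9",
  "https://pypi.org/project/Django/1.6/",
  "https://search.gocenter.io/github.com~2Fjbenet~2Fgo-random/versions",
  "https://example.com/package/lodash",
];
if (typeof require !== "undefined" && require.main === module) {
  for (const page of DEMO_PAGES) console.log(page, "->", identifyComponent(page));
}
```

Matching on the exact hostname and an anchored path regex, rather than a substring test, is what keeps the lookup from firing on look-alike pages such as `https://example.com/package/lodash`.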
1. Download the plugin from GitHub: git clone https://github.com/sonatype-nexus-community/nexus-iq-chrome-extension.git
2. Open the Chrome browser.
3. Click on the three dots, then More Tools, then Extensions.
4. Click on "Load unpacked" (requires "Developer Mode" to be enabled).
5. Navigate to the folder on your local machine where you cloned the plugin from GitHub.
6. You will be prompted to enter your login details. (Important: this version stores your details in plain text in Chrome Storage. We are investigating secure storage, but at this time we do not support it.)
7. Select an application to link to this plugin. The application is required to perform the advanced version history and remediation scanning now available.
8. Click Save to save your credentials.
9. You will be advised that your details are saved. Click Close when you are done and you will be taken back to the Extensions screen in Chrome. Close the screen and begin using the plugin.
10. The installer will have created a new icon in your Chrome menu bar.
If you do not want to use the extension, right-click on the icon and choose "Remove from Chrome".
No longer documented here. Go to the releases tab.
- Bug fix whereby sometimes the Waiting page would sit there forever because the content script was not being injected. The content script now seems to be injected every time, as it is injected from code rather than via the manifest.json declaration.
- Release fixes
- Added README.md
- Styling of User interface
- Supports running IQ Server on any URL
- Fixed various bugs
- Added new formats
- Fixed various bugs
- Added unit tests
- Java - maven - https://search.maven.org/
- Java - maven - https://mvnrepository.com/
- JS/Node - npm - https://www.npmjs.com/
- .Net - nuget - https://www.nuget.org/
- Ruby - rubygems - https://rubygems.org/
- Python - pypi - https://pypi.org/
- php - packagist/composer/ - https://packagist.org/
- R - CRAN - https://cran.r-project.org/
- Rust - Crates - https://crates.io/
- Golang - Go - https://gocenter.jfrog.com/
- Fixed popup logic bug.
- Began adding testing
Complete rewrite to fix a cookie problem when calling Nexus IQ Server. I have decided the best way to fix the security issues for now is to limit access to http://iq-server:8070, so you will have to alias your localhost as iq-server in your /etc/hosts file to use this plugin for now. I will think about a change that gives access to all URLs by adding `*://*/*` to the permissions section of the manifest, like so:

```json
"permissions": [ "*://*/*",
```

This would then mean you would not need to alias Nexus IQ.
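To make the trade-off in that permission change concrete, here is an added example (not the extension's own code) of a simplified matcher for Chrome host-permission match patterns, run over the two manifest choices above. The matcher assumes a pattern has the form `<scheme>://<host><path>`, that `*` as the scheme means http or https, that the host is `*`, `*.example.com` or an exact host that may carry a port, and that `*` in the path matches any run of characters; it illustrates the scope each permission grants and is not Chrome's exact matching code. The probe URLs and the `/api/v2/applications` path are constructed for the demonstration.

```javascript
// Added example, not the extension's own code: a simplified Chrome
// match-pattern matcher used to compare the host permissions discussed in
// this README. Assumptions: pattern = <scheme>://<host><path>; "*" scheme
// means http or https; host is "*", "*.example.com" or an exact host that may
// include a port; "*" in the path matches any run of characters.

function parsePattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  return { scheme: m[1], host: m[2], path: m[3] };
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Does a single match pattern cover the given URL?
function patternMatches(pattern, url) {
  const p = parsePattern(pattern);
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (p.scheme === "*" ? !(scheme === "http" || scheme === "https") : p.scheme !== scheme) {
    return false;
  }
  const host = u.port ? `${u.hostname}:${u.port}` : u.hostname;
  if (p.host === "*") {
    // any host is allowed
  } else if (p.host.startsWith("*.")) {
    const base = p.host.slice(2);
    if (host !== base && !host.endsWith("." + base)) return false;
  } else if (p.host !== host) {
    return false;
  }
  const pathRegex = new RegExp("^" + p.path.split("*").map(escapeRegex).join(".*") + "$");
  return pathRegex.test(u.pathname + u.search);
}

// Which of the given URLs could the extension reach under a permission set?
function reachableUrls(permissions, urls) {
  return urls.filter((url) => permissions.some((pattern) => patternMatches(pattern, url)));
}

// The two manifest choices discussed in the README.
const BROAD_PERMISSIONS = ["*://*/*"];
const SCOPED_PERMISSIONS = ["http://iq-server:8070/*"];

// Constructed probe URLs: the aliased IQ Server plus two unrelated sites a
// user might have open in the same browser.
const PROBE_URLS = [
  "http://iq-server:8070/api/v2/applications",
  "https://mail.example.com/inbox",
  "https://intranet.example.com/",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("broad :", reachableUrls(BROAD_PERMISSIONS, PROBE_URLS));
  console.log("scoped:", reachableUrls(SCOPED_PERMISSIONS, PROBE_URLS));
}
```

Under the scoped permission only the IQ Server URL is reachable, which is the property the /etc/hosts alias buys; under `*://*/*` every http and https origin the user visits is in scope, so removing the alias requirement widens what the extension is allowed to talk to, and a reviewer of the manifest should weigh that against the convenience.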
Supports scanning components in the following repos: