chore(advisor)!: Remove the NexusIQ advisor

The NexusIQ advisor was originally created to assist with a migration
away from that commercial product. As that migration completed
successfully and no maintainer has access to a NexusIQ instance anymore,
it becomes infeasible to maintain.

So remove the NexusIQ advisor and replace various mentions, e.g. in
tests, with the similar but public OSSIndex advisor.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>

Author: sschuberth

.ort.yml

@@ -56,11 +56,6 @@ resolutions:
       This vulnerability is triggered by the org.springframework:spring-beans package which comes as a transitive
       dependency of the Jira REST client used by the notifier. The vulnerability applies only to Spring MVC or Spring
       WebFlux applications; so it is ineffective for the current usage scenario.
-  - id: "sonatype-2022-1764"
-    reason: "INEFFECTIVE_VULNERABILITY"
-    comment: >-
-      This is a duplicate for CVE-2022-22965 reported by Sonatype NexusIQ, as Sonatype reported this issue before a
-      CVE ID was officially released.
   - id: "CVE-2016-7954"
     reason: "INEFFECTIVE_VULNERABILITY"
     comment: >-

cli/src/funTest/assets/semver4j-ort-result.yml

@@ -374,26 +374,54 @@ advisor:
     tool_versions: {}
   config:
     config:
-      NexusIQ:
+      OssIndex:
         options:
-          server_url: "https://oss-review-toolkit.org"
-          browse_url: "https://oss-review-toolkit.org"
+          serverUrl: "https://ossindex.sonatype.org"
         secrets:
-          username: "user"
+          username: "username"
+          password: "password"
   results:
     Maven:junit:junit:4.12:
     - advisor:
-        name: "NexusIQ"
+        name: "OSSIndex"
         capabilities:
         - "VULNERABILITIES"
       summary:
-        start_time: "2021-04-29T14:54:17.322191Z"
-        end_time: "2021-04-29T14:54:18.966672Z"
+        start_time: "2024-09-09T09:06:07.446242337Z"
+        end_time: "2024-09-09T09:06:08.652601586Z"
       vulnerabilities:
       - id: "CVE-2020-15250"
+        summary: "[CVE-2020-15250] CWE-200: Information Exposure"
+        description: "In JUnit4 from version 4.7 and before 4.13.1, the test rule\
+          \ TemporaryFolder contains a local information disclosure vulnerability.\
+          \ On Unix like systems, the system's temporary directory is shared between\
+          \ all users on that system. Because of this, when files and directories\
+          \ are written into this directory they are, by default, readable by other\
+          \ users on that same system. This vulnerability does not allow other users\
+          \ to overwrite the contents of these directories or files. This is purely\
+          \ an information disclosure vulnerability. This vulnerability impacts you\
+          \ if the JUnit tests write sensitive information, like API keys or passwords,\
+          \ into the temporary folder, and the JUnit tests execute in an environment\
+          \ where the OS has other untrusted users. Because certain JDK file system\
+          \ APIs were only added in JDK 1.7, this this fix is dependent upon the version\
+          \ of the JDK you are using. For Java 1.7 and higher users: this vulnerability\
+          \ is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available,\
+          \ you must use the workaround below. If you are unable to patch, or are\
+          \ stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment\
+          \ variable to a directory that is exclusively owned by the executing user\
+          \ will fix this vulnerability. For more information, including an example\
+          \ of vulnerable code, see the referenced GitHub Security Advisory."
         references:
-        - url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250"
-          scoring_system: "CVSS2"
+        - url: "https://ossindex.sonatype.org/vulnerability/CVE-2020-15250?component-type=maven&component-name=junit%2Fjunit&utm_source=okhttp&utm_medium=integration&utm_content=4.12.0"
+          scoring_system: "CVSS:3.1"
+          severity: "MEDIUM"
+          score: 5.5
+        - url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15250"
+          scoring_system: "CVSS:3.1"
+          severity: "MEDIUM"
+          score: 5.5
+        - url: "https://github.com/advisories/GHSA-269g-pwp5-87pp"
+          scoring_system: "CVSS:3.1"
           severity: "MEDIUM"
           score: 5.5
 evaluator: null

clients/nexus-iq/build.gradle.kts

@@ -215,7 +215,7 @@ fun RuleSet.vulnerabilityInPackageRule() = packageRule("VULNERABILITY_IN_PACKAGE
 
 fun RuleSet.highSeverityVulnerabilityInPackageRule() = packageRule("HIGH_SEVERITY_VULNERABILITY_IN_PACKAGE") {
     val scoreThreshold = 5.0f
-    val scoringSystem = "CVSS2"
+    val scoringSystem = "CVSS:3.1"
 
     require {
         -isExcluded()

clients/nexus-iq/src/main/kotlin/NexusIqService.kt

@@ -25,7 +25,7 @@ complete -c ort -n "__fish_seen_subcommand_from advise" -l output-dir -s o -r -F
 complete -c ort -n "__fish_seen_subcommand_from advise" -l output-formats -s f -r -fa "JSON YAML" -d 'The list of output formats to be used for the ORT result file(s).'
 complete -c ort -n "__fish_seen_subcommand_from advise" -l label -s l -r -d 'Set a label in the ORT result, overwriting any existing label of the same name. Can be used multiple times. For example: --label distribution=external'
 complete -c ort -n "__fish_seen_subcommand_from advise" -l resolutions-file -r -F -d 'A file containing issue and rule violation resolutions.'
-complete -c ort -n "__fish_seen_subcommand_from advise" -l advisors -s a -r -d 'The comma-separated advisors to use, any of [NexusIQ, OSSIndex, OSV, VulnerableCode].'
+complete -c ort -n "__fish_seen_subcommand_from advise" -l advisors -s a -r -d 'The comma-separated advisors to use, any of [OSSIndex, OSV, VulnerableCode].'
 complete -c ort -n "__fish_seen_subcommand_from advise" -l skip-excluded -d 'Do not check excluded projects or packages.'
 complete -c ort -n "__fish_seen_subcommand_from advise" -s h -l help -d 'Show this message and exit'
 

clients/nexus-iq/src/test/kotlin/NexusIqServiceTest.kt

@@ -136,14 +136,6 @@ ort:
         secrets:
           token: githubAccessToken
 
-      NexusIQ:
-        options:
-          serverUrl: 'https://rest-api-url-of-your-nexus-iq-server'
-          browseUrl: 'https://web-browsing-url-of-your-nexus-iq-server'
-        secrets:
-          username: username
-          password: password
-
       OssIndex:
         options:
           serverUrl: 'https://ossindex.sonatype.org/'

examples/example.rules.kts

@@ -143,18 +143,6 @@ class OrtConfigurationTest : WordSpec({
                         )
                     }
 
-                    get("NexusIQ") shouldNotBeNull {
-                        options shouldContainExactly mapOf(
-                            "serverUrl" to "https://rest-api-url-of-your-nexus-iq-server",
-                            "browseUrl" to "https://web-browsing-url-of-your-nexus-iq-server"
-                        )
-
-                        secrets shouldContainExactly mapOf(
-                            "username" to "username",
-                            "password" to "password"
-                        )
-                    }
-
                     get("OssIndex") shouldNotBeNull {
                         options shouldContainExactly mapOf(
                             "serverUrl" to "https://ossindex.sonatype.org/"

integrations/completions/ort-completion.fish

@@ -770,10 +770,6 @@ advisor:
     tool_versions: {}
   config:
     config:
-      NexusIQ:
-        options:
-          server_url: "https://rest-api-url-of-your-nexus-iq-server"
-          browse_url: "https://web-browsing-url-of-your-nexus-iq-server"
       Vulnerable_code:
         options:
           server_url: "http://localhost:8000"

model/src/main/resources/reference.yml

@@ -770,10 +770,6 @@ advisor:
     tool_versions: {}
   config:
     config:
-      NexusIQ:
-        options:
-          server_url: "https://rest-api-url-of-your-nexus-iq-server"
-          browse_url: "https://web-browsing-url-of-your-nexus-iq-server"
       Vulnerable_code:
         options:
           server_url: "http://localhost:8000"

model/src/test/kotlin/config/OrtConfigurationTest.kt

@@ -770,13 +770,12 @@ advisor:
     tool_versions: {}
   config:
     config:
-      NexusIQ:
+      OssIndex:
         options:
-          server_url: "https://rest-api-url-of-your-nexus-iq-server"
-          browse_url: "https://web-browsing-url-of-your-nexus-iq-server"
-      Vulnerable_code:
-        options:
-          server_url: "http://localhost:8000"
+          serverUrl: "https://ossindex.sonatype.org"
+        secrets:
+          username: "username"
+          password: "password"
   results:
     Maven:org.apache.commons:commons-text:1.1:
     - advisor:

plugins/advisors/nexus-iq/build.gradle.kts

@@ -30,7 +30,6 @@ include(":clients:bazel-module-registry")
 include(":clients:clearly-defined")
 include(":clients:dos")
 include(":clients:fossid-webapp")
-include(":clients:nexus-iq")
 include(":clients:oss-index")
 include(":clients:osv")
 include(":clients:vulnerable-code")
@@ -53,7 +52,6 @@ project(":clients:bazel-module-registry").name = "bazel-module-registry-client"
 project(":clients:clearly-defined").name = "clearly-defined-client"
 project(":clients:dos").name = "dos-client"
 project(":clients:fossid-webapp").name = "fossid-webapp-client"
-project(":clients:nexus-iq").name = "nexus-iq-client"
 project(":clients:oss-index").name = "oss-index-client"
 project(":clients:osv").name = "osv-client"
 project(":clients:vulnerable-code").name = "vulnerable-code-client"

plugins/advisors/nexus-iq/src/main/kotlin/NexusIq.kt

@@ -14,22 +14,6 @@ The providers require specific configuration in the [ORT configuration file](htt
 When executing the advisor, the providers to enable are selected with the `--advisors` option (or its short alias `-a`); here a comma-separated list with provider IDs is expected.
 The following sections describe the providers supported by the advisor:
 
-## NexusIQ
-
-A security data provider that queries [Nexus IQ Server](https://help.sonatype.com/iqserver).
-In the configuration, the URL of the Nexus IQ Server the credentials must be provided:
-
-```yaml
-ort:
-  advisor:
-    nexusIq:
-      serverUrl: "https://nexusiq.ossreviewtoolkit.org"
-      username: myUser
-      password: myPassword
-```
-
-To enable this provider, pass `-a NexusIQ` on the command line.
-
 ## OSS Index
 
 This vulnerability provider does not require any further configuration as it uses the public service at https://ossindex.sonatype.org/.