Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Chrome Extension for Sonatype Nexus IQ

DepShield Badge CircleCI


Table of Contents


To allow you to inspect a package before you download it. The plugin requires a valid Sonatype Nexus Lifecycle instance, which means you must be licensed to use this plugin.

The plugin can scan packages at the following repositories:

  1. .Net – NuGet –
  2. Alpine – Linux –
  3. Chocolatey – Windows –
  4. Clojars – Clojure –
  5. CocoaPods – iOS –
  6. Conan – C/C++ –
  7. Conda – Python –
  8. Debian – Linux –
  9. Debian – Linux –
  10. GitHub – releases –*/releases/tag/*
  11. Golang – Go –
  12. Java – Maven –
  13. Java – Maven –
  14. Java – Maven –
  15. Java – Maven –
  16. Java – Maven –
  17. JavaScript/Node – npm –
  18. PHP – Packagist/composer –
  19. Python – PyPI –
  20. R – CRAN – https://cran.r–
  21. Ruby – RubyGems –
  22. Rust – Crates –
  23. Nexus Proxy Repos – supported repository formats are maven2, npm, rubygems and nuget e.g. http://nexus:8081/#browse/browse:maven–central:commons–collections%2Fcommons–collections%2F3.2.1
  24. Artifactory Proxy Repos – supported repository formats are maven2 and npm e.g. https://artifactory-server/webapp/#/artifacts/browse/tree/General/npmjs–cache/parseurl/–/parseurl–1.0.1.tgz
  25. Artifactory Repo lists – e.g.–cache/org/cloudfoundry/cf–maven–plugin/1.1.3/


Sonatype Nexus Lifecycle nexus-iq-chrome-extension


The data is sourced from Sonatype Nexus Lifecycle's IQ Server, which accesses the Sonatype Data Services for those supported ecosystems. For some repositories e.g. Chocolatey, the extension gets its data from Sonatype OSSIndex ( ).


When you browse to a website that is covered by the tool, such as Maven Central and click on the plugin, it will open with the Sonatype Lifecycle data relevant to that library.

Main icon

Open Plugin

Remediation Guidance

  1. The install will create a new icon in your Chrome Browser next to the location box. Extensions Icon Created
  2. The plugin will work on any page that matches the URL list above.
  3. Navigate to one of the pages that the extension is compatible with (see the detailed list below).
  4. Click on the blue Sonatype logo...
    Extension Lodash 4.17.9
    4.1 ...The solution will think for a second and show the Sonatype hexagon logo while it retrieves the data...Then show the Data.
    Extension Thinking Icon
  5. Component Information
    Extension Componen Info
  6. Security Information
    The security data is presented in a list with clickable sections for each vulnerability.
    Extension Security List
  7. Security Details
    The security details for each vulnerability is available. Click on the reference to display the security details.
    Extension Vulnerability Detail
  8. Remediation
    The version history is available for each component.
    Extension Version History
  9. Remediation Guidance
    The remediation guidance API has been added. The recommended fix version will be listed at the top of the screen.
  10. License Information
    Extension Licensing
  11. Unsupported Page
    If you click on an unsupported page then the following screen will appear. Unsupported Page


The list of pages that are supported are here:

  1. Alpine – Linux –
  2. Chocolatey – Windows –
  3. Clojars – Clojure –
  4. Cocoa pods – iOS –
  5. Conan – C/C++ –
  6. Conda – Python –
  7. Debian – Linux –
  8. Debian – Linux –

dotNet - nuget

Pattern -<package>/<version>

Github - any language supported by OSSIndex but only supports the releases tag at this stage

Golang - Gocenter

Java - Maven

Pattern -<group>/<artifact>/<version>/<extension>

Pattern -<group>/<artifact>/<version>

Pattern -<group>/<artifact>/<version>/

Pattern -<group>/<artifact>/<version>/

JS/Node - npm

Pattern -<package>
Pattern -<package>/v/<version>

PHP - Packagist/Composer

Pattern -

Ruby - rubygems

Pattern -<package>

Python - pypi

Pattern -<package>/
or Pattern -<package>/<version>/


Pattern -

  1. Ruby – RubyGems –

Rust - Crates

Pattern -

NexusRepo - npm, Maven and rubygems

e.g. http://nexus:8081/#browse/browse:rubygems-proxy:nexus%2F1.4.0%2Fnexus-1.4.0.gem



  1. Install from Chrome Store
  2. Click Add to Chrome

Note: You will be asked to "Add Sonatype Nexus IQ Extension". Click "Add extension"

  1. You will be prompted to enter your login details. (Important: Please note that this version stores your details in plain text in Chrome Storage. We are investigated secure storage but at this time we do not support it. You can use a token for your password though.
  2. Select an Application to link to this plugin. The application is required to perform the advanced history and remediation scanning now available.
  3. Click Save to save your credentials.
  4. You will be advised that your details are saved. Click Close when you are done and You will be taken back to the Extensions Install screen in Chrome. Close the screen and begin using.
  5. The installer will have created a new icon in your Chrome Menu Bar.

Developer mode

  1. Download the plugin from GitHub git clone
  2. Open Chrome Browser.
  3. Click on the three dots, then More Tools, then Extensions.
  4. Click on load unpacked (requires "Developer Mode" to be enabled). drawing
  5. Navigate to the folder where you downloaded the plugin from GitHub onto your local machine. Select the src subdirectory and then click select
  6. Configure the plugin like in the Production mode...


If you do not want to use the extension then you can right click on the icon and choose Remove from Chrome

Version History

Go to the changelog


Please read the Contributing guide

The Fine Print

Supported by Sonatype