Chrome Plugin for use with Nexus IQ server
Chrome Extension for Sonatype Nexus IQ

Purpose

To allow you to inspect a package before you download it. The plugin requires a valid Sonatype Nexus Lifecycle instance, which means you must be licensed to use this plugin. The plugin can scan packages at the following repositories:

  1. Java - maven - https://search.maven.org/
  2. Java - maven - https://mvnrepository.com/
  3. JS/Node - npm - https://www.npmjs.com/
  4. .Net - nuget - https://www.nuget.org/
  5. Ruby - rubygems - https://rubygems.org/
  6. Python - pypi - https://pypi.org/
  7. php - packagist/composer/ - https://packagist.org/
  8. R - CRAN - https://cran.r-project.org/
  9. Rust - Crates - https://crates.io/
  10. Golang - Go - https://search.gocenter.io/
  11. Github - any language - https://github.com/jquery/jquery/releases/tag/1.11.1
  12. Nexus Proxy Repos - supported repository formats are maven2, npm, rubygems and nuget e.g. http://nexus:8081/#browse/browse:maven-central:commons-collections%2Fcommons-collections%2F3.2.1
  13. Artifactory Proxy Repos - supported repository formats are maven2 and npm e.g. https://repo.spring.io/webapp/#/artifacts/browse/tree/General/npmjs-cache/parseurl/-/parseurl-1.0.1.tgz
  14. Artifactory Repo lists - e.g. https://repo.spring.io/list/jcenter-cache/org/cloudfoundry/cf-maven-plugin/1.1.3/

Data

The data is sourced from Sonatype Nexus Lifecycle's IQ Server, which accesses the Sonatype Data Services for the supported ecosystems, currently numbers 1-6 and 12-13 in the list above. Ecosystems 7-11 get their data from Sonatype OSSIndex ( https://ossindex.sonatype.org/ ).

Usage

  1. The install will create a new icon in your Chrome browser next to the location box.

Extensions Icon Created

  2. The plugin will work on any page that matches the URL list above.
  3. Navigate to one of the pages that the extension is compatible with (see the detailed list below).
  4. Click on the blue Sonatype logo...

Extension Lodash 4.17.9

  4.1 ...The solution will think for a second and show the Sonatype hexagon logo while it retrieves the data, then show the data.

Extension Thinking Icon

  5. Component Information

Extension Component Info

  6. Security Information. The security data is presented in a list with clickable sections for each vulnerability.

Extension Security List

  7. Security Details. The security details for each vulnerability are available. Click on the reference to display the security details.

Extension Vulnerability Detail

  8. Remediation. The version history is available for each component.

Extension Version History

  9. Remediation Guidance. The remediation guidance API has been added. The recommended fix version will be highlighted in green.

Extension Remediation Guidance

  10. License Information

Extension Licensing

  11. Unsupported page. If you click on an unsupported page then the following screen will appear.

Unsupported Page


Examples

The list of pages that are supported is given here, one entry per ecosystem, with the URL pattern and an example.

Java - maven

Pattern - https://search.maven.org/artifact/<group>/<artifact>/<version>/<extension>
e.g. https://search.maven.org/artifact/org.apache.struts/struts2-core/2.3.30/jar

Java - maven

Pattern - https://mvnrepository.com/artifact/<group>/<artifact>/<version>
e.g. https://mvnrepository.com/artifact/commons-collections/commons-collections/3.2.1

JS/Node - npm

Pattern - https://www.npmjs.com/package/<package>
e.g. https://www.npmjs.com/package/lodash/
and
Pattern - https://www.npmjs.com/package/<package>/v/<version>
e.g. https://www.npmjs.com/package/lodash/v/4.17.9

DotNet - nuget

Pattern - https://www.nuget.org/packages/<package>/<version>
e.g. https://www.nuget.org/packages/LibGit2Sharp/0.20.1

Ruby - rubygems

Pattern - https://rubygems.org/gems/<package>
e.g. https://rubygems.org/gems/bundler

Python - pypi

Pattern - https://pypi.org/<package>/
e.g. https://pypi.org/project/Django/
or Pattern - https://pypi.org/<package>/<version>/
e.g. https://pypi.org/project/Django/1.6/

php - packagist/composer/

Pattern - https://packagist.org/
e.g. https://packagist.org/packages/drupal/drupal

R - CRAN

Pattern - https://cran.r-project.org/
e.g. https://cran.r-project.org/web/packages/A3/index.html

Rust - Crates

Pattern - https://crates.io/
e.g. https://crates.io/crates/random

Golang - Gocenter

Pattern - https://search.gocenter.io/
e.g. https://search.gocenter.io/github.com~2Fetcd-io~2Fetcd/versions

Github - any language supported by OSSIndex, but only the releases tag is supported at this stage

e.g. https://github.com/jquery/jquery/releases/tag/1.11.1

NexusRepo - npm, maven2 and rubygems

e.g. http://nexus:8081/#browse/browse:rubygems-proxy:nexus%2F1.4.0%2Fnexus-1.4.0.gem
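As an added example (not code from the extension itself), here is how the URL patterns above can be mapped to package coordinates in JavaScript, the extension's own language. It goes slightly beyond the list by also accepting scoped npm names (@scope/name), and it only matches a rule when the hostname is exactly the registry's, so a lookalike host never triggers a lookup.

```javascript
// Added example, not the extension's own code: map a package page URL to
// the package coordinates the extension would look up, using the URL
// patterns documented in the Examples section. One rule per registry;
// the regex runs over the decoded pathname and the capture groups carry
// the coordinates.
const RULES = [
  { format: 'maven', host: 'search.maven.org',
    re: /^\/artifact\/([^/]+)\/([^/]+)\/([^/]+)\/[^/]+$/,
    map: m => ({ group: m[1], artifact: m[2], version: m[3] }) },
  { format: 'maven', host: 'mvnrepository.com',
    re: /^\/artifact\/([^/]+)\/([^/]+)\/([^/]+)\/?$/,
    map: m => ({ group: m[1], artifact: m[2], version: m[3] }) },
  // npm: optional scope (@scope/name) and optional /v/<version>
  { format: 'npm', host: 'www.npmjs.com',
    re: /^\/package\/((?:@[^/]+\/)?[^/]+)(?:\/v\/([^/]+))?\/?$/,
    map: m => ({ name: m[1], version: m[2] || null }) },
  { format: 'nuget', host: 'www.nuget.org',
    re: /^\/packages\/([^/]+)\/([^/]+)\/?$/,
    map: m => ({ name: m[1], version: m[2] }) },
  { format: 'rubygems', host: 'rubygems.org',
    re: /^\/gems\/([^/]+)\/?$/,
    map: m => ({ name: m[1], version: null }) },
  // pypi: the example URLs use /project/<package>/[<version>/]
  { format: 'pypi', host: 'pypi.org',
    re: /^\/project\/([^/]+)\/(?:([^/]+)\/)?$/,
    map: m => ({ name: m[1], version: m[2] || null }) },
];

// Returns { format, ...coordinates } or null for an unsupported page
// (the case Usage step 11 describes).
function parsePackageUrl(url) {
  let u, path;
  try {
    u = new URL(url);
    path = decodeURIComponent(u.pathname);
  } catch (e) {
    return null;                 // not a URL, or malformed %-escapes
  }
  for (const rule of RULES) {
    // Exact hostname comparison: a lookalike host such as
    // www.npmjs.com.example must not be treated as the registry.
    if (u.hostname !== rule.host) continue;
    const m = rule.re.exec(path);
    if (m) return { format: rule.format, ...rule.map(m) };
  }
  return null;
}
```

Rules for the remaining registries and for the Nexus, Artifactory and GitHub release URLs would follow the same shape.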

Installation

  1. Download the plugin from GitHub: git clone https://github.com/sonatype-nexus-community/nexus-iq-chrome-extension.git
  2. Open Chrome Browser
  3. Click on the three dots, then More Tools, then Extensions
  4. Click on Load unpacked (requires "Developer Mode" to be enabled)
  5. Navigate to the folder where you downloaded the plugin from GitHub onto your local machine.
  6. You will be prompted to enter your login details. (Important: please note that this version stores your details in plain text in Chrome Storage. We are investigating secure storage but at this time we do not support it.)
  7. Select an Application to link to this plugin. The application is required to perform the advanced history and remediation scanning now available.
  8. Click Save to save your credentials.
     1. You will be advised that your details are saved. Click Close when you are done and you will be taken back to the Extensions install screen in Chrome. Close the screen and begin using.
     2. The installer will have created a new icon in your Chrome Menu Bar.

Uninstall

If you do not want to use the extension then you can right-click on the icon and choose Remove from Chrome.

Version History

No longer documented here. Go to the releases tab.

Version 1.7.7

  • Bug fix whereby sometimes the Waiting page would sit there forever, due to the content script not being injected. The content script now seems to be injected every time, as I inject it with code rather than via the manifest.json declaration.

Version 1.7.6

  • Release fixes

Version 1.7.5

  • Added README.md

Version 1.7.4-Styling

  • Styling of User interface

Version 1.7.3-All URLS

  • Supports running IQ Server on any URL
  • Fixed various bugs

Version 1.7.2-added new formats

  • added new formats
  • Fixed various bugs
  • Added unit tests
Formats/package manager pages supported as of 1.7.2

Version 1.7.1 - Fixed popup

  • Fixed popup logic bug.
  • Began adding testing

Version 1.7 - initial release

Complete rewrite to fix the cookie problem with calling Nexus IQ Server. I have decided the best way to fix the security issues for now is to limit access to http://iq-server:8070. So you will have to alias your localhost as iq-server in your /etc/hosts file to use this plugin for now. I will think about a change which gives access to all URLs, like so:

Add *://*/* to the permissions section like so:

"permissions": [ "*://*/*",

This would then mean you would not need to alias Nexus IQ.

Supports scanning components in the following repos

The Fine Print

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!).

Remember:

  • Use this contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to chrome-extension support in regard to this project
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all:

Have fun creating and using chrome-extension, we are glad to have you here!
