Sonatype Nexus IQ Lifecycle SCA Scan

The ZeroNorth platform orchestrates scans with Sonatype Nexus IQ Lifecycle to help identify open-source security risks.

Prerequisites

  • ZeroNorth platform license and credentials
  • Valid credentials for the Sonatype NexusIQ Lifecycle scanning server/service

Activate the “nexusiq-default” Scenario

To activate the “Sonatype” Scenario, refer to the article Activate Scenario - Sonatype NexusIQ Lifecycle.

Add Integration to Represent a Target Type

If you already have an Integration added with the Integration Type as “Artifact”, you can use the existing Integration for Sonatype. Otherwise, create a new Integration as follows:

  1. Go to znADM > Integrations.
  2. Click +Add Integration button on the top right of the screen.
  3. Set Initial Scans From as desired (see the related article Add an Integration (with GitHub example) for examples).
  4. Select Type as “Artifact”.
  5. Click Create Integration.

Add Target to be Scanned

Next, add a Target to the Integration:

  1. Go to znOPS > Targets.
  2. Click +Add Target button on the top right of the screen.
  3. Select the “Artifact” type Integration from above.
  4. Click Save.

Add a Policy for the Scan

  1. Go to znOPS > Policies.
  2. Click on the +Add Policy button on the bottom right of the screen.
  3. Enter the Name and optionally a Description.
  4. Select the previously created Integration and Target.
  5. Select the “Sonatype” Scenario that was previously activated.
  6. For Policy Type and related fields:
  • For a standard orchestrated scan with your Sonatype server, select “Orchestrated Scan” for Policy Type and enter a Product Name. The specified product name must not already exist in the Sonatype server.
  • To import existing Sonatype scan results from your Sonatype server into your ZeroNorth account, set Policy Type as “Data Load” and Application Lookup Strategy as “Discover Existing Applications”. Select the application from the resulting list. You can also discover the application by Public/Private ID.
  7. Click Save to create a new policy.

Running the Policy

As with most ZeroNorth scan Policies for Artifact type Targets, the scan is typically initiated from the CI/CD environment via one of the following approaches: