General Knowledge:

1. What is Sonatype Nexus, and why is it used?
   • Sonatype Nexus is a repository manager that aids in storing, managing, and distributing software components and dependencies. It ensures efficient and secure access to libraries and components.
2. Name some popular package formats supported by Nexus.
   • Nexus supports various package formats such as Maven, npm, NuGet, PyPI, and more.
3. What are the benefits of using Nexus Repository Manager?
   • Benefits include centralized artifact management, improved build performance, dependency security, and reduced risk of external repository downtime.
4. Explain the concept of a repository proxy.
   • A repository proxy in Nexus serves as a cache for remote repositories. It fetches and stores artifacts from external sources, improving performance and reliability.
5. How does Nexus contribute to secure software development?
   • Nexus integrates with vulnerability scanning tools, enforces access controls, and facilitates the use of trusted artifacts, reducing security risks.
6. What are repository groups, and why are they useful?
   • Repository groups combine multiple repositories into a single virtual repository. This simplifies configuration and provides a unified view of artifacts.
7. Describe the purpose of repository health checks.
   • Repository health checks monitor the state of repositories, identifying issues and ensuring they are properly maintained.
8. What is the difference between Nexus OSS (Open Source) and Nexus Pro (Professional)?
   • Nexus OSS is the free, open-source version, while Nexus Pro is the commercial version with advanced features like support for staging and promotions.
9. How can you ensure efficient artifact search and retrieval in Nexus?
   • By using Nexus’ search functionality and by organizing artifacts with appropriate naming and versioning conventions.
10. What is Nexus Smart Proxy and how does it enhance performance?
    • Nexus Smart Proxy extends repository proxies to remote locations, providing local caching and faster access to artifacts for geographically distributed teams.

Installation and Configuration:

11. What are the steps to install Nexus Repository Manager?
    • Download the distribution, extract files, configure repository storage, and start the Nexus server.
12. How can you change the default port that Nexus listens on?
    • Modify the nexus.properties file and change the value of the application-port property.
13. Explain the concept of Blob Stores in Nexus.
    • Blob Stores manage the storage of artifact binary data in Nexus, including proxy, hosted, and group repositories.
14. What is the purpose of the Nexus Configuration Management section?
    • It allows you to manage configuration settings, including security, LDAP, and repository-specific configurations.
15. How can you create a new repository in Nexus?
    • Navigate to the “Repositories” section, click “Create Repository,” select the repository type, and provide the required configuration details.

Artifact Management:

16. What is a snapshot repository, and how does it differ from a release repository?
    • A snapshot repository stores snapshots of artifacts under development, while a release repository contains stable, versioned releases.
17. How can you deploy artifacts to a Nexus repository using Maven?
    • Update your Maven settings.xml file with repository credentials, then use the mvn deploy command during the build process.
18. What is the purpose of artifact cleanup policies in Nexus?
    • Artifact cleanup policies help manage storage space by automatically removing older artifacts based on specified criteria.
19. Explain how Nexus ensures the consistency of Maven snapshots.
    • Nexus uses a timestamped directory structure to store snapshot artifacts, preventing overwrite and ensuring uniqueness.
20. How can you promote an artifact from a staging repository to a release repository?
    • Nexus Pro offers a staging suite that facilitates the promotion of artifacts through testing and quality assurance phases.

Security and Access Control:

21. What is role-based access control (RBAC) in Nexus?
    • RBAC in Nexus allows administrators to assign specific roles to users, determining their permissions within the repository manager.
22. How can you integrate Nexus with LDAP for user authentication?
    • Configure LDAP settings in Nexus’ security configuration, allowing users to authenticate using their LDAP credentials.
23. Explain how you can control access to specific repositories in Nexus.
    • By setting repository-level permissions and associating them with specific roles, you can control who can access or modify artifacts.
24. What is a privilege in Nexus, and how does it relate to security?
    • A privilege in Nexus defines a set of actions that a user can perform. It’s a key component in fine-tuning access control.
25. Describe how you can enforce SSL (HTTPS) communication in Nexus.
    • Configure Nexus to run behind a reverse proxy with SSL termination, ensuring encrypted communication.

Integration and Automation:

26. How can you automate the deployment of artifacts to Nexus using Jenkins?
    • Configure a Jenkins build job to build your project and deploy artifacts to Nexus using Maven or another build tool.
27. Explain how you can use Nexus REST API to perform various tasks.
    • The Nexus REST API allows you to programmatically interact with Nexus for tasks like artifact uploads, repository creation, and more.
28. What is a Nexus webhook, and how can you use it for integration?
    • A Nexus webhook is a mechanism for sending event notifications to external systems, allowing integration with other tools.
29. How can you integrate Nexus with CI/CD pipelines to ensure artifact availability?
    • By integrating Nexus into your CI/CD toolchain, you can ensure consistent access to required artifacts during the build and deployment processes.
30. What are repository health checks, and how can you automate them?
    • Repository health checks are automated processes that monitor repository health. You can schedule them to run regularly and ensure repositories are in good condition.

Troubleshooting and Maintenance:

31. Explain a situation where artifact downloads are slow in Nexus and how you would troubleshoot it.
    • This could be due to network issues or misconfigured proxies. Check network connectivity, proxy configurations, and consider using Nexus Smart Proxy for better performance.
32. Describe a scenario where you encounter issues with repository synchronization and how you would resolve it.
    • Check repository proxy settings, ensure remote repositories are accessible, and verify that Nexus is properly configured to retrieve artifacts.
33. How would you handle a situation where Nexus storage is running out of space?
    • Implement artifact cleanup policies to remove old artifacts, consider expanding storage, or optimize storage usage by removing unnecessary artifacts.
34. Explain how you would perform a backup and restore of Nexus configurations and repositories.
    • Regularly back up the nexus-data directory and relevant configuration files. To restore, reinstall Nexus and replace the nexus-data directory.
35. What steps would you take to upgrade Nexus to a newer version?
    • Review the upgrade documentation, back up data, stop the existing Nexus instance, install the new version, and migrate configurations and data.

Best Practices and Optimization:

36. What are some best practices to ensure efficient artifact management in Nexus?
    • Keep repositories organized, use version control, set up access

1. What is Sonatype Nexus?

Sonatype Nexus is a repository manager that organizes, stores, and distributes artifacts needed for development. It can be used to host both public and private software repositories.

2. What are the benefits of using Sonatype Nexus?

Some of the benefits of using Sonatype Nexus include:

• Centralized artifact management: Nexus provides a central location for storing and managing all of your artifacts, which can help to improve efficiency and reduce errors.
• Security: Nexus includes a number of security features to help protect your artifacts from unauthorized access and tampering.
• Compliance: Nexus can help you to comply with industry regulations, such as the OWASP Top 10.
• Scalability: Nexus is designed to be scalable, so it can easily grow with your needs.
• Flexibility: Nexus is highly configurable, so you can tailor it to meet your specific requirements.

3. What are the different types of repositories in Nexus Sonatype?

Nexus Sonatype provides for three different kinds of repositories:

• Proxy repositories: Proxy repositories are used to cache artifacts from remote repositories. This can improve performance by reducing the number of times that artifacts need to be downloaded from the original source.
• Hosted repositories: Hosted repositories are used to store artifacts that are specific to your organization. This can help to improve security and compliance by keeping your artifacts private.
• Virtual repositories: Virtual repositories are used to combine artifacts from multiple repositories. This can be useful for creating a single view of all of your artifacts.

4. What are the different ways to deploy Sonatype Nexus?

Sonatype Nexus can be deployed in a number of ways, including:

• On-premises: Nexus can be installed on your own servers. This gives you the most control over the deployment, but it also requires more resources and maintenance.
• In the cloud: Nexus is available as a cloud-based service. This is a convenient option that requires no upfront investment or maintenance.
• Hybrid: Nexus can be deployed in a hybrid environment, with some components on-premises and others in the cloud. This can be a good option for organizations that need the flexibility of the cloud but also want to retain some control over the deployment.

5. What are the different policies that can be applied to artifacts in Nexus Sonatype?

A number of policies can be applied to artifacts in Nexus Sonatype, including:

• Release policies: Release policies control when an artifact can be released to a repository. This can help to ensure that only stable and tested artifacts are released.
• Snapshot policies: Snapshot policies control when an artifact can be created as a snapshot. This can help to improve the performance of artifact downloads by caching frequently used snapshots.
• Access policies: Access policies control who can access an artifact. This can help to protect sensitive artifacts from unauthorized access.
• Retention policies: Retention policies control how long an artifact is kept in a repository. This can help to free up disk space and reduce the risk of security vulnerabilities.

6. What are the different ways to search for artifacts in Nexus Sonatype?

Artifacts in Nexus Sonatype can be searched by a number of criteria, including:

• Artifact name: This is the most common way to search for artifacts.
• Artifact version: This can be used to search for specific versions of an artifact.
• Artifact group: This can be used to search for artifacts that belong to a specific group.
• Artifact classifier: This can be used to search for artifacts that have a specific classifier.
• Artifact tags: This can be used to search for artifacts that have been tagged with specific keywords.

7. What are the different ways to manage users and permissions in Nexus Sonatype?

Users and permissions in Nexus Sonatype can be managed using the Nexus user interface or the Nexus API. The following permissions can be assigned to users:

• Read: This permission allows users to view artifacts in a repository.
• Write: This permission allows users to add, update, and delete artifacts in a repository.
• Admin: This permission allows users to manage all aspects of a repository, including users, permissions, and policies.

8. What are the different ways to integrate Nexus Sonatype with other tools?

Nexus Sonatype can be integrated with a number of other tools, including:

• CI/CD tools: Nexus Sonatype can be integrated with CI/CD tools to automate the deployment of artifacts.
• Security tools: Nexus Sonatype can be integrated with security tools to scan artifacts for vulnerabilities.
• Compliance tools: Nexus Sonatype can be integrated with compliance tools to help you meet industry regulations.
• Other repository managers: Nexus Sonatype can be integrated with other repository managers to create a unified view of your artifacts.

9. What are the benefits of using a repository manager?

A repository manager is a software application that helps you to store, manage, and distribute artifacts. Artifacts are the files that your software projects need to compile, run, and test. A repository manager can help you to:

• Centralize your artifact storage: This can help you to improve efficiency and reduce errors.
• Protect your artifacts from unauthorized access: A repository manager can help you to secure your artifacts with passwords and other security measures.
• Distribute your artifacts to your developers: A repository manager can make it easy for your developers to download the artifacts they need.
• Track your artifact usage: A repository manager can help you to track which artifacts are being used by your developers and how often they are being used.
• Scan your artifacts for vulnerabilities: A repository manager can scan your artifacts for vulnerabilities and notify you of any potential threats.

10. What are the different types of repository managers?

There are two main types of repository managers: commercial and open source. Commercial repository managers are typically more expensive than open source repository managers, but they often offer more features and support. Open source repository managers are a good option for organizations that want to save money or have specific requirements that are not met by commercial repository managers.

Some popular commercial repository managers include:

• Sonatype Nexus
• Artifactory
• JFrog Artifactory
• Red Hat JBoss Fuse

Some popular open source repository managers include:

• Maven Central
• Artifactory Community Edition
• JFrog Artifactory Community Edition
• Red Hat JBoss Fuse Community Edition

11. What are the best practices for using a repository manager?

The best practices for using a repository manager vary depending on the specific repository manager you are using. However, some general best practices include:

• Regularly scan your artifacts for vulnerabilities: This can help you to identify and fix any security vulnerabilities in your artifacts.
• Use content staging to prevent the release of vulnerable artifacts: Content staging is a feature that allows you to review artifacts before they are released to a repository. This can help you to prevent the release of vulnerable artifacts.
• Configure your repositories to only allow artifacts from trusted sources: This can help to protect your artifacts from unauthorized access.
• Use a password manager to protect your repository credentials: This can help to prevent unauthorized access to your repositories.
• Back up your repository data regularly: This can help you to recover from data loss or corruption.

12. What are the challenges of using a repository manager?

Some of the challenges of using a repository manager include:

• The learning curve: Repository managers can be complex to learn and use.
• The cost: Repository managers can be expensive, especially commercial repository managers.
• The security: Repository managers can be a target for security attacks.
• The scalability: Repository managers need to be scalable to meet the needs of growing organizations.
• The maintenance: Repository managers need to be maintained to ensure that they are running smoothly and securely.

13. What are the future trends for repository managers?

The future trends for repository managers include:

• Increased adoption of cloud-based repository managers: Cloud-based repository managers are becoming more popular because they offer a number of advantages, such as scalability, flexibility, and ease of management.
• Increased integration with other tools: Repository managers are becoming more integrated with other tools, such as CI/CD tools and security tools. This integration can help to improve the efficiency and security of software development.
• Increased focus on security: Repository managers are becoming more focused on security. This is due to the increasing number of security attacks targeting repository managers.
• Increased use of artificial intelligence and machine learning: Artificial intelligence and machine learning are being used to improve the performance and security of repository managers.

14. What are the different ways to configure Nexus Sonatype?

Nexus Sonatype can be configured in a number of ways, including:

• The Nexus user interface: The Nexus user interface is a graphical user interface that allows you to configure Nexus Sonatype.
• The Nexus API: The Nexus API is a programmatic interface that allows you to configure Nexus Sonatype programmatically.
• The Nexus configuration file: The Nexus configuration file is a text file that contains the configuration settings for Nexus Sonatype.

15. What are the different ways to manage users and permissions in Nexus Sonatype?

Users and permissions in Nexus Sonatype can be managed using the Nexus user interface or the Nexus API. The following permissions can be assigned to users:

• Read: This permission allows users to view artifacts in a repository.
• Write: This permission allows users to add, update, and delete artifacts in a repository.
• Admin: This permission allows users to manage all aspects of a repository, including users, permissions, and policies.

16. What are the different ways to integrate Nexus Sonatype with other tools?

Nexus Sonatype can be integrated with a number of other tools, including:

• CI/CD tools: Nexus Sonatype can be integrated with CI/CD tools to automate the deployment of artifacts.
• Security tools: Nexus Sonatype can be integrated with security tools to scan artifacts for vulnerabilities.
• Compliance tools: Nexus Sonatype can be integrated with compliance tools to help you meet industry regulations.
• Other repository managers: Nexus Sonatype can be integrated with other repository managers to create a unified view of your artifacts.

17. What are the different ways to troubleshoot Nexus Sonatype problems?

Nexus Sonatype problems can be troubleshooted in a number of ways, including:

• Checking the Nexus logs: The Nexus logs can provide information about any errors that have occurred.
• Viewing the Nexus status page: The Nexus status page can provide information about the current status of Nexus Sonatype.
• Contacting Sonatype support: Sonatype support can provide assistance with troubleshooting Nexus Sonatype problems.

18. What are the different ways to secure Nexus Sonatype?

Nexus Sonatype can be secured in a number of ways, including:

• Using strong passwords: Strong passwords should be used for all users and accounts.
• Enabling two-factor authentication: Two-factor authentication should be enabled to protect against unauthorized access.
• Restricting access to the Nexus user interface: Access to the Nexus user interface should be restricted to authorized users.
• Using a firewall: A firewall should be used to protect Nexus Sonatype from unauthorized access.
• Keeping Nexus Sonatype up to date: Nexus Sonatype should be kept up to date with the latest security patches.

19. What are the different ways to monitor Nexus Sonatype?

Nexus Sonatype can be monitored in a number of ways, including:

• Checking the Nexus logs: The Nexus logs can provide information about any errors that have occurred.
• Viewing the Nexus status page: The Nexus status page can provide information about the current status of Nexus Sonatype.
• Using a monitoring tool: A monitoring tool can be used to monitor Nexus Sonatype for performance and availability issues.
• Setting up alerts: Alerts can be set up to notify you of any problems with Nexus Sonatype.

20. What are the different ways to back up Nexus Sonatype?

Nexus Sonatype can be backed up in a number of ways, including:

• Backing up the Nexus database: The Nexus database should be backed up regularly to protect against data loss.
• Backing up the Nexus configuration file: The Nexus configuration file should be backed up regularly to protect against configuration changes.
• Backing up the Nexus logs: The Nexus logs should be backed up regularly to troubleshoot problems.
• Using a backup service: A backup service can be used to automate the backup process.

21. What are the different types of vulnerabilities that can be found in artifacts?

There are many different types of vulnerabilities that can be found in artifacts, including:

• Security vulnerabilities: Security vulnerabilities can allow attackers to gain unauthorized access to your systems or data.
• Licensing vulnerabilities: Licensing vulnerabilities can allow you to use software without paying for it.
• Compliance vulnerabilities: Compliance vulnerabilities can prevent you from meeting industry regulations.
• Functionality vulnerabilities: Functionality vulnerabilities can prevent your software from working properly.
• Performance vulnerabilities: Performance vulnerabilities can slow down your software or make it unstable.

22. What are the different ways to scan artifacts for vulnerabilities?

Artifacts can be scanned for vulnerabilities using a variety of tools, including:

• Static analysis tools: Static analysis tools scan artifacts for vulnerabilities without executing them.
• Dynamic analysis tools: Dynamic analysis tools scan artifacts for vulnerabilities by executing them in a controlled environment.
• Hybrid analysis tools: Hybrid analysis tools use a combination of static and dynamic analysis to scan artifacts for vulnerabilities.

23. What are the different ways to remediate vulnerabilities in artifacts?

Vulnerabilities in artifacts can be remediated in a variety of ways, including:

• Applying patches: Patches can be applied to fix security vulnerabilities in artifacts.
• Upgrading to a newer version: Upgrading to a newer version of an artifact can fix security vulnerabilities.
• Removing the artifact: The artifact can be removed from your system if it is not essential.
• Isolating the artifact: The artifact can be isolated from other systems to prevent it from being exploited.

24. What are the different ways to prevent vulnerabilities in artifacts?

Vulnerabilities in artifacts can be prevented in a variety of ways, including:

• Using secure development practices: Secure development practices can help to prevent security vulnerabilities from being introduced into artifacts.
• Using a vulnerability scanner: A vulnerability scanner can be used to scan artifacts for vulnerabilities.
• Keeping artifacts up to date: Artifacts should be kept up to date with the latest security patches.
• Using a secure repository: A secure repository can help to protect artifacts from unauthorized access and tampering.

25. What are the different ways to manage the risks of using artifacts with vulnerabilities?

The risks of using artifacts with vulnerabilities can be managed in a variety of ways, including:

• Assessing the risks: The risks of using artifacts with vulnerabilities should be assessed before they are used.
• Mitigating the risks: The risks of using artifacts with vulnerabilities can be mitigated by using secure development practices, vulnerability scanning, and keeping artifacts up to date.
• Accepting the risks: In some cases, the risks of using artifacts with vulnerabilities may be acceptable.

26. What is the difference between Nexus and Artifactory?

Nexus and Artifactory are both repository managers, but they have some key differences. Nexus is a commercial product that is focused on security and compliance. Artifactory is an open source product that is more focused on flexibility and scalability.

Here is a table summarizing the key differences between Nexus and Artifactory:

Feature	Nexus	Artifactory
Price	Commercial	Open source
Focus	Security and compliance	Flexibility and scalability
Features	Content staging, vulnerability scanning, compliance scanning	Proxy repositories, virtual repositories, built-in Docker registry
Scalability	Horizontally scalable	Vertically scalable
Integrations	CI/CD tools, security tools, compliance tools	CI/CD tools, security tools, compliance tools

27. What are the benefits of using Nexus over Artifactory?

Some of the benefits of using Nexus over Artifactory include:

• More security features: Nexus has more security features than Artifactory, such as content staging and vulnerability scanning.
• More compliance features: Nexus has more compliance features than Artifactory, such as compliance scanning.
• Easier to use: Nexus is easier to use than Artifactory, especially for users who are not familiar with repository managers.
• Better documentation: Nexus has better documentation than Artifactory.
• More support: Nexus has more support than Artifactory, including commercial support.

28. What are the benefits of using Artifactory over Nexus?

Some of the benefits of using Artifactory over Nexus include:

• More flexible: Artifactory is more flexible than Nexus, as it can be scaled vertically or horizontally.
• More scalable: Artifactory can be scaled vertically, which can be useful for organizations with limited resources.
• More integrations: Artifactory has more integrations with other tools than Nexus.
• Open source: Artifactory is open source, which can be a benefit for organizations that want to save money or have specific requirements that are not met by commercial repository managers.

29. Which is better for me, Nexus or Artifactory?

The best choice for you will depend on your specific needs and requirements. If you are looking for a repository manager that is focused on security and compliance, then Nexus is a good choice. If you are looking for a repository manager that is flexible and scalable, then Artifactory is a good choice.

30. What are the challenges of using Nexus or Artifactory?

Some of the challenges of using Nexus or Artifactory include:

• The learning curve: Both Nexus and Artifactory can be complex to learn and use, especially for users who are not familiar with repository managers.
• The cost: Nexus is a commercial product, which can be expensive for some organizations.
• The security: Both Nexus and Artifactory can be a target for security attacks. It is important to take steps to secure your repositories.
• The scalability: Both Nexus and Artifactory can be scaled horizontally, but this can be complex and expensive.

31. What are the best practices for managing Nexus?

Here are some of the best practices for managing Nexus:

• Regularly back up your data: This will help you to recover from data loss or corruption.
• Keep your software up to date: This will help to protect you from security vulnerabilities.
• Monitor your system: This will help you to identify and troubleshoot problems early on.
• Use strong passwords: This will help to protect your system from unauthorized access.
• Enable two-factor authentication: This will add an extra layer of security to your system.
• Restrict access to your system: This will help to prevent unauthorized users from accessing your system.
• Use a firewall: This will help to protect your system from unauthorized access.
• Keep your logs: This will help you to troubleshoot problems and track your system usage.

32. What are the common problems with Nexus?

Here are some of the common problems with Nexus:

• Corrupted data: This can be caused by a variety of factors, such as power outages, hardware failures, or software errors.
• Security vulnerabilities: Nexus can be a target for security attacks. It is important to take steps to secure your system.
• Performance problems: Nexus can become slow or unresponsive if it is not properly configured or managed.
• Configuration errors: Nexus can be configured incorrectly, which can lead to problems.
• Connectivity problems: Nexus can experience connectivity problems, which can prevent users from accessing the system.

33. How do you troubleshoot Nexus problems?

Here are some tips for troubleshooting Nexus problems:

• Check your logs: The logs can provide valuable information about the problem.
• Check your configuration: Make sure that your configuration is correct.
• Restart Nexus: This can sometimes fix problems.
• Upgrade your software: This can fix security vulnerabilities and performance problems.
• Contact support: If you are unable to troubleshoot the problem, contact support for assistance.

34. What are the future trends for Nexus?

Here are some of the future trends for Nexus:

• Increased adoption of cloud-based deployments: Cloud-based deployments are becoming more popular because they offer a number of advantages, such as scalability, flexibility, and ease of management.
• Increased integration with other tools: Nexus is becoming more integrated with other tools, such as CI/CD tools and security tools. This integration can help to improve the efficiency and security of software development.
• Increased focus on security: Nexus is becoming more focused on security. This is due to the increasing number of security attacks targeting repository managers.
• Increased use of artificial intelligence and machine learning: Artificial intelligence and machine learning are being used to improve the performance and security of Nexus.

Security FAQs

How is Lift deployed?

Lift software is delivered as a service. It integrates with your source repository to automatically run at each pull request.

How does Lift work?

Upon each pull request (which Lift monitors via the repo host), Lift clones your repo and runs its analyzers over the code, delivering results as code comments within the repo’s code review tool. Upon completion of the analysis of private repositories, Lift will delete its copy of your repository.

What’s the high-level architecture?

Lift is a container-based platform on Linux running on Amazon Web Services (AWS). The cloud platform integrates directly with repository hosts like Github and requires no installation of code into your environment.

How does Lift handle our source code and other confidential information?

Lift recognizes the value of its customers’ source code and the importance of maintaining confidentiality. Lift retains its customers’ data only to the extent required to deliver its service and for only as long as required to do so. Lift treats its customers’ source code and related information as highly confidential, and cares for it with the same degree of care we use to preserve our own confidentiality. Lift encrypts its data at rest using industry standard encryption and for data in transit, Lift relies upon TLS and shared secrets with GitHub/GitLab/Bitbucket to encrypt source code and other data transmitted to/from Lift. Lift further separates its customers’ data by providing a dedicated single-tenant AWS node for the duration of each analysis. For Lift on-premise deployments, neither your source code nor our analysis results leave the Lift server.

Does Lift process “Personal Data” as defined by GDPR and similar privacy laws?

Lift captures Personal Data solely of its own end-users, i.e. those individual developers with Lift accounts. Specifically, we capture name, email address and other information received from Github through our SSO integration. We retain and use such data only as long as necessary and in compliance with law.

How do you handle authentication and otherwise manage user accounts?

Lift uses authentication either via Sonatype or 3rd party single-sign on (SSO) providers like Github so customers can use their existing accounts on those platforms to log into Lift. User accounts in the Lift platform are associated with those credentials and Lift does not have any accounts of its own.

Why does Lift ask for these permissions on GitHub?

Lift performs a variety of operations depending on what tools it uses to analyze your code.  The permissions requested are:

• GitHub’s text: “User permissions” and “Installing and authorizing sonatype-lift immediately grants these permissions on your account: <name>. – Read access to emails”
  • Reason: to know who you are when you log into the console at https://lift.sonatype.com and to provide email communications regarding the Lift service.

• GitHub’s text: “Read access to members, metadata, organization administration, organization plan, and organization projects”
  • Members: to help grant access to users who visit the console
  • Metadata: For learning default branches and other basic information
  • Organization administration: For allowing administrators to control seat provisioning
  • Organization plan: Unused
  • Organization projects: Unused
• GitHub’s text: “Read and write access to checks, code, commit statuses, issues, pull requests, and security events”
  • Checks: This is a status API allowing CI jobs to report their current status.
  • Code: Read access is needed to scan your code. Write access is used by some tools to (optionally) create new branches and open associated pull requests in order to automatically suggest fixes for code quality and security issues.
  • Commit statuses: This is an API that allows apps like Lift to report the status of an analysis job associated with a pull request.
  • Issues: Allows the app to (optionally) open new GitHub issues as a means of recording and tracking code quality and security issues.
  • Pull requests: Allows the app to (optionally) open new pull requests to automatically suggest fixes for code quality and security issues.
  • Security events: Lift integrates with GitHub’s code scanning dashboard and can upload issues directly to the GitHub code scanning system.

What does Nexus Vulnerability Scanner do?

In minutes you’ll analyze your application and uncover potential security, licensing, and quality problems.

The Summary report you will receive provides a snapshot of the number of components found, as well as the number and types of risks, if any. The Detailed, Full Report provides a specific inventory of components and associated risks, coordinates, etc. See a sample of the full, detailed report.

The report can be used to not only evaluate your own internal applications but also check the quality of the code received from third-party vendors.

How does Nexus Vulnerability Scanner work, and what information is sent to Sonatype?

Nexus Vulnerability Scanner uses short hashes for component identification. In order to best protect your intellectual property, only these limited signatures of your application’s components will be exchanged with the Sonatype Data Service — i.e. no source or binary code is ever exposed, uploaded, or sent to Sonatype. These component signatures are then matched against a database of security, quality, and licensing information in order to generate your comprehensive report.

Here’s an example of what the information transmitted to Sonatype looks like: <item key=”013b4d333e95f3a5ac765fc2a3ab05e9f29d7952″ path=”ch/qos/logback/core/util/Loader.class” sha1=”6cdbcfa9150af71c7b6b3adfbbc1e1e940f9413e” sha1JA001=”2f9768f33c106400ae23863165643d167a25e8ba” sha1JB001=”878d54d1c132ddeee47ec7ebd9cefbd8b31cb5ac” sha1JC001=”f65040a6798ab66c56ce0ef163195454a68c5921″ sha1JD001=”4f093c9bd65a0e6d233171b3362109ab5b372235″/>

The security, safety, and anonymity of your data is our greatest concern, and we take the necessary steps to ensure that.

What types of Applications can I evaluate?

Nexus Vulnerability Scanner currently supports evaluating Java applications (the binary, not the source), which contain Java components/artifacts. In addition to the standard jar, war and ear file types, Nexus Vulnerability Scanner will also analyze these additional file extensions: aar, har, hpi, mar, nbm, rar, sar, tar, tar.bz2, tar.gz, tb2, tbz, tgz, wsr, zip.

How can I identify my proprietary (internally developed) components?

Listing your proprietary packages allows you to specify which components are unique to your organization. By doing this, we will use this information to identify these components in the report as proprietary, helping you focus on external components.

In this field, simply enter the prefix for your package namespace. For example, com.mycompany, which will mark everything found in the path of com/mycompany as a proprietary component. If you wish to enter multiple packages, separate these by a comma or new line break.

Note: These components will still be evaluated and matched accordingly.

How do I use Nexus Vulnerability Scanner?

Evaluating an application is pretty easy, but sometimes can be a little confusing at first.

The most important thing: make sure you are evaluating something that is a Java application (the binary, not the source). Sometimes people try to use a variety of files just to test or try something out. That makes sense, but it won’t produce any results. If you want to test out this tool, try one of these sample files first.

Once you are ready to analyze an application, you will be asked for the following information:

• Email Address: The email address entered here is where we will send a link for your report. It will also serve as your username for accessing the report.
• File to Evaluate: Select a Java Application archive to evaluate. This will typically be a war or zip containing other wars or jars. Run Nexus Vulnerability Scanner on your binary archive and we’ll send you a report with details about the components you’re using.
• Name for Report: Choose a name for your report, such as your application name so you can keep track of analyses conducted for more than one application. If you don’t provide a report name, we’ll just use the name of the file you selected.
• Password: A password is required to help prevent unwanted access to your report. If you have forgotten your password, you can contact our support team for further assistance, or simply re-evaluate your application.
• Proxy Server Settings (optional): Nexus Vulnerability Scanner uses https to communicate with the Sonatype Data Service. If you need to connect through a proxy to browse the web, enter those details here.
• Proprietary Packages (optional): Use this field to give Nexus Vulnerability Scanner information about what Java packages are proprietary. We will use this information to identify these components in the report, which will help you focus on external components. The values in this box are compared against the Java packages of the components being evaluated. If we find a match, then the component will be flagged as proprietary. In the event you wish to enter multiple packages, separate these by a comma or hard return.

Need help to understand your report?

Please visit our Guide to the Nexus Vulnerability Scanner.

Who is Sonatype?

The Nexus Vulnerability Scanner is a free community service offered by Sonatype. We have a long history of support for the open source community as the stewards of the Central (Maven) Repository and providers of the world-leading Nexus Repository and Sonatype Lifecycle. Learn more at our website: http://www.sonatype.com