Fixing Nexus IQ Issues
Nexus IQ (or Sonatype IQ) is a tool that scans open source components for vulnerabilities. Agencies will usually require TSP to review and fix components that are marked as threats/vulnerabilities.
Identifying Issues
The Nexus IQ scan report will highlight vulnerabilities from the components/dependencies scanned.
Example of vulnerabilities from Nexus IQ scan report:
Before fixing the vulnerabilities, we need to first identify the version of the dependency where the vulnerability has been fixed. Typically we can search for the CVE ID of the vulnerability. Online CVE databases should contain information on the vulnerability and the version in which it has been fixed.
Example of CVE ID:
Highlighted dependencies are often transitive dependencies, i.e. packages pulled in by a package the project references rather than packages the project references directly. If this is the case, we will need to identify the direct dependency that is pulling in the transitive dependency, because that is the package whose version controls which transitive version gets restored.
Identifying Transitive Dependencies
There is a useful .NET tool called Depends that can analyse a .NET Core project locally and explore the dependencies found. Use it to identify the dependencies that are using the transitive dependencies.
Fixing Issues
Once you have identified the dependencies that need to be fixed, check if the dependencies have newer versions where the vulnerabilities have been fixed.
Use nuget.org to check if a component/dependency has newer versions.
If no newer version is available, try one of the following:
- if the dependency using the transitive dependency has no newer version, try adding a direct reference to the transitive dependency in the project and specify the newer, fixed version (a direct reference takes precedence over the version requested by the intermediate package)
- consider using a different library that is more up-to-date (consult with your lead developer before making this change)
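The two steps above (finding which direct dependency pulls in a flagged transitive package, and pinning that package with a direct reference) can be worked out from the `obj/project.assets.json` file that `dotnet restore` writes, which is the same graph that tools like Depends read. The following is an added example, not code from this guide or from the Depends tool: it walks a constructed, minimal stand-in for the assets file (the `targets` and `project.frameworks` sections have the real layout; the package names and versions `Example.WebClient`, `Example.Logging`, `Example.Json`, `Example.Core` and the fixed version `1.3.0` are fictitious), prints every chain from a direct reference down to the flagged package, and emits the `PackageReference` override that pins the fixed version.

```python
"""Trace which direct NuGet references pull in a flagged transitive package
and build the PackageReference override that pins it to a fixed version.

Added example, not part of the original guide. Reads the graph from a
project.assets.json document; the sample below is constructed and minimal.
"""
import json
from typing import Dict, List

# Constructed stand-in for obj/project.assets.json. Only the sections this
# walk needs are present; package ids and versions are fictitious.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "targets": {
        "net8.0": {
            "Example.WebClient/3.1.0": {
                "type": "package",
                "dependencies": {"Example.Json": "1.2.0"},
            },
            "Example.Json/1.2.0": {"type": "package"},
            "Example.Logging/2.0.0": {
                "type": "package",
                "dependencies": {"Example.Json": "1.2.0", "Example.Core": "1.0.0"},
            },
            "Example.Core/1.0.0": {"type": "package"},
        }
    },
    "project": {
        "frameworks": {
            "net8.0": {
                "dependencies": {
                    "Example.WebClient": {"target": "Package", "version": "[3.1.0, )"},
                    "Example.Logging": {"target": "Package", "version": "[2.0.0, )"},
                }
            }
        }
    },
})


def build_graph(assets: dict, tfm: str) -> Dict[str, Dict[str, str]]:
    """Map package id -> {dependency id: requested version} for one framework."""
    graph: Dict[str, Dict[str, str]] = {}
    for key, entry in assets["targets"][tfm].items():
        if entry.get("type") != "package":
            continue  # project-to-project references are not NuGet packages
        pkg_id, _version = key.split("/", 1)
        graph[pkg_id] = dict(entry.get("dependencies", {}))
    return graph


def direct_references(assets: dict, tfm: str) -> List[str]:
    """Package ids referenced directly in the .csproj for this framework."""
    deps = assets["project"]["frameworks"][tfm]["dependencies"]
    return [pid for pid, d in deps.items() if d.get("target") == "Package"]


def dependency_paths(assets_json: str, tfm: str, flagged: str) -> List[List[str]]:
    """Return every chain direct reference -> ... -> flagged package."""
    assets = json.loads(assets_json)
    graph = build_graph(assets, tfm)
    paths: List[List[str]] = []

    def walk(pkg: str, chain: List[str]) -> None:
        if pkg.lower() == flagged.lower():  # NuGet ids are case-insensitive
            paths.append(chain)
            return
        for child in graph.get(pkg, {}):
            if child not in chain:  # guard against cyclic metadata
                walk(child, chain + [child])

    for root in direct_references(assets, tfm):
        walk(root, [root])
    return paths


def override_reference(flagged: str, fixed_version: str) -> str:
    """The .csproj line that pins the transitive package to the fixed version.
    A direct reference takes precedence over the version an intermediate
    package requests, so the restore picks fixed_version instead."""
    return f'<PackageReference Include="{flagged}" Version="{fixed_version}" />'


def report(assets_json: str, tfm: str, flagged: str, fixed_version: str) -> str:
    """Human-readable summary: one line per chain, then the override line."""
    lines = [" -> ".join(p) for p in dependency_paths(assets_json, tfm, flagged)]
    lines.append(override_reference(flagged, fixed_version))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ASSETS, "net8.0", "Example.Json", "1.3.0"))
```

On a real project, point the script at `obj/project.assets.json` after a restore and pass the package id flagged in the Nexus IQ report plus the fixed version found in the CVE entry. Pin at least the version the intermediate package asks for; a direct reference below that triggers NuGet's package downgrade warning (NU1605) rather than the intended override.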
After updating the dependencies, the next scan may highlight additional issues introduced by the updated dependencies themselves. Repeat the process until every fixable issue has been resolved.