About
Sonatype Nexus IQ delivers developer-first code quality analysis, automatically enforces open source security policies, blocks bad component downloads, and prioritizes remediation. When integrated with your Vulcan Platform, you'll be able to review Code Project vulnerabilities on your assets, while leveraging the power of Vulcan Cyber discoverability, automation, and remediation.
Prerequisites
Supported version: lifecycle release 104 and above
Network connectivity: If your Sonatype platform is installed on a local network and isn't accessible externally, you may need to connect using the Vulcan Gateway, read here how to configure.
User Permissions: to integrate with Vulcan, you need a user with permissions to view IQ Elements and assign access to desired organizations and applications.
User Token: Generate a user token in your Sonatype platform and copy the user code and passcode to use in the next step.
Configure the Sontype Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Sonatype icon.
Insert the required information:
Server URL - Example: https://myserver:8080/
API User Token Credentials - Copy-paste the User Token credentials you obtained in the previous step.
Note: If your Sonatype platform is installed on a local network and isn't accessible externally, you may need to connect using the Vulcan Gateway, read here how to configure.
Inactive Assets - In this example, the default value of 30 days is used. To remove inactive assets quicker or keep them longer, as seen by Vulcan, change this value to suit your needs.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Sonatype instance, then click Create (or Save Changes).
Allow some time for the sync to complete. You can review the sync status under Log.
To confirm that the sync is complete, navigate to the Connectors tab to check the sync status. Once the Sonatype icon shows Connected, the connection is complete.
From Sonatype to the Vulcan Platform - Fields Mapping
Vulnerabilities Mapping
Sonatype Field | Vulcan Field |
mainSeverity score | CVSS score |
recommendationMarkdown | Solution |
weakness cweIds id | CWE |
Description | Description |
Assets Mapping
Sonatype Field | Vulcan Field |
App ID | App ID |
Public ID | Public ID |
Name | App name |
Application tags | Tags |
Vulnerability Status
Sonatype Field | Vulcan Field |
Open | Vulnerable |
Acknowledged Risk Acknowledged | Acknowledged |
False Positive Not Applicable | Not Applicable |
Vulnerable Confirmed issue | Vulnerable |
Locate Sonatype vulnerabilities in the Vulcan Platform
As SonaType discovers vulnerabilities, the Vulcan Cyber connector will import those vulnerabilities for reporting and action. With a large number of assets and potential vulnerabilities discovering specific vulnerabilities via source is made easy with filters.
Open the Vulcan Platform dashboard and navigate to the Vulnerabilities page. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.
Locate Sonatype on the vulnerability source list and click to filter results.
Click on any vulnerability to view further information.
Locate Sonatype assets in the Vulcan Platform
To quickly locate all synced Cloud Resources assets from Sonatype, Go to the Assets tab in Vulcan Cyber.
Open the Vulcan Cyber dashboard and navigate to Assets > Code Projects tab.
Click on the Search or filter websites input box and select Connector from the drop-down selection.
Locate the Sonatype option to view all synced assets.
Automate SonaType remediation actions
Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the SonaType connector.
Open the Vulcan Cyber dashboard and navigate to the Automation section. Once there, click the Create new Playbook button.
First, give your automation playbook a name, here the name given is, "Assign Critical SonaType Vulnerabilities to Email".
Choose SonaType for the source of vulnerabilities and add the risk is critical vulnerability condition, leaving the rest as defaults.
Click on the Assign via Email button as the Remediate Action.
Choose how the separation of tickets is handled, here up to 200 vulnerabilities are aggregated into a single email. Then add the recipient emails to be notified.
Leave all other steps as default or modify if needed, and click on Save and Run.