Sonatype Nexus IQ
Sonatype Nexus IQ is an application security tool that scans your applications and components to identify policy violations and security vulnerabilities. You can bring application, component, policy violation, remediation, and security issue data from Sonatype Nexus IQ into Brinqa to construct a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Sonatype Nexus IQ and how to obtain that information from Sonatype. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Sonatype Nexus IQ from the Connector drop-down. You must provide the following information to authenticate Sonatype Nexus IQ with Brinqa:
- Nexus server: Your organization's Nexus server URL. The default format is https://<ServerName>/.
- Username and Password: The username and password associated with the Sonatype Nexus IQ user account, which must have permissions to access the Sonatype API and return data.
Info: The Sonatype Nexus IQ user must have the View IQ Elements permission to access and retrieve data from the Sonatype Nexus IQ API. For additional information, see Sonatype documentation.
Additional settings
The Sonatype Nexus IQ connector contains an additional option for specific configuration:
- Skip certificate verification: Select this option to allow for untrusted certificates.
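A pre-flight check for the connection settings above, as an added example that is not part of the Brinqa or Sonatype documentation: it calls the Application endpoint with certificate verification left on and reports whether a failure comes from the certificate, the credentials, or the account's permissions. The function names and the host `iq.example.test` are hypothetical; it assumes the username and password are sent as HTTP Basic credentials and that a missing View IQ Elements permission is answered with HTTP 403.

```python
import base64
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

APPLICATIONS_PATH = "/api/v2/applications"  # endpoint from the APIs table


def build_request(server_url, username, password):
    """Build the authenticated GET request, refusing non-HTTPS servers."""
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.hostname:
        # Basic auth over plain HTTP would expose the account password.
        raise ValueError("Nexus server URL must look like https://<ServerName>/")
    url = server_url.rstrip("/") + APPLICATIONS_PATH
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def classify(outcome):
    """Map an HTTP status or a connection error to a diagnosis."""
    if isinstance(outcome, ssl.SSLCertVerificationError):
        return "untrusted certificate: add the issuing CA to the trust store"
    if outcome == 200:
        return "ok"
    if outcome == 401:
        return "authentication failed: check username and password"
    if outcome == 403:
        # Assumption: a missing View IQ Elements permission surfaces as 403.
        return "forbidden: check the View IQ Elements permission"
    return f"unexpected result: {outcome!r}"


def preflight(server_url, username, password, timeout=10):
    """Call the Application endpoint with certificate verification enabled."""
    request = build_request(server_url, username, password)
    context = ssl.create_default_context()  # verifies chain and hostname
    try:
        with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)
    except urllib.error.URLError as err:
        return classify(err.reason)
```

Run `preflight("https://iq.example.test/", user, password)` from the host that will reach the Nexus server; an "untrusted certificate" result points to a trust-store fix, so Skip certificate verification can stay off.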
Types of data to retrieve
The Sonatype Nexus IQ connector can retrieve the following types of data from the Sonatype Nexus IQ REST API:
Table 1: Data retrieved from Sonatype Nexus IQ
Connector Object | Required | Maps to Data Model |
---|---|---|
Application | Yes | Application |
Component | Yes | Package |
Policy Violation | Yes | Violation |
Policy Violation Definition | Yes | Violation Definition |
Remediation | Yes | Solution |
Security Issue | Yes | Vulnerability |
Security Issue Definition | Yes | Vulnerability Definition |
For detailed steps on how to view the data retrieved from Sonatype Nexus IQ in the Brinqa Platform, see How to view your data.
Attribute mappings
The sections below list the mappings between the source and the Brinqa data model attributes.
Application
Table 2: Application attribute mappings
Source Field Name | Maps to Attribute |
---|---|
CONTACT | Local variable |
NAME | name |
ORGANIZATION_ID | Local variable |
PUBLIC_ID | Local variable |
SYS_ID | uid |
Component
Table 3: Component attribute mappings
Source Field Name | Maps to Attribute |
---|---|
APPLICATIONS | targets |
ARTIFACT_ID | Local variable |
CLASSIFIER | Local variable |
COORDINATES | Local variable |
DECLARED_LICENSES | Local variable |
EXT | Local variable |
FILE_NAME | fileName |
FILE_PATHS | Local variable |
FORMAT | Local variable |
GROUP_ID | Local variable |
NAME | name |
OBSERVED_LICENSES | Local variable |
SECURITY_ISSUES | Local variable |
SYS_ID | uid |
VERSION | current version |
Policy Violation
Table 4: Policy Violation attribute mappings
Source Field Name | Maps to Attribute |
---|---|
APPLICATION_ID | appId, targets |
APPLICATION_NAME | targets |
COMPONENT_ID | Local variable |
COMPONENT_NAME | Local variable |
CONSTRAINT | Local variable |
POLICY_ID | type |
REASONS | Local variable |
REPORT_URL | Local variable |
STAGE | Local variable |
THREAT_LEVEL | Local variable |
UID | uid |
Policy Violation Definition
Table 5: Policy Violation Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
COMPONENT_ID | Local variable |
COMPONENT_NAME | Local variable |
CONSTRAINT | Local variable |
POLICY_ID | uid |
POLICY_NAME | name |
POLICY_TYPE | category |
REASONS | Local variable |
REPORT_URL | Local variable |
STAGE | Local variable |
THREAT_LEVEL | Local variable |
Remediation
Table 6: Remediation attribute mappings
Source Field Name | Maps to Attribute |
---|---|
COMPONENT_ID | Local variable |
SYS_ID | uid |
VERSION_CHANGES | Local variable |
Security Issue
Table 7: Security Issue attribute mappings
Source Field Name | Maps to Attribute |
---|---|
APPLICATION_ID | AppId, targets |
COMPONENT_ID | targets |
COMPONENT_NAME(component) | Local variable |
REF | type |
SOURCE | Local variable |
STAGE(report) | Local variable |
STATUS | status(normalized), sourceStatus, statusCategory |
SYS_ID | uid |
Security Issue Definition
Table 8: Security Issue Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
COMPONENT_NAME(component) | Local variable |
REF | references |
SEVERITY | severity, severityScore, sourceSeverity |
SOURCE | Local variable |
STAGE(report) | Local variable |
THREAT_CATEGORY | Local variable |
URL | url |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Sonatype Nexus IQ connector supports the following operation options. See connector operation options for information about how to apply them.
Table 9: Sonatype Nexus IQ connector operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Component, Remediation, Security Issue | applicationId | Any Sonatype Nexus IQ application ID | A comma-separated list of application IDs. Return only the data with the specified application IDs. | Key: applicationId Value: c1a0586b13,b2b0526b23. This key and value combination only retrieves data with the specified application IDs. |
Option keys and values are case-sensitive; enter them exactly as shown in this documentation.
APIs
The Sonatype Nexus IQ connector uses the Sonatype REST API v2. Specifically, it uses the following endpoints:
Table 10: Sonatype Nexus IQ REST API Endpoints
Connector Object | API Endpoints |
---|---|
Application | GET /api/v2/applications |
Component | GET /api/v2/reports/applications/{applicationId}; GET /api/v2/reports/applications/{reportDataUrl} |
Policy Violation, Policy Violation Definition | GET /api/v2/policies; GET /api/v2/policyViolations |
Remediation | GET /api/v2/reports/applications/{applicationId}; GET /api/v2/reports/applications/{reportDataUrl} |
Security Issue, Security Issue Definition | GET /api/v2/reports/applications/{applicationId}; GET /api/v2/reports/applications/{reportDataUrl} |
Changelog
The Sonatype Nexus IQ connector has undergone the following changes:
3.0.0
- Initial Integration+ release.