Sonatype Nexus IQ
Sonatype Nexus IQ is an application security tool that scans your applications and components to identify policy violations and security vulnerabilities. You can bring application, component, policy violation, remediation, and security issue data from Sonatype Nexus IQ into Brinqa to construct a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Sonatype Nexus IQ and how to obtain that information from Sonatype. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Sonatype Nexus IQ from the Connector drop-down. You must provide the following information for the connector to authenticate with Sonatype Nexus IQ:
- Nexus server: Your organization's Nexus IQ server URL. The default format is https://<ServerName>/.
- Username and Password: The username and password of the Sonatype Nexus IQ user account the connector uses. The account must have permission to access the Sonatype Nexus IQ REST API and return data.
Info: The Sonatype Nexus IQ user must have the View IQ Elements permission to access and retrieve data from the Sonatype Nexus IQ API. For additional information, see Sonatype documentation.
Additional settings
The Sonatype Nexus IQ connector has the following additional settings:
- Skip certificate verification: Select this option to accept an untrusted server certificate (for example, a self-signed certificate or one issued by an internal CA). This disables TLS validation for the connection, which leaves the Nexus IQ credentials open to interception on the network path, so prefer a certificate chain the platform can validate and enable this option only when that is not possible.
- If enabled, missing or purged scan reports will be skipped: Select this option to let the connector skip scan reports that Nexus IQ lists but that no longer exist (for example, because they were purged) instead of failing the sync. A warning is logged for each skipped report to assist with troubleshooting.
Types of data to retrieve
The Sonatype Nexus IQ connector can retrieve the following types of data from the Sonatype Nexus IQ REST API:
Table 1: Data retrieved from Sonatype Nexus IQ
Connector Object | Required | Maps to Data Model |
---|---|---|
Application | Yes | Application |
Component | Yes | Package |
Policy Violation | Yes | Violation |
Policy Violation Definition | Yes | Violation Definition |
Remediation | Yes | Solution |
Security Issue | Yes | Vulnerability |
Security Issue Definition | Yes | Vulnerability Definition |
For detailed steps on how to view the data retrieved from Sonatype Nexus IQ in the Brinqa Platform, see How to view your data.
Attribute mappings
The following sections list the mappings between the source fields and the Brinqa data model attributes.
Application
Table 2: Application attribute mappings
Source Field Name | Maps to Attribute |
---|---|
CONTACT | Local variable |
NAME | name |
ORGANIZATION_ID | Local variable |
PUBLIC_ID | Local variable |
SYS_ID | uid |
Component
Table 3: Component attribute mappings
Source Field Name | Maps to Attribute |
---|---|
APPLICATIONS | targets |
ARTIFACT_ID | Local variable |
CLASSIFIER | Local variable |
COORDINATES | Local variable |
DECLARED_LICENSES | Local variable |
EXT | Local variable |
FILE_NAME | fileName |
FILE_PATHS | Local variable |
FORMAT | Local variable |
GROUP_ID | Local variable |
NAME | name |
OBSERVED_LICENSES | Local variable |
SECURITY_ISSUES | Local variable |
SYS_ID | uid |
VERSION | current version |
Policy Violation
Table 4: Policy Violation attribute mappings
Source Field Name | Maps to Attribute |
---|---|
APPLICATION_ID | appId, targets |
APPLICATION_NAME | targets |
COMPONENT_ID | Local variable |
COMPONENT_NAME | Local variable |
CONSTRAINT | Local variable |
POLICY_ID | type |
REASONS | Local variable |
REPORT_URL | Local variable |
STAGE | Local variable |
THREAT_LEVEL | Local variable |
UID | uid |
Policy Violation Definition
Table 5: Policy Violation Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
COMPONENT_ID | Local variable |
COMPONENT_NAME | Local variable |
CONSTRAINT | Local variable |
DESCRIPTION | description |
POLICY_ID | uid |
POLICY_NAME | name |
POLICY_TYPE | category |
REASONS | Local variable |
RECOMMENDATION | recommendation |
REFERENCE_ID | Local variable |
REPORT_URL | Local variable |
STAGE | Local variable |
THREAT_LEVEL | Local variable |
Remediation
Table 6: Remediation attribute mappings
Source Field Name | Maps to Attribute |
---|---|
COMPONENT_ID | Local variable |
SYS_ID | uid |
VERSION_CHANGES | Local variable |
Security Issue
Table 7: Security Issue attribute mappings
Source Field Name | Maps to Attribute |
---|---|
APPLICATION_ID | AppId, targets |
COMPONENT_ID | targets |
COMPONENT_NAME(component) | Local variable |
REF | type |
SOURCE | Local variable |
STAGE(report) | Local variable |
STATUS | status(normalized), sourceStatus, statusCategory |
SYS_ID | uid |
Security Issue Definition
Table 8: Security Issue Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
COMPONENT_NAME(component) | Local variable |
REF | references |
SEVERITY | severity, severityScore, sourceSeverity |
SOURCE | Local variable |
STAGE(report) | Local variable |
THREAT_CATEGORY | Local variable |
URL | url |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.
Operation options
The Sonatype Nexus IQ connector supports the following operation options. See connector operation options for information about how to apply them.
Table 9: Sonatype Nexus IQ connector operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Component, Remediation, Security Issue | applicationId | Any Sonatype Nexus IQ application ID | A comma-separated list of application IDs. Use this option to return only the data for the specified application IDs. | Key: applicationId, Value: c1a0586b13,b2b0526b23. This key and value combination retrieves only data for the specified application IDs. |
Policy Violation | get_vulnerability_details | true | Use this option to retrieve the following additional policy violation attributes: DESCRIPTION, RECOMMENDATION, and REFERENCE_ID. The connector makes an additional API call for each policy violation that references a vulnerability when you use this operation option, which may impact performance. | Key: get_vulnerability_details, Value: true. This key and value combination retrieves the additional policy violation details. |
Option keys and values are case-sensitive; use them exactly as shown in this documentation.
APIs
The Sonatype Nexus IQ connector uses the Sonatype REST API v2. Specifically, it uses the following endpoints:
Table 10: Sonatype Nexus IQ REST API Endpoints
Connector Object | API Endpoints |
---|---|
Application | GET /api/v2/applications |
Component | GET /api/v2/reports/applications/{applicationId}, then GET /api/v2/reports/applications/{reportDataUrl} |
Policy Violation | GET /api/v2/policies and GET /api/v2/policyViolations; if the get_vulnerability_details operation option is used, also GET /api/v2/vulnerabilities/{vulnerabilityId} |
Policy Violation Definition | GET /api/v2/policies and GET /api/v2/policyViolations |
Remediation | GET /api/v2/reports/applications/{applicationId}, then GET /api/v2/reports/applications/{reportDataUrl} |
Security Issue | GET /api/v2/reports/applications/{applicationId}, then GET /api/v2/reports/applications/{reportDataUrl} |
Security Issue Definition | GET /api/v2/reports/applications/{applicationId}, then GET /api/v2/reports/applications/{reportDataUrl} |
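The endpoint flow in Table 10, the applicationId operation option from Table 9, and the skip-missing-reports setting under Additional settings, as one added Python example. This is editor-written illustration code, not Brinqa's connector or Sonatype's SDK. The response bodies are constructed samples that follow the shape of the Nexus IQ v2 payloads (an applications list, a per-application report list carrying reportDataUrl, and raw report data with components and securityData.securityIssues); that shape, and treating reportDataUrl as a server-relative path, are assumptions. make_http_fetch is the only part that talks to a real server and is not exercised by the sample run; everything else runs offline against the embedded data.

```python
import base64
import json
import logging
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

log = logging.getLogger("nexus_iq_walk")
Fetch = Callable[[str], Optional[object]]  # server-relative path -> parsed JSON, or None on HTTP 404


class ReportMissing(Exception):
    """A scan report that Nexus IQ lists no longer exists (purged or deleted)."""


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """The Nexus IQ REST API accepts HTTP Basic credentials of the configured user."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def make_http_fetch(server: str, username: str, password: str,
                    skip_certificate_verification: bool = False) -> Fetch:
    """Real transport against the Nexus server URL; an HTTP 404 is returned as None."""
    ctx = ssl.create_default_context()
    if skip_certificate_verification:  # same effect as the connector setting: no TLS validation
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    headers = basic_auth_header(username, password)

    def fetch(path: str):
        req = urllib.request.Request(server.rstrip("/") + path, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
    return fetch


def parse_application_ids(option_value: Optional[str]) -> Optional[set]:
    """applicationId operation option: comma-separated IQ application IDs; None means no filter."""
    if not option_value:
        return None
    return {part.strip() for part in option_value.split(",") if part.strip()}


def collect(fetch: Fetch, application_id_option: Optional[str] = None,
            skip_missing_reports: bool = False) -> Dict[str, list]:
    """Applications -> each application's report list -> raw report data (components, issues)."""
    wanted = parse_application_ids(application_id_option)
    apps = fetch("/api/v2/applications")["applications"]
    if wanted is not None:
        apps = [app for app in apps if app["id"] in wanted]
    out = {"components": [], "security_issues": [], "skipped_reports": []}
    for app in apps:
        for report in fetch(f"/api/v2/reports/applications/{app['id']}") or []:
            data_url = "/" + report["reportDataUrl"].lstrip("/")  # assumed server-relative
            raw = fetch(data_url)
            if raw is None:
                if not skip_missing_reports:
                    raise ReportMissing(data_url)
                log.warning("report %s for %s is missing or purged; skipping", data_url, app["publicId"])
                out["skipped_reports"].append(data_url)
                continue
            for comp in raw["components"]:
                out["components"].append({"uid": comp["hash"], "name": comp["displayName"],
                                          "application": app["id"], "stage": report["stage"]})
                for issue in comp.get("securityData", {}).get("securityIssues", []):
                    out["security_issues"].append({"ref": issue["reference"], "source": issue["source"],
                                                   "severity": issue["severity"], "status": issue["status"],
                                                   "component": comp["hash"], "application": app["id"]})
    return out


# Constructed sample responses, not captured from a real server. billing-ui's report is
# listed but its raw data URL has no entry, which plays the part of a purged report (404).
SAMPLE_RESPONSES = {
    "/api/v2/applications": {"applications": [
        {"id": "c1a0586b13", "publicId": "payments-api", "name": "Payments API"},
        {"id": "b2b0526b23", "publicId": "billing-ui", "name": "Billing UI"},
        {"id": "e3c0716c31", "publicId": "legacy-batch", "name": "Legacy Batch"}]},
    "/api/v2/reports/applications/c1a0586b13": [
        {"stage": "build", "reportDataUrl": "api/v2/applications/payments-api/reports/r1/raw"}],
    "/api/v2/reports/applications/b2b0526b23": [
        {"stage": "release", "reportDataUrl": "api/v2/applications/billing-ui/reports/r2/raw"}],
    "/api/v2/reports/applications/e3c0716c31": [],
    "/api/v2/applications/payments-api/reports/r1/raw": {"components": [
        {"hash": "h-log4j", "displayName": "log4j-core 2.14.1", "securityData": {"securityIssues": [
            {"source": "cve", "reference": "CVE-2021-44228", "severity": 10.0, "status": "Open"}]}},
        {"hash": "h-jackson", "displayName": "jackson-databind 2.15.2",
         "securityData": {"securityIssues": []}}]},
}


def fake_fetch(path: str):
    """Offline stand-in for make_http_fetch(); an unknown path behaves like HTTP 404."""
    return SAMPLE_RESPONSES.get(path)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(json.dumps(collect(fake_fetch, "c1a0586b13, b2b0526b23", skip_missing_reports=True), indent=2))
```

Running collect with skip_missing_reports=False shows the failure mode the 3.0.1 setting addresses: the first purged report aborts the whole collection with ReportMissing, whereas with the setting enabled the report is logged as a warning and the remaining applications are still processed. Note also that skip_certificate_verification=True turns off both the hostname check and chain validation, which is exactly what the connector's Skip certificate verification option does.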
Changelog
The Sonatype Nexus IQ connector has undergone the following changes:
Table 11: Sonatype Nexus IQ connector changelog
Version | Description | Date Published |
---|---|---|
3.0.2 | Added the DESCRIPTION, RECOMMENDATION, and REFERENCE_ID attributes to the Policy Violation object. In order to retrieve these attributes, an additional API call is made, and you must use the get_vulnerability_details operation option on the Policy Violation object. If a Policy Violation does not contain a reference ID to a vulnerability, the additional API call is not made. | August 19th, 2025 |
3.0.1 | Added a new additional setting to help manage how the connector handles missing or purged scan reports from Sonatype Nexus IQ. When enabled, the connector skips missing reports, continues the connector sync, and logs a warning instead of failing. | July 30th, 2025 |
3.0.0 | Initial Integration+ release. | July 22nd, 2024 |