Sonatype Connector

Sonatype’s Nexus Lifecycle is a software composition analysis (SCA) tool for open source components. It helps organizations continuously identify risk, enforce policy, and pinpoint vulnerabilities across every phase of the SDLC.

User Prerequisites/Connector Setup:

Sonatype can be deployed either in the cloud or on-premise. In either case, you must:

  • have API access to your Sonatype instance
  • be a Cisco Vulnerability Management Administrator to configure the connector.

The following table highlights the deployment types and their requirements.

Deployment Method: On-premise

  Kenna Virtual Tunnel
    • Must be deployed in the same network as Sonatype to allow Cisco Vulnerability Management to connect.
    • When using the Virtual Tunnel, the connector itself makes the API calls to Sonatype to pull data down.

  Kenna Agent
    • Kenna Agent (after version 1.0.1300) supports Sonatype.
    • Kenna Agent operates as a front end for Sonatype Nexus Lifecycle. In this case, the connector does not make the API calls.
    • The Kenna Agent makes the API calls and the connector processes the data (in file format) sent by the Kenna Agent.

Deployment Method: Cloud

  No special method required
    • Cloud-based Sonatype deployments do not require the Virtual Tunnel or the Kenna Agent.

Configuring your Sonatype Connector in Cisco Vulnerability Management

To import your data from Sonatype to the Kenna.AppSec module, you need to leverage the Sonatype Connector.

Navigate to the Open Source section in the Connectors tab in your Cisco Vulnerability Management deployment and select Sonatype.


In the new screen that displays, complete the following fields:

  • Enter a name for the connector, or keep the default name (Sonatype).
  • Enter your Sonatype Username and Password.
  • Enter the Host information for your scanner.

Note: Enter the host IP (or hostname) and port without an https:// prefix; the prefix is not required. The example presented is <>.

  • Select the frequency at which you want to run your Sonatype Connector.

Tip: Match the connector frequency to how often your Sonatype scan(s) run, so each connector run picks up a fresh report.

  • For an on-premise Sonatype deployment, check the box for Use Kenna Virtual Tunnel or Use Kenna Agent, depending on which method you deployed.
  • For a cloud-based Sonatype deployment, leave both boxes unchecked.
  • Click Save and Verify.
  • If you would like to set a connector-level asset inactivity limit, you can do that now or later. Refer to Setting Asset Inactivity Limits for more information.

Important: There are no plans to support 2FA for connector credentials. The Cisco Vulnerability Management platform itself currently supports 2FA using Duo.


Which Sonatype Items Does Cisco Vulnerability Management Import?

Sonatype Field | Cisco Vulnerability Management Field | Notes
organization name OR application name | Application identifier | Search for the Application identifier in Cisco Vulnerability Management by typing application:"" in the custom query box (the identifier goes between the quotes).
External ID | |
Vulnerability Status | | Vulnerability status is Open or Closed only. False Positive and triage states are not mapped. Open vulnerabilities are those reported in the application scan reports. Closed vulnerabilities are no longer present in these reports, and Cisco Vulnerability Management will autoclose them.
Vulnerability Name | |
source_vuln id | unique_identifier on the vulnerability |
source > cves (securityData + securityIssues) | |
securityData + securityIssues without CVE data | Vulnerability (non-CVE) | These items are imported even though no CVE is associated with the identified weakness.
Last Seen | |
Source Asset Tags | | These items are turned into Tags in Cisco Vulnerability Management.

What API Calls Are Involved?

The API endpoints we leverage are:

  • api/v2/applications, to list applications
  • api/v2/reports/applications/<application_id>, to get the list of reports for each application
  • the reportDataUrl returned for each report, to download that report's data
  • api/v2/organizations, to list organizations (used for the organization name and tags)

Optional Settings

The following settings can be enabled on the back end for Sonatype Connectors.

Important: To have these settings enabled, or for more information, contact your Customer Experience (CX) Team.

  • Application ID Field
    • Override the field used for the application identifier with an ordered list of supported options.
      • For example: Sonatype: ["application_name", "organization_name"] rather than the default "application_name".
  • Exclude Informationals
    • When this option is enabled, Cisco Vulnerability Management does not import vulnerabilities that do not include a CVE, CWE, or WASC ID.
  • Skip Tags
    • This setting prevents the connector from creating any tags in Cisco Vulnerability Management from the Sonatype metadata.
  • Ignore Scanner Last Seen Time
    • Enable this if you do not want the asset last seen time in Cisco Vulnerability Management to be set from the scanner-reported last seen time.
  • Tag Reset
    • This setting keeps your Sonatype metadata in sync with Cisco Vulnerability Management. Each time the connector runs, ALL tags in Cisco Vulnerability Management on the affected assets are removed and the Sonatype tag metadata is re-created.
    • Any tags you created manually, or that were created from another connector's metadata, are removed as well; the other connectors' tags are restored only when those connectors are rerun.
  • Custom Ordered Locators
    • Locators (IP, NetBIOS, FQDN, etc.) can be reordered to better deduplicate vulnerabilities at the connector level or across the entire platform. For more information, refer to this help article.
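The following Python is an added example, not Cisco's connector or Sonatype's code. It models, offline, what the field mapping table, the API call list and the optional settings above describe: walk organizations, applications, the per-application report list and each reportDataUrl; turn every securityIssue in a report into an Open record keyed by its source and reference; close whatever was seen last run but is absent now; and apply the Application ID Field, Exclude Informationals, Skip Tags and Ignore Scanner Last Seen Time switches. The endpoint paths and the securityData / securityIssues / reportDataUrl names come from the page and the IQ Server v2 API; the helper names, the record layout, the tag resolution via applicationTags and the sample payloads are assumptions made for illustration (the sample data is constructed, and the non-CVE reference in it is a placeholder).

```python
"""Offline model of the Sonatype connector's data handling (added example,
not Cisco's or Sonatype's code; helper names and sample payloads are
assumptions, the endpoint paths and field names follow the page)."""
import base64
import json
import re
import urllib.request

# IDs that count as "not informational" for the Exclude Informationals setting.
STANDARD_ID = re.compile(r"^(CVE-\d{4}-\d{4,}|CWE-\d+|WASC-\d+)$", re.IGNORECASE)


def iq_get(base_url, path, username, password):
    """GET one v2 endpoint with basic auth (username/password, no 2FA).
    Network call; not exercised by the offline sample below."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"{base_url.rstrip('/')}/{path.lstrip('/')}"
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def application_identifier(app, org, app_id_field=("application_name",)):
    """Application ID Field override: the first option in the ordered list
    that has a value wins; the default is just ("application_name",)."""
    choices = {"application_name": app.get("name"),
               "organization_name": org.get("name")}
    for field in app_id_field:
        if choices.get(field):
            return choices[field]
    raise ValueError(f"no usable application identifier in {app_id_field}")


def resolve_tags(app, org):
    """Org tags the application applies (assumption: applicationTags
    reference the organization's tags by tagId)."""
    names = {t["id"]: t["name"] for t in org.get("tags", [])}
    return sorted(names[t["tagId"]] for t in app.get("applicationTags", [])
                  if t.get("tagId") in names)


def normalize_report(app, org, report_meta, raw_report, *,
                     app_id_field=("application_name",),
                     exclude_informationals=False, skip_tags=False,
                     ignore_scanner_last_seen=False):
    """Turn one raw report into the vulnerability records that get imported."""
    app_id = application_identifier(app, org, app_id_field)
    tags = [] if skip_tags else resolve_tags(app, org)
    last_seen = None if ignore_scanner_last_seen else report_meta.get("evaluationDate")
    records = []
    for component in raw_report.get("components", []):
        purl = component.get("packageUrl", "unknown-component")
        for issue in component.get("securityData", {}).get("securityIssues", []):
            ref = issue["reference"]
            if exclude_informationals and not STANDARD_ID.match(ref):
                continue  # no CVE/CWE/WASC id: dropped when the setting is on
            records.append({
                "application": app_id,
                # source_vuln id -> unique_identifier, scoped to the component
                "unique_identifier": f"{issue['source']}:{ref}@{purl}",
                "name": ref,
                "cve": ref.upper() if ref.upper().startswith("CVE-") else None,
                # Only Open/Closed exist: anything present in the latest report
                # is Open; triage states such as "Confirmed" are not mapped.
                "status": "Open",
                "last_seen": last_seen,
                "tags": tags,
            })
    return records


def autoclose(previous_ids, current_ids):
    """Findings imported last run but absent from the new report get closed."""
    return set(previous_ids) - set(current_ids)


def fetch_findings(base_url, username, password, **settings):
    """The endpoint walk the page lists: organizations, applications, the
    report list per application, then each report's reportDataUrl."""
    orgs = {o["id"]: o for o in
            iq_get(base_url, "api/v2/organizations", username, password)["organizations"]}
    findings = []
    for app in iq_get(base_url, "api/v2/applications", username, password)["applications"]:
        org = orgs.get(app.get("organizationId"), {})
        for meta in iq_get(base_url, f"api/v2/reports/applications/{app['id']}",
                           username, password):
            raw = iq_get(base_url, meta["reportDataUrl"], username, password)
            findings.extend(normalize_report(app, org, meta, raw, **settings))
    return findings


# Constructed sample payloads; shape modelled on the IQ Server v2 API.
SAMPLE_ORG = {"id": "org-1", "name": "payments", "tags": [{"id": "tag-1", "name": "pci"}]}
SAMPLE_APP = {"id": "app-1", "publicId": "checkout", "name": "checkout",
              "organizationId": "org-1", "applicationTags": [{"tagId": "tag-1"}]}
SAMPLE_META = {"stage": "build", "evaluationDate": "2024-05-01T10:15:00.000+0000",
               "reportDataUrl": "api/v2/applications/checkout/reports/r1/raw"}
SAMPLE_RAW = {"components": [
    {"packageUrl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "securityData": {"securityIssues": [
         {"source": "cve", "reference": "CVE-2021-44228", "severity": 10.0, "status": "Open"},
         # placeholder non-CVE reference, constructed for this example
         {"source": "sonatype", "reference": "sonatype-2021-0000", "severity": 5.0, "status": "Open"}]}},
    {"packageUrl": "pkg:npm/lodash@4.17.20",
     "securityData": {"securityIssues": [
         {"source": "cve", "reference": "CVE-2020-28500", "severity": 5.3, "status": "Confirmed"}]}},
    {"packageUrl": "pkg:npm/left-pad@1.3.0", "securityData": {"securityIssues": []}},
]}
```

Calling normalize_report(SAMPLE_APP, SAMPLE_ORG, SAMPLE_META, SAMPLE_RAW) yields three Open records under application "checkout", all tagged "pci"; with exclude_informationals=True the placeholder sonatype-2021-0000 finding is dropped, and feeding the two runs' unique_identifier sets to autoclose returns exactly that identifier as the one to close. Note that the "Confirmed" lodash issue still imports as Open, which is the page's point about triage states not being mapped.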

Common Reasons for Sonatype Connector Run Failures

  • Bad Credentials
    • If you enter incorrect credentials during the connector setup, we cannot access the Sonatype environment to make the API calls.
  • API Call Failure
    • If an API call fails (for example, because no data is available), the connector run fails.
  • Unexpected Data Returned
    • If Cisco Vulnerability Management receives data that is not in the expected format and cannot process it, the connector run fails.
  • Payload Import Failures
    • If more than 1% of connector payloads fail to import as expected, the connector run is auto-failed.

Additional Assistance:

Please contact Support should you require any additional assistance with the Sonatype Connector.
