Sonatype Connector

Sonatype’s open source SCA tool (Nexus Lifecycle) helps organizations continuously identify risk, enforce policy, and pinpoint vulnerabilities across every phase of the Software Development Lifecycle (SDLC).

Prerequisites

  • Given that Sonatype can be deployed both in the cloud or on-premises, you must have API access.
  • You must be a Cisco Vulnerability Management administrator.

The following table highlights the deployment types and their requirements.

Deployment Method Additional Information
On-premises Virtual Tunnel
  • Must be deployed in the same network as Sonatype to allow Cisco Vulnerability Management to connect.
  • When using the Virtual Tunnel, the connector makes the API calls to Sonatype to pull data down.
Agent
  • Agent (after version 1.0.1300) supports Sonatype.
  • Agent operates as a front end for Sonatype Nexus Lifecycle. In this case, the connector does not make the API calls.
  • The Agent makes the API call and the connector processes the data (in file format) sent to the Agent.
Cloud

No special method required

  • Cloud-based Sonatype deployments do not require the Virtual Tunnel or Agent.


Configuring your Sonatype Connector in Cisco Vulnerability Management

1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Open Source section, click b.

Sonatype

4. On the Sonatype page, enter the following information:
Connector

 

  • Name: Enter a name for the connector, or leave it as Sonatype.
  • Username and Password: Enter the credentials for the account that you're using.
  • Host: Enter the Host information for your scanner. Note: When entering the host IP and port, you don't need to prefix with https://. For example, <scanhost.example.com:8080>.
  • Schedule: Select the frequency that you’d like your Connector to run. (Cisco recommends mirroring the cadence of your Scans).
  • Asset Inactivity Limit: Enter a time in days for the connector level asset inactivity limit. Refer to Setting Asset Inactivity Limits for more information.
  • For a on-premises Sonatype deployment, select the option for Use Virtual Tunnel or Use Agent.
  • For a cloud-based Sonatype deployment, leave both boxes unchecked.

5. Click Save and Verify.
Important: There are no plans to support 2FA for connector credentials. Cisco Vulnerability Management currently supports 2FA using Duo.

Which Sonatype Items Does Cisco Vulnerability Management Import?

Sonatype Field

Cisco Vulnerability Management Field

Notes

organization name OR application name

Application identifier

Search for Application identifier in Cisco Vulnerability Management by using the custom query box and typing application:""

hash

EC2

 

source_asset_id

External ID

 

N/A

Vulnerability Status

Vulnerability status is Open or Closed. We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are no longer present in these reports and Cisco Vulnerability Management will autoclose the vulnerability.

Reference

Vulnerability Name

 

severity

scanner_score

 1-10

source_vuln id

unique_identifier on the vulnerability

 

source > cves

CVE

(securityData +securityIssues)

securityData + securityIssues w/o CVE data

Vulnerability (non-CVE)

These information items are imported, despite the lack of CVE information associated with the identified weakness

pathnames

Details

 

evaluationDate

Last Seen

 

application_name
Source Asset Tags

Tags

These items are turned into Tags in Cisco Vulnerability Management

 

What API Calls Are Involved?

The API endpoints that Cisco Vulnerability Management leverages are:

  • api/v2/applications API Endpoint
  • a list of reports for each application from the api/v2/reports/applications/<application_id> API endpoint
  • reportDataUrl
  • api/v2/organizations

Optional Settings

The following settings can be enabled on the back end for Sonatype Connectors. To have these settings enabled, or for more information, contact your Customer Experience (CX) team.

Application ID Field

When you enable this option you can override the field used for the application identifier from a list of supported options.
For example: Sonatype: [“application_name”, “organization_name”] rather than default "application_name"

Exclude Informationals

When you enable this option, Cisco Vulnerability Management will only import vulnerabilities that include a CVE, CWE, or WASC ID.

Skip Tags

This setting enables you to not create any Tags in Cisco Vulnerability Management based on the Sonatype metadata.

Ignore Scanner Last Seen Time

Select this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.

Tag Reset

This setting assists you with keeping your scanner metadata synchronized with Cisco Vulnerability Management. Each time the connector is run, all tags in Cisco Vulnerability Management will be removed and the scanner tag metadata re-created.

If you have created any manual tags or any tags were created from metadata from other connectors, that tag information will be removed and will be refreshed once those other connectors are rerun.

Custom Ordered Locators

Locators (such as IP, Netbios, and FQDN) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information, see the help article here.

Common Reasons for Sonatype Connector Run Failures

  • Bad Credentials. If you enter the incorrect connector credentials during the connector setup, Cisco Vulnerability Management will not have access to the environment to make the API calls.
  • If no reports are found, Cisco Vulnerability Management will abort the Connector run, rather than fail it outright.
  • If an API call fails (no data available, or other reasons).
  • If Cisco Vulnerability Management receives data that is not in the expected format and cannot process it, the connector will fail.
  • If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management will auto-fail the Connector run.

Additional Assistance

Contact Cisco Support if you require any additional assistance with the Sonatype Connector.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.