How to Identify which packages have vulnerabilities in Nexus 3 OSS

Hi, I'm hoping someone can offer some guidance here. We have Sonatype Nexus 3 Repository Manager (OSS version).

We have the public PyPI repos proxied in such a way that we have a “production” repo and a “staging” repo. The thinking was that requests to add new packages to the “production” repo would first be added to “staging” so we can let the package scanner run and inform the decision as to whether we should allow it, all in order to give us better visibility and mitigate the risk in our supply chain.

Now, where this falls down is that we can obviously see how many issues were found, but for the life of me I can't find a way to view which individual packages are responsible for those issues.

Is there any way at all to see it? Or is the only answer to pay for Nexus Firewall?

Thanks
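The staging-repository inventory step described in the question, as an added example that is not part of either post and not Sonatype's own tooling: it walks the Nexus 3 components REST API (`/service/rest/v1/components`, paginated by `continuationToken`) to list every package/version currently sitting in the staging proxy, then builds a batch query for the OSV vulnerability database (`api.osv.dev/v1/querybatch`) and pairs the results back to the packages. OSV is an assumed external data source that the thread never mentions; it is used here only to show how a per-package view can be produced when the OSS edition will not display one. `NEXUS_URL`, `STAGING_REPO`, the credentials handling and all sample API responses are constructed for this example.

```python
import base64
import json
import urllib.request

# Assumed values, not from the thread: point these at your own instance.
NEXUS_URL = "https://nexus.example.internal"
STAGING_REPO = "pypi-staging"
OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"


def components_page_url(base, repo, token=None):
    """URL for one page of the Nexus 3 components API (real endpoint)."""
    url = f"{base}/service/rest/v1/components?repository={repo}"
    return f"{url}&continuationToken={token}" if token else url


def parse_components_page(page):
    """Return [(name, version), ...] from one page plus the next continuation token."""
    items = [(c["name"], c["version"]) for c in page.get("items", [])]
    return items, page.get("continuationToken")


def list_components(fetch, base, repo):
    """Walk every page. `fetch` is a callable url -> dict so it can be swapped offline."""
    found, token = [], None
    while True:
        items, token = parse_components_page(fetch(components_page_url(base, repo, token)))
        found.extend(items)
        if not token:
            return found


def osv_batch_query(packages):
    """Build the OSV querybatch body for PyPI packages pinned to exact versions."""
    return {"queries": [{"package": {"name": n, "ecosystem": "PyPI"}, "version": v}
                        for n, v in packages]}


def match_results(packages, osv_response):
    """OSV returns results in query order; pair each package with the ids it reported."""
    flagged = {}
    for pkg, result in zip(packages, osv_response.get("results", [])):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            flagged[pkg] = ids
    return flagged


def http_json(url, body=None, auth=None):
    """Minimal live client (not exercised offline): GET, or POST JSON when body is given."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers={"Accept": "application/json"})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses so the flow runs without a Nexus instance or network.
SAMPLE_PAGES = {
    components_page_url(NEXUS_URL, STAGING_REPO): {
        "items": [{"name": "requests", "version": "2.25.0", "format": "pypi"}],
        "continuationToken": "page2",
    },
    components_page_url(NEXUS_URL, STAGING_REPO, "page2"): {
        "items": [{"name": "urllib3", "version": "1.26.4", "format": "pypi"}],
        "continuationToken": None,
    },
}
# Placeholder advisory id, constructed for the example; it is not a real OSV entry.
SAMPLE_OSV = {"results": [{"vulns": [{"id": "PLACEHOLDER-0001"}]}, {}]}


def staged_packages_with_findings(fetch=SAMPLE_PAGES.get, osv=lambda body: SAMPLE_OSV):
    """End-to-end: inventory the staging repo, query OSV, return {(name, version): [ids]}."""
    packages = list_components(fetch, NEXUS_URL, STAGING_REPO)
    return match_results(packages, osv(osv_batch_query(packages)))


if __name__ == "__main__":
    # Live run (assumed credentials): replace the offline stubs with real HTTP calls.
    live_fetch = lambda url: http_json(url, auth=("reviewer", "changeme"))
    live_osv = lambda body: http_json(OSV_BATCH_URL, body=body)
    for pkg, ids in staged_packages_with_findings(live_fetch, live_osv).items():
        print(f"{pkg[0]}=={pkg[1]}: {', '.join(ids)}")
```

Pinning each query to the exact staged version matters: asking OSV for a package name alone returns every advisory ever filed against it, which is the same "a number, but not which package" problem the question describes.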

If you’re referring to Repository Health Check, then with a Nexus Repository Pro license you’re able to see the details of the report. Alternatively with Nexus Firewall you’re also able to prevent components from being proxied based on policy.

Generally it sounds like you may be trying to build a golden repository, but we’d suggest that will create developer friction and delay by forcing them to jump through hoops to get components approved.
