License threat - nexus not finding all libraries (AGPL)


My company utilizes Nexus Pro, and I am currently attempting to identify all libraries in our repository that pose a licensing threat. While I have managed to identify some through the “Security Vulnerability Summary,” it seems to only detect one AGPL library. I strongly believe there are more such libraries in our repository.

Security Vulnerability Summary:

com.itextpdf.tool.xmlworker != com.itextpdf.itextpdf

This leads me to think that something may not be working as expected. Any clue what we can improve here?

Hi Krzys,

Welcome to the Sonatype community! Thanks for sharing this.

If I understand correctly, you suspect other libraries/components with AGPL licenses are not detected by the Repository health check. While I don’t have any helpful tips, I recommend contacting support to get Sonatype support to look at any data issues.

I am also curious if you would be interested in blocking AGPL-licensed libraries from entering your repositories automatically in the future and how you are dealing with these right now. Please let me know.

Mandy Singh
PM, Repository Firewall.

I think this is something your support contact should submit a support ticket about to investigate. There is a limit to the number of artifacts that Repository Health Check will evaluate (though I recall a visual warning in this case).

Hi Matthew & Mandeep

Thank you for your answers.

I’m currently trying to contact support about this issue.
I think this idea around the limit might be correct, because I can see on the left side this 5k limit:

About blocking AGPL licenses.
We would like to do it; we are currently checking different spaces, SonarQube and Trivy, to understand our options here. The idea is to have something on the service deployment pipeline which may block or warn engineers about the potential license threat.
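As an added example (not Sonatype's code, nor a tool mentioned in this thread), here is a Python check of the kind a deployment pipeline could run over the POM files of the artifacts it is about to deploy, flagging AGPL and other copyleft declarations before they reach a repository. The threat families, the regex patterns and the sample POMs are assumptions; a POM that declares no license is reported as "unknown" so it is not silently treated as clean.

```python
"""Flag copyleft licenses (e.g. AGPL) declared in Maven POM files.

Added example, not Sonatype code. It reads the <licenses> block of a POM
and reports any license whose name or URL matches a copyleft pattern, so a
pipeline step can warn or fail. Detection is only as good as the POM
metadata: a POM without <licenses> is reported as "unknown".
"""
import re
import xml.etree.ElementTree as ET

# Assumed policy, checked in order so AGPL/LGPL are not misread as plain GPL.
THREAT_PATTERNS = {
    "AGPL": re.compile(r"\bAGPL\b|Affero", re.I),
    "LGPL": re.compile(r"\bLGPL\b|Lesser General Public", re.I),
    "GPL": re.compile(r"\bGPL\b|General Public", re.I),
}

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def declared_licenses(pom_xml: str) -> list[str]:
    """Return license names and URLs declared in a POM (namespaced or not)."""
    root = ET.fromstring(pom_xml)
    found = []
    for lic in root.iter():
        if lic.tag in ("license", POM_NS + "license"):
            for child in lic:
                if child.tag.endswith("name") or child.tag.endswith("url"):
                    if child.text:
                        found.append(child.text.strip())
    return found


def classify(pom_xml: str) -> str:
    """Return the threat family ("AGPL", "LGPL", "GPL"), "ok" or "unknown"."""
    texts = declared_licenses(pom_xml)
    if not texts:
        return "unknown"
    for family, pattern in THREAT_PATTERNS.items():
        if any(pattern.search(t) for t in texts):
            return family
    return "ok"


def scan(poms: dict[str, str]) -> dict[str, str]:
    """Classify a mapping of artifact coordinate -> POM text; 'ok' entries are omitted."""
    return {gav: classify(xml) for gav, xml in poms.items() if classify(xml) != "ok"}


# Constructed sample POMs (not real artifact metadata).
SAMPLE_POMS = {
    "example:agpl-lib:1.0": '<project xmlns="http://maven.apache.org/POM/4.0.0"><licenses>'
        '<license><name>GNU Affero General Public License v3</name>'
        '<url>http://www.gnu.org/licenses/agpl-3.0.html</url></license></licenses></project>',
    "example:apache-lib:2.0": '<project><licenses><license><name>Apache License 2.0</name>'
        '</license></licenses></project>',
    "example:no-license:0.1": '<project><artifactId>no-license</artifactId></project>',
}
```

Running `scan(SAMPLE_POMS)` yields the AGPL artifact and the unlicensed one, while the Apache-licensed artifact is dropped as clean.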

Did you check the configuration of the License Threat Groups?

It could be that there are a lot of licenses unselected in your license threat groups.

Ingmar those suggestions may be useful for IQ Server, however in this case the user has noticed the issue in the Nexus Repository feature Repository Health Check which doesn’t provide those controls.