As we are going through the audit process for the Nexus Repository Manager application (version: OSS 3.40.1-01), the auditors want to know how security for the Nexus application is managed.
Is the Nexus application code scanned periodically?
Which code scanning tools are used for this purpose?
How does the team ensure code vulnerabilities are mitigated for the Nexus application?
Sonatype evaluates all of the products we create using Nexus Lifecycle. We follow Sonatype Customer Success best practices for managing Software Composition Analysis (SCA) risk.
Nexus Repository Manager OSS and Pro are internally both part of the same project and are managed equally.
Each project also uses GitHub - sonatype/codestyle: The Sonatype Code Style Guide to apply static analysis and linting configuration. Hope this helps!