Hello all,
My organisation has a Sonatype Nexus Repository Manager PRO 3.29.2-02 instance. As the fresh starting Application Security engineer for the organisation, I am trying to get a sense of how good (or how bad) the 3rd party libraries we rely upon are.
We are not at a maturity stage where policies can be enforced and developers’ minds changed. Therefore, it is key for me to ensure that we have an accurate measure of the problem.
With this in mind, I thought that Nexus RPM could give us this data via the Health Checker. In order to verify that the Health Check report is accurate, I did the following:
- Obtained an old(ish) NPM project;
- Installed its dependencies;
- Ran `npm audit` and counted the findings.
Then:
- Configured the NPM proxy and group on Nexus Repo Manager;
- Re-cloned my NPM project;
- Defined a `.npmrc` to use Nexus as the proxy;
- Waited for the health check to complete and counted the findings.
For reference, my local `npm audit` (using version 6.14.12) found a total of 17 issues. Much to my surprise (and disappointment), the Nexus Health Checker only identified 2 issues. What is most baffling is that the report states that only 50% of the packages were scanned. There is no explanation of why that is and/or how to fix it. For all I know, this lack of coverage is the root cause of the incorrect results.
In my view, this is an unacceptable discrepancy. I am creating this entry today in order to figure out what is possibly wrong here. As I am not allowed to attach files, here are extracts from our logs, showing that Health Check is running without errors.
2021-05-18 10:51:07,459+0000 INFO [quartz-9-thread-12] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'System - Repository Health Check: npm' [healthcheck] state change WAITING -> RUNNING
2021-05-18 10:51:07,718+0000 WARN [quartz-9-thread-12] *SYSTEM com.sonatype.insight.scan.client.ClientScanner - Could not locate client info descriptor
2021-05-18 10:51:08,191+0000 INFO [quartz-9-thread-12] *SYSTEM org.sonatype.nexus.scheduling.TaskSchedulerImpl - Task 'System - Repository Health Check: npm' [healthcheck] scheduled: hourly
2021-05-18 10:51:08,192+0000 INFO [quartz-9-thread-12] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'System - Repository Health Check: npm' [healthcheck] state change RUNNING -> WAITING (OK)
2021-05-18 10:51:18,187+0000 INFO [quartz-9-thread-12] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'System - Repository Health Check: npm' [healthcheck] state change WAITING -> RUNNING
2021-05-18 10:51:23,544+0000 INFO [quartz-9-thread-12] *SYSTEM com.sonatype.nexus.plugins.healthcheck.task.HealthCheckTask - Received health check report for repository npm
2021-05-18 10:51:23,549+0000 INFO [quartz-9-thread-12] *SYSTEM org.sonatype.nexus.scheduling.TaskSchedulerImpl - Task 'System - Repository Health Check: npm' [healthcheck] scheduled: hourly
2021-05-18 10:51:23,550+0000 INFO [quartz-9-thread-12] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'System - Repository Health Check: npm' [healthcheck] state change RUNNING -> WAITING (OK)
Finally, I would like to stress that this ticket is NOT about having Nexus support `npm audit` for developers when using Nexus without the Firewall or IQ. I am aware there is a ticket for that already here:
My assertion is that if I am to recommend developers to use Nexus, then the Health Checker must be as accurate as dependency-check or `npm audit` or equivalent for your tool of choice. If it is not meant to be, please point me to the resource/documentation or otherwise that justifies/explains the differences. If they are supposed to match, then please let me know what configuration is missing/incorrect.
Thank you for reading.
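The comparison described in the post depends on counting "issues" the same way on both sides: npm 6 reports one advisory per advisory id, each of which may affect several dependency paths, while a proxy-side health check may count affected packages instead. The script below is an added example, not code from the post or from Sonatype; it parses `npm audit --json` output in both the npm 6 shape (top-level `advisories`) and the npm 7+ shape (`auditReportVersion: 2`, top-level `vulnerabilities`), reports advisories, affected packages and vulnerable paths by severity, and gives a rough linear estimate of how much of a gap the reported scan coverage could account for. The sample reports are constructed and name no real packages or advisories; the coverage estimate assumes findings are spread evenly over scanned and unscanned packages, which is a simplification.

```python
"""Summarise `npm audit --json` output so two scanners can be compared on the same basis.

Added example (not from the original post or from Sonatype). Handles the npm 6
report shape ("advisories" keyed by advisory id, each with "findings"/"paths")
and the npm 7+ shape ("auditReportVersion": 2, "vulnerabilities" keyed by
package name). All sample data below is constructed for illustration.
"""
import json
from collections import Counter

SEVERITIES = ("info", "low", "moderate", "high", "critical")

# Constructed npm 6-style report (the poster used npm 6.14.12); not real advisories.
SAMPLE_NPM6_REPORT = json.dumps({
    "actions": [],
    "advisories": {
        "1001": {"id": 1001, "module_name": "pkg-a", "severity": "high",
                 "findings": [{"version": "1.0.0", "paths": ["pkg-a", "pkg-b>pkg-a"]}]},
        "1002": {"id": 1002, "module_name": "pkg-c", "severity": "moderate",
                 "findings": [{"version": "2.1.0", "paths": ["pkg-c"]}]},
        "1003": {"id": 1003, "module_name": "pkg-a", "severity": "low",
                 "findings": [{"version": "1.0.0", "paths": ["pkg-a", "pkg-b>pkg-a"]}]},
    },
    "muted": [],
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 1, "high": 1, "critical": 0},
                 "dependencies": 40, "devDependencies": 10, "optionalDependencies": 0,
                 "totalDependencies": 50},
})

# Constructed npm 7+-style report for the same hypothetical project.
SAMPLE_NPM7_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-a": {"name": "pkg-a", "severity": "high", "isDirect": True, "via": []},
        "pkg-c": {"name": "pkg-c", "severity": "moderate", "isDirect": True, "via": []},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 0}},
})


def summarize_audit(report_json: str) -> dict:
    """Return counts of advisories, affected packages and vulnerable paths, plus a severity breakdown."""
    report = json.loads(report_json)
    by_severity = Counter()
    packages = set()
    paths = 0
    if "advisories" in report:  # npm 6 shape: one entry per advisory id
        for adv in report["advisories"].values():
            by_severity[adv["severity"]] += 1
            packages.add(adv["module_name"])
            # each advisory lists every dependency path through which it is reachable
            paths += sum(len(f.get("paths", [])) for f in adv.get("findings", []))
        advisories = len(report["advisories"])
    elif report.get("auditReportVersion") == 2:  # npm 7+ shape: one entry per package
        for name, vuln in report["vulnerabilities"].items():
            by_severity[vuln["severity"]] += 1
            packages.add(name)
        advisories = len(report["vulnerabilities"])
        paths = advisories  # v2 reports do not enumerate per-path findings
    else:
        raise ValueError("unrecognised npm audit report shape")
    return {
        "advisories": advisories,
        "packages": len(packages),
        "paths": paths,
        "by_severity": {s: by_severity.get(s, 0) for s in SEVERITIES},
        # npm's own headline total, which is what a person reads off the CLI summary
        "metadata_total": sum(report.get("metadata", {}).get("vulnerabilities", {}).values()),
    }


def coverage_gap(local_summary: dict, remote_findings: int, remote_scanned_pct: float) -> dict:
    """Compare a proxy-side count with the local one.

    The estimate assumes findings are spread evenly across scanned and unscanned
    packages (a simplification); anything beyond that estimate is not explained by
    incomplete coverage alone and points at a difference in data source or counting.
    """
    local = local_summary["advisories"]
    expected_at_coverage = round(local * remote_scanned_pct / 100)
    return {
        "local": local,
        "remote": remote_findings,
        "missing": local - remote_findings,
        "expected_if_coverage_is_the_only_cause": expected_at_coverage,
        "unexplained_by_coverage": expected_at_coverage - remote_findings,
    }


if __name__ == "__main__":
    summary = summarize_audit(SAMPLE_NPM6_REPORT)
    print(json.dumps(summary, indent=2))
    print(coverage_gap(summary, remote_findings=1, remote_scanned_pct=50))
```

On a real project, pipe `npm audit --json` into `summarize_audit` and put the proxy-side count and the reported coverage percentage into `coverage_gap`; if the "unexplained" remainder is well above zero, the two tools are either drawing on different vulnerability data or counting different units (advisories versus packages versus paths), and that should be established before the numbers are compared at all.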