Spdx.org used in Nexus IQ extension for Azure DevOps version 1.7.5

Question for the Sonatype team:

Since version 1.7.5 of the Sonatype extension called “Nexus IQ for Azure DevOps” (Nexus IQ for Azure DevOps - Visual Studio Marketplace), a call is made to spdx.org to check some license information.

This means companies with strict network rules in Azure DevOps (which prevent accessing the internet from Azure DevOps directly) need to whitelist spdx.org, or else the stage for Nexus IQ will fail.

Why has the change been made to reach out to this domain via the extension? Companies now need to whitelist this domain, while the domain is not vetted by the companies themselves, opening up their Azure DevOps environment to access resources on an unvetted internet page.

Of course spdx.org is maintained by the Linux Foundation, but still this causes some headache internally, as companies either need to urgently whitelist spdx.org or roll back and pin their Azure DevOps pipeline templates to version 1.7.3 of the extension (which corresponds to Nexus IQ version 164 if I am correct).

@jwhitehouse I tagged you just to see if this is something you are aware of.

Furthermore, what data is exactly exchanged with spdx.org?

Hey @ingmar.vis! Thank you for your question. I spoke to our Integrations team about this and I’ll do my best to summarize their response.

The reason the IQ Azure DevOps extension tries to access spdx.org is to validate that the license IDs present in the input file are valid SPDX licenses. The extension has a cache of valid license IDs internally, but it tries to keep it up to date by fetching the latest data from spdx.org. So if it cannot access spdx.org, it just logs that fact for information purposes and should continue working based on the internal cache. In other words, if you do not whitelist spdx.org, the pipeline should not fail. When spdx.org is reachable, the extension pulls only license info data (in JSON format).

If you experience pipeline failures, the recommendation is to open a ticket with our Support team so we can take a closer look and investigate further.

I hope this helps a bit but let me know if you have further questions/concerns.
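The refresh-with-fallback behaviour described in the answer above, as an added example written for this page. It is not code from the Nexus IQ for Azure DevOps extension, and it makes no claim about how that extension is implemented internally; it shows how a validator can attempt to refresh its SPDX license list from spdx.org and, when the network is blocked, log that and fall back to a bundled cache so the pipeline step does not fail. The URL `https://spdx.org/licenses/licenses.json` is SPDX's published license list; the assumed response shape (a `licenses` array of objects with `licenseId` and `isDeprecatedLicenseId`) matches that file as published but is not something the forum thread states. The bundled cache and the sample document are constructed for the example and are deliberately small.

```python
"""Validate SPDX license IDs, refreshing from spdx.org when reachable and
degrading to a bundled cache when egress is blocked.

Added example for this thread; not Sonatype code. Assumptions:
  - SPDX_LICENSE_LIST_URL returns JSON of the form
      {"licenses": [{"licenseId": "MIT", "isDeprecatedLicenseId": false, ...}, ...]}
  - BUNDLED_LICENSE_IDS stands in for a real shipped cache (constructed, tiny).
"""
import json
import logging
import urllib.request
from typing import Callable, FrozenSet, Iterable

SPDX_LICENSE_LIST_URL = "https://spdx.org/licenses/licenses.json"

# Constructed stand-in for the cache an extension would ship with.
BUNDLED_LICENSE_IDS: FrozenSet[str] = frozenset(
    {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only", "GPL-3.0-only"}
)

# Constructed sample of what the live list looks like (assumed shape, see module docstring).
SAMPLE_SPDX_DOCUMENT = {
    "licenses": [
        {"licenseId": "MIT", "isDeprecatedLicenseId": False},
        {"licenseId": "0BSD", "isDeprecatedLicenseId": False},
        {"licenseId": "GPL-2.0", "isDeprecatedLicenseId": True},  # superseded by GPL-2.0-only
    ]
}

log = logging.getLogger("spdx-validate")


def parse_spdx_license_ids(doc: dict) -> FrozenSet[str]:
    """Extract non-deprecated license IDs from a license-list document."""
    ids = {
        entry["licenseId"]
        for entry in doc.get("licenses", [])
        if not entry.get("isDeprecatedLicenseId", False)
    }
    if not ids:
        # An empty or malformed list must not silently replace a good cache.
        raise ValueError("SPDX license list contained no license IDs")
    return frozenset(ids)


def fetch_spdx_license_ids(url: str = SPDX_LICENSE_LIST_URL, timeout: float = 5.0) -> FrozenSet[str]:
    """Plain HTTPS GET of the public license list; raises on any failure.
    Nothing is sent beyond the request itself, so egress policy only has to
    permit a GET to spdx.org if you want the refresh at all."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_spdx_license_ids(json.load(resp))


def load_license_ids(fetcher: Callable[[], FrozenSet[str]] = fetch_spdx_license_ids):
    """Return (ids, source). Network or parse failure is logged, never raised."""
    try:
        ids = fetcher()
        log.info("refreshed %d SPDX license IDs from spdx.org", len(ids))
        return ids, "spdx.org"
    except Exception as exc:  # DNS/proxy block, timeout, bad JSON, empty list
        log.info("could not refresh SPDX license list (%s); using bundled cache", exc)
        return BUNDLED_LICENSE_IDS, "bundled-cache"


def validate_license_ids(candidates: Iterable[str],
                         fetcher: Callable[[], FrozenSet[str]] = fetch_spdx_license_ids) -> dict:
    """Check each candidate ID against the best list available.
    'LicenseRef-*' identifiers are user-defined by the SPDX spec and never
    appear in the public list, so they are accepted without lookup."""
    known, source = load_license_ids(fetcher)
    invalid = sorted(
        {c for c in candidates if not c.startswith("LicenseRef-") and c not in known}
    )
    return {"source": source, "invalid": invalid}


def _blocked_fetch() -> FrozenSet[str]:
    """Simulates an agent whose egress policy does not allow spdx.org."""
    raise OSError("connection to spdx.org refused by network policy")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    ids_from_file = ["MIT", "Apache-2.0", "LicenseRef-Internal-EULA", "Not-A-License"]
    # Blocked network: falls back to the bundled cache and still completes.
    print(validate_license_ids(ids_from_file, fetcher=_blocked_fetch))
    # Reachable network, using the constructed sample instead of a live call.
    print(validate_license_ids(ids_from_file,
                               fetcher=lambda: parse_spdx_license_ids(SAMPLE_SPDX_DOCUMENT)))
```

The point for the original question is in `load_license_ids`: the refresh is best-effort and the only observable effect of blocking spdx.org is an informational log line, so a failing pipeline stage would indicate something other than the missing whitelist entry and is worth a support ticket as the answer suggests.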