Securing Applications from Vulnerabilities Using Nexus

Posted by Pooja Chandola

Developers need certain libraries/frameworks in their projects most of which can be downloaded from Maven Central. If, however, any file is absent from the central repository, developers have to fetch it from other sources over the internet. As we know, the internet is full of malicious and corrupted files and downloading such a file may put the entire project at risk of being compromised.

To avoid such instances, we can set up Nexus as a Maven proxy repository. Since the repository is maintained internally, all the dependencies in it are verified and secured. Each dependency is thus downloaded only once and served locally afterwards. If a dependency is missing from the local repository, the team of security and technical architects downloads a verified copy of that dependency and adds it to Nexus, where it is then available for use by the developers.

Nexus OSS

Nexus is a repository manager. It allows developers to proxy, collect, and manage their dependencies, saving them from juggling between collections of JARs. It also makes it easy to distribute software. Developers can configure their builds to publish artifacts to Nexus, making them available to other developers and gaining the benefit of having their own ‘central’.

Steps to use Nexus as Maven Repository Manager

  1. Add Nexus repository as a mirror in Maven settings to configure Maven to consult Nexus instead of the central Maven repository.
  2. Add Nexus server authentication information to establish a connection between Maven and Nexus.
  3. Configure pom.xml to deploy artifacts to Nexus OSS.
  4. Configure pom.xml to download artifacts from Nexus OSS as project dependencies.

Detailed Steps

Adding Mirror Settings

Add the mirror settings to the ~/.m2/settings.xml file. After configuring Nexus to be the mirror for all repositories, Maven will consult the local installation of Nexus instead of the central Maven repository. If Nexus contains the requested artifact, it is served from the local Nexus installation; otherwise, Nexus retrieves it from the remote repository and then adds it to the local mirror of that remote repository.

Adding Nexus Server Authentication Information

Define the credentials of the server in the global Maven settings.xml.
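The two settings.xml steps above, combined into one file as an added example (this is not configuration from the original post). It mirrors every repository to a single Nexus 3 instance and supplies the credentials Maven uses for it. The host name nexus.example.internal, the maven-public group repository path and the user name build-user are assumptions; the password value is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">

  <mirrors>
    <!-- mirrorOf "*" routes every repository request, including requests for
         repositories declared inside a pom.xml, to Nexus. The build machine
         therefore only ever contacts the Nexus URL, never an arbitrary
         repository on the internet. -->
    <mirror>
      <id>nexus</id>
      <name>Internal Nexus mirror</name>
      <!-- assumed host and Nexus 3 group repository path -->
      <url>https://nexus.example.internal/repository/maven-public/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>

  <servers>
    <!-- The server id must be identical to the mirror id (and to any
         repositoryId used when deploying); if they differ, Maven sends no
         credentials and the request fails as anonymous. -->
    <server>
      <id>nexus</id>
      <username>build-user</username>
      <!-- Placeholder for the value printed by `mvn --encrypt-password`;
           the master key it is encrypted with lives in
           ~/.m2/settings-security.xml, so no clear-text password is kept here. -->
      <password>{EXAMPLE_ENCRYPTED_PASSWORD_PLACEHOLDER}</password>
    </server>
  </servers>
</settings>
```

Two checks worth making on this file: keep the mirror URL on HTTPS (Maven 3.8.1 and later block plain-HTTP repositories by default, so an http:// mirror simply fails to resolve), and generate the password with `mvn --encrypt-master-password` followed by `mvn --encrypt-password` rather than pasting the clear-text credential, since settings.xml is routinely copied between build machines.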

Downloading Artifact from Nexus Repository

The Maven Dependency Plugin offers the ability to manipulate artifacts. Developers can thus copy and unpack artifacts from local or remote repositories to a specified location. For the copy to happen as part of the build, the “copy” goal must be bound to an execution in pom.xml.

  • Add and configure the Maven Dependency Plugin. Artifacts are resolved from the following sources, in order:
      1. The current reactor
      2. The local repository
      3. The configured remote repositories
  • Configure the remote repository via the repository element.
  • Run “mvn clean package” to execute pom.xml. The artifact will be downloaded into the specified directory.
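The three steps above in one pom.xml, as an added example (not from the original post): a repository element pointing at Nexus and a Maven Dependency Plugin execution that copies one artifact into the build directory during the package phase. The host nexus.example.internal, the com.example.vendor:vendor-sdk:2.4.0 coordinates and the plugin version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>nexus-consumer</artifactId>
  <version>1.0.0</version>
  <packaging>jar</packaging>

  <repositories>
    <!-- With mirrorOf "*" in settings.xml this request is redirected to the
         mirror anyway; declaring it records the intended source in the project.
         Assumed Nexus 3 group repository URL. -->
    <repository>
      <id>nexus</id>
      <url>https://nexus.example.internal/repository/maven-public/</url>
      <releases>
        <enabled>true</enabled>
        <!-- Default is "warn": a checksum mismatch only logs a warning.
             "fail" aborts the build instead of using a tampered or truncated file. -->
        <checksumPolicy>fail</checksumPolicy>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <version>3.6.1</version>
        <executions>
          <execution>
            <id>copy-vendor-sdk</id>
            <phase>package</phase>
            <goals>
              <goal>copy</goal>
            </goals>
            <configuration>
              <artifactItems>
                <!-- Exact version, no range: the copy resolves only this file,
                     reactor first, then ~/.m2, then the Nexus repository above. -->
                <artifactItem>
                  <groupId>com.example.vendor</groupId>
                  <artifactId>vendor-sdk</artifactId>
                  <version>2.4.0</version>
                  <type>jar</type>
                  <overWrite>false</overWrite>
                  <outputDirectory>${project.build.directory}/vendor</outputDirectory>
                  <destFileName>vendor-sdk.jar</destFileName>
                </artifactItem>
              </artifactItems>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn clean package` against this pom writes target/vendor/vendor-sdk.jar. The checksumPolicy setting is the one addition a practitioner should not skip: it is what turns Nexus's stored .sha1 files into an enforced integrity check on the build machine.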

Deploying Artifacts to Nexus Repository

Files, whether JARs or otherwise, can be deployed using the “deploy-file” goal of the Maven Deploy Plugin, configured in pom.xml.

  • Configure the Maven Deploy Plugin. Disable the “default-deploy” execution and add an execution for the “deploy-file” goal.

  • Define the repository information where the packaged artifacts will be deployed, via the ‘distributionManagement’ element.

  • Run “mvn clean deploy” to execute pom.xml. The artifacts will be deployed to the specified repository.
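The three deploy steps above in one pom.xml, as an added example (not from the original post). This is also the mechanism behind the introduction's "verified copy" step: once a third-party JAR has been checked against the vendor's published checksum, deploy-file is what publishes it into a hosted Nexus repository so that every developer resolves it from there. The host nexus.example.internal, the maven-releases and maven-snapshots repository paths, the lib/vendor-sdk-2.4.0.jar file and its coordinates, and the plugin version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>nexus-publisher</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <!-- Where packaged artifacts go. The id must match a <server> id in
       settings.xml so that Maven attaches credentials to the upload.
       Assumed Nexus 3 hosted repository URLs. -->
  <distributionManagement>
    <repository>
      <id>nexus</id>
      <url>https://nexus.example.internal/repository/maven-releases/</url>
    </repository>
    <snapshotRepository>
      <id>nexus</id>
      <url>https://nexus.example.internal/repository/maven-snapshots/</url>
    </snapshotRepository>
  </distributionManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-deploy-plugin</artifactId>
        <version>3.1.1</version>
        <executions>
          <!-- Binding the built-in execution to phase "none" disables it, so
               this pom itself is not uploaded; only the explicit file is. -->
          <execution>
            <id>default-deploy</id>
            <phase>none</phase>
          </execution>
          <execution>
            <id>deploy-vetted-vendor-jar</id>
            <phase>deploy</phase>
            <goals>
              <goal>deploy-file</goal>
            </goals>
            <configuration>
              <!-- Assumed local path of the JAR that was downloaded and verified by hand. -->
              <file>${project.basedir}/lib/vendor-sdk-2.4.0.jar</file>
              <!-- repositoryId selects the credentials; url reuses the release
                   repository declared in distributionManagement above. -->
              <repositoryId>nexus</repositoryId>
              <url>${project.distributionManagement.repository.url}</url>
              <groupId>com.example.vendor</groupId>
              <artifactId>vendor-sdk</artifactId>
              <version>2.4.0</version>
              <packaging>jar</packaging>
              <!-- Writes a minimal POM alongside the JAR so consumers can resolve it. -->
              <generatePom>true</generatePom>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

`mvn clean deploy` then uploads the JAR, its generated POM and their checksums to maven-releases. Use a Nexus account for this that holds only the deploy privilege on the hosted repositories, separate from the read-only account developers use for resolution, so that a leaked developer settings.xml cannot be used to publish into the trusted repository.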

Integrating Jenkins With Nexus

Nexus Platform Plugin for Jenkins is a plugin that integrates via Jenkins Pipeline or Project steps with Sonatype Nexus Repository Manager and Sonatype Nexus IQ Server.

1. Go to Manage Jenkins and navigate to Manage Plugins.

2. Install the Nexus Platform Plugin.

The available step names for the plugin include:

  • Invoke Nexus Policy Evaluation
  • Nexus Repository Manager Publisher
  • Associate Tag (Nexus Repository Manager 3.x)
  • Create Tag (Nexus Repository Manager 3.x)
  • Move Components (Nexus Repository Manager 3.x)
  • Delete Components (Nexus Repository Manager 3.x)

3. Go to Manage Jenkins and navigate to Configure System.

4. In the Sonatype Nexus section, select Nexus Repository Manager Server and configure the Nexus server.

Uploading Artifacts to Nexus via Jenkins Pipeline

1. Create a new Jenkins Pipeline.
  • In the Pipeline section of a Pipeline project configuration screen, click the Pipeline Syntax link to open the Snippet Generator.
  • In the Steps section of the Snippet Generator window, select the ‘Nexus Repository Manager Publisher’ step.
  • After filling in the step field values, copy the generated snippet into the pipeline script.

2. Save and build the pipeline. The artifact will be deployed to the specified repository.

Creating a central repository of dependencies can go a long way in securing the application from vulnerabilities. Nexus brings with it a plethora of added features that simplify the process of building the central repository and make it more robust.

Try building a repository in your organization and share your experience with us in the comments below.

That is all from us. Until next time!

