The Sonatype Platform Browser Extension supersedes the Nexus IQ Evaluation Extension. It lets developers get insight from the Sonatype Platform about open source packages as they browse public open source registries, that is, before a package is even downloaded.
To use this extension you will need access to a licensed installation of either:
- Sonatype Lifecycle
  - A license with the Advanced Legal Pack provides additional license information
- Sonatype Repository Firewall
In all cases, Sonatype IQ Server versions 150 and newer have been confirmed as supported with this extension.
Contents
- Format Support
- Installation
- Supported Languages
- Configuration
- Advanced Configuration
- Usage
- Additional Feature Support
- Caveats
- Development
- Uninstallation
- Version History
- The Fine Print
| Registry | Language | Enabled | URL | Component Version Navigation ^4 (? = mark illegible in source) |
|---|---|---|---|---|
| Alpine Linux | Alpine Linux | ✅ | https://pkgs.alpinelinux.org/ | ? |
| Clojars | Java | ✅ | https://clojars.org/ | N/A |
| CocoaPods | Swift / Objective-C | ✅ | https://cocoapods.org/ | ? |
| Conan IO | C / C++ | ✅ | https://conan.io/center/ | ? |
| CRAN | R | ✅ | https://cran.r-project.org | ? |
| Crates.io | Rust | ✅ | https://crates.io/ | ? |
| Go.dev | Go | ✅ ^1 | https://pkg.go.dev/ | N/A |
| Maven Central | Java | ✅ | https://central.sonatype.com/ | ? |
| Maven Central (simple) | Java | ✅ | https://repo.maven.apache.org/ | ? |
| Maven Central (simple) | Java | ✅ | https://repo1.maven.org/ | ? |
| Maven Central (old) | Java | ✅ | https://search.maven.org/ | ? |
| MVN Repository | Java | ✅ | https://mvnrepository.com/ | ? |
| NPM JS | JavaScript | ✅ | https://www.npmjs.com/ | ? |
| NuGet Gallery | .NET | ✅ | https://www.nuget.org/ | ? |
| Packagist | PHP | ✅ | https://packagist.org/ | ? |
| PyPI | Python | ✅ ^3 | https://pypi.org/ | ? |
| RubyGems | Ruby | ✅ | https://rubygems.org/ | ? |
| Spring.io | Java | ✅ ^2 | https://repo.spring.io/list/ | N/A |
Notes:
1. See issue #36
2. Runs on a public instance of JFrog Artifactory; support coming soon
3. By default we look up the Source Distribution. Where no Source Distribution is published we look up the first Built Distribution, which can lead to an incomplete view of risk (see Caveats below).
Some public registries are hosted on instances of Sonatype Nexus Repository and JFrog Artifactory, and you might also have private instances of either.
The Sonatype Nexus IQ Evaluation Extension supported both of these, but that support has yet to be ported to this extension.
Missing format or ecosystem? Why not raise an Issue to request?
Visit Chrome Web Store to add to Chrome.
Visit Microsoft Edge Web Store to add to Microsoft Edge.
Yes - you read right - we have localised this extension!
Currently we have translations for:
- English 🇦🇺 🇬🇧 🇺🇸
- Catalan 🇪🇸 🇦🇩
- Chinese 🇨🇳 🇸🇬 🇭🇰
- Finnish 🇫🇮
- French 🇫🇷 🇨🇭 🇨🇦 🇲🇨 🇧🇪
- German 🇩🇪 🇦🇹 🇨🇭
- Greek 🇬🇷 🇨🇾
- Korean 🇰🇷 🇨🇳
- Portuguese 🇧🇷 🇵🇹
- Spanish 🇪🇸 🇲🇽 🇨🇴 🇦🇷
- Taiwanese 🇹🇼
More are coming soon.
If you'd like to contribute a translation, please check the target locale you have in mind is supported by Chromium - see this list.
Upon successful addition of the Sonatype Platform Browser Extension, you'll automatically be shown the "Getting Started" screen to make the necessary configuration.
Enter the URL of your Sonatype IQ Server and click "Grant Permissions to your Sonatype IQ Server".
Click "Allow".
You can now enter your credentials for your Sonatype IQ Server and click "Connect". Upon successful authentication, you'll be provided a list of Applications you have permissions for in your Sonatype IQ Server - choose one!
That's it - you have configured the Sonatype Platform Browser Extension. You can close the configuration tab. If you need to make changes to the configuration
If your organisation runs one or more instances of Sonatype Nexus Repository, you can add these under Advanced Options.
NOTE: The Sonatype Nexus Repository instance must be accessible via http:// or https://.
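The server URL entered during configuration (IQ Server in the Getting Started screen, Nexus Repository under Advanced Options) is what the extension asks the browser for host permissions on, so it is worth validating before it is used. The following is an added example, not code from the Sonatype Platform Browser Extension: it normalises a user-entered server URL into the base used for API calls and the origin pattern an extension would pass to `chrome.permissions.request({ origins: [...] })`, accepting only http:// and https:// as the note above requires and rejecting embedded credentials. The function names are my own, and the `/api/v2/applications` path with Basic authentication is an assumption made for illustration.

```javascript
// Added example, not code from the Sonatype Platform Browser Extension.
// Normalises a user-entered Sonatype IQ Server (or Nexus Repository) URL into
// (a) the base URL used for API calls and (b) the origin pattern an extension
// would pass to chrome.permissions.request({ origins: [...] }).
// Only http:// and https:// are accepted; embedded credentials are rejected;
// query string and fragment are dropped. Function names are my own.

function normaliseServerUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch (e) {
    throw new Error(`Not a valid URL: ${input}`);
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`Unsupported scheme "${url.protocol}": only http:// and https:// are allowed`);
  }
  if (url.username || url.password) {
    throw new Error('Do not embed credentials in the server URL; enter them separately');
  }
  // Preserve a context path such as /iq but ensure exactly one trailing slash,
  // so relative API paths resolve underneath it rather than replacing it.
  const contextPath = url.pathname.replace(/\/+$/, '') + '/';
  return {
    baseUrl: `${url.origin}${contextPath}`,
    // Host permissions are granted per origin, so the pattern covers the whole host.
    originPattern: `${url.origin}/*`,
  };
}

// Build the request used to list the applications the user may choose from.
// The path /api/v2/applications and Basic authentication are assumptions made
// for this example; the extension's actual calls may differ.
function buildApplicationsRequest(baseUrl, username, password) {
  const credentials = btoa(`${username}:${password}`); // ASCII credentials assumed
  return {
    method: 'GET',
    url: new URL('api/v2/applications', baseUrl).toString(),
    headers: { Authorization: `Basic ${credentials}`, Accept: 'application/json' },
  };
}
```

Keeping the context path with a trailing slash matters: `new URL('api/v2/applications', 'https://host/iq')` would resolve to `/api/v2/applications` and silently miss the server, while `https://host/iq/` resolves underneath it. The scheme check also rejects `javascript:` and `file:` inputs, which parse as valid URLs but must never become a host permission.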
When browsing Sonatype Nexus Repository instances you have added, this extension will look to provide insight for Open Source Components for the following format repositories:
- CocoaPods
- Maven (Java)
- NPM (Javascript)
- PyPI (Python)
- R (CRAN)
- RubyGems
When you browse to a website that is supported by the Sonatype Platform Browser Extension, such as Maven Central, the extension will assess the component you are viewing and alert you if there are known issues.
Extensions are not always visible by default, so we recommend you pin the Sonatype Platform Browser Extension so it is easily accessible as you navigate. To do this, find the "Extensions" icon in the top right of your browser (usually), as highlighted in red:
Then click the Pin icon as highlighted next to the Sonatype Platform Browser Extension.
You'll now always have the Sonatype Platform Browser Extension icon visible in the top right.
As you browse supported registries, you'll notice the Sonatype Platform Browser Extension change colour to warn you when your Sonatype IQ Server reports issues for the component you are viewing.
To get the details behind the warning, click the Sonatype Platform Browser Extension icon (top right).
When you access the Sonatype Platform Browser Extension, you'll be shown the information known by Sonatype about the component you are viewing.
Accessing the "Remediation" tab will provide easy access to recommended versions along with a timeline of all known versions and how they stack up against your organisation's policies in your Sonatype IQ Server.
For Open Source Registries that support navigation to specific versions, you can click on the Remediation or Version to have your browser navigate to that version easily. See this table to see which Registries we have support for this.
The "Policy" tab allows you to understand why your Organisational policies were violated - i.e. what caused the violations.
The "Security" tab allows you to understand what known security issues affect the component you are viewing.
The "Legal" tab allows you to understand what open source licenses apply or might apply to the component you are viewing.
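Two URL transformations underpin the behaviour described in this section: the page being viewed must be turned into a component identifier before anything can be looked up, and a recommended version must be turned back into the registry page for that version (the Component Version Navigation column in the table above). The following is an added example, not code from the Sonatype Platform Browser Extension, covering three of the registries in that table: npmjs.com, pypi.org and central.sonatype.com. The path layouts are those of the public sites; the component shape, function names and the use of package URLs (purls) as the identifier are my own choices for illustration.

```javascript
// Added example, not code from the Sonatype Platform Browser Extension.
//  1. parseRegistryPageUrl: page being viewed -> component {type, namespace, name, version}
//  2. toPurl: component -> package URL (purl) string used as a lookup key
//  3. versionPageUrl: component + version -> registry page for that version
// Function names and the component shape are my own.

function parseRegistryPageUrl(href) {
  const url = new URL(href);
  const parts = url.pathname.split('/').filter(Boolean).map(decodeURIComponent);

  switch (url.hostname) {
    case 'www.npmjs.com': {
      // /package/<name>[/v/<version>] or /package/@scope/<name>[/v/<version>]
      if (parts[0] !== 'package' || !parts[1]) return null;
      let i = 1;
      const namespace = parts[i].startsWith('@') ? parts[i++] : null;
      const name = parts[i++];
      if (!name) return null;
      const version = parts[i] === 'v' && parts[i + 1] ? parts[i + 1] : null;
      return { type: 'npm', namespace, name, version };
    }
    case 'pypi.org': {
      // /project/<name>/[<version>/]; project names normalised per PEP 503
      if (parts[0] !== 'project' || !parts[1]) return null;
      const name = parts[1].toLowerCase().replace(/[-_.]+/g, '-');
      return { type: 'pypi', namespace: null, name, version: parts[2] || null };
    }
    case 'central.sonatype.com': {
      // /artifact/<groupId>/<artifactId>[/<version>]
      if (parts[0] !== 'artifact' || !parts[1] || !parts[2]) return null;
      return { type: 'maven', namespace: parts[1], name: parts[2], version: parts[3] || null };
    }
    default:
      return null; // not a registry this example knows
  }
}

// Serialise per the purl spec: pkg:<type>/<namespace>/<name>@<version>,
// with each segment percent-encoded (so an npm scope becomes %40scope).
function toPurl(c) {
  let purl = `pkg:${c.type}/`;
  if (c.namespace) purl += `${encodeURIComponent(c.namespace)}/`;
  purl += encodeURIComponent(c.name);
  if (c.version) purl += `@${encodeURIComponent(c.version)}`;
  return purl;
}

// Registry page for a specific version of the same component.
function versionPageUrl(c, version) {
  const v = encodeURIComponent(version);
  switch (c.type) {
    case 'npm':
      return `https://www.npmjs.com/package/${c.namespace ? c.namespace + '/' : ''}${c.name}/v/${v}`;
    case 'pypi':
      return `https://pypi.org/project/${c.name}/${v}/`;
    case 'maven':
      return `https://central.sonatype.com/artifact/${c.namespace}/${c.name}/${v}`;
    default:
      throw new Error(`No version navigation for ${c.type}`);
  }
}
```

Normalising the PyPI name before building the identifier is the step most easily missed: `Django`, `django` and `DJANGO` are the same project to the index, and a lookup keyed on the un-normalised page name would miss data that the server stores under the canonical form.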
Current and future additional features are available based on the additional capabilities provided by your Sonatype Platform license. In addition to having the correct license installed at the Sonatype IQ Server, some features require that they be enabled.
- Extended Observed License Detections - When enabled, the browser extension shows the observed licenses detected for that component.
There are a few examples of projects published to PyPI (such as mediapipe) that have not published a Source Distribution.
By default, when the Sonatype Platform Browser Extension looks up data on PyPI packages, it looks up information based on the package's Source Distribution, which takes no account of your Python version or architecture.
When no Source Distribution exists, the lookup falls back to the first Built Distribution in the list. A Built Distribution is specific to a Python version and/or architecture, so the result may not accurately represent the risks of your own use of the package if your Python version and/or architecture differ from those of that first Built Distribution.
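The fallback described above is easy to get wrong in the other direction too: treating whatever wheel happens to be listed first as representative. The following is an added example, not code from the Sonatype Platform Browser Extension, that makes the selection rule explicit (prefer the sdist, else the first wheel), parses the wheel's PEP 427 filename tags to show what that wheel is specific to, and reports whether the chosen file is actually the one your interpreter and platform would install. The release data is a constructed, trimmed sample in the shape of the public PyPI JSON API (`urls` array); the version number, filenames and function names are assumptions for illustration.

```javascript
// Added example, not code from the Sonatype Platform Browser Extension.
// Constructed sample in the shape of https://pypi.org/pypi/<name>/<version>/json
// for a project that publishes only wheels (no sdist), as the caveat describes.
// Version and filenames are illustrative, not real release data.
const SAMPLE_RELEASE = {
  info: { name: 'mediapipe', version: '0.10.9' },
  urls: [
    { packagetype: 'bdist_wheel', filename: 'mediapipe-0.10.9-cp38-cp38-macosx_11_0_universal2.whl' },
    { packagetype: 'bdist_wheel', filename: 'mediapipe-0.10.9-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl' },
  ],
};

// Wheel filenames are {dist}-{version}[-{build}]-{python}-{abi}-{platform}.whl (PEP 427);
// the last three dash-separated fields are the compatibility tags.
function parseWheelTags(filename) {
  const stem = filename.replace(/\.whl$/, '');
  const parts = stem.split('-');
  if (parts.length < 5) throw new Error(`Not a wheel filename: ${filename}`);
  const [platform, abi, python] = parts.slice(-3).reverse();
  return { python, abi, platform };
}

// The lookup rule from the caveat: sdist first, otherwise the first wheel listed.
function selectDistribution(release) {
  const sdist = release.urls.find((f) => f.packagetype === 'sdist');
  if (sdist) return { filename: sdist.filename, kind: 'sdist', specificTo: null };
  const wheel = release.urls.find((f) => f.packagetype === 'bdist_wheel');
  if (!wheel) return null;
  return { filename: wheel.filename, kind: 'bdist_wheel', specificTo: parseWheelTags(wheel.filename) };
}

// Does the selected file describe the environment you run, i.e. would pip
// have installed this file for you? env = { python: 'cp311', platformPrefix: 'manylinux' }.
// Tags may be compressed with '.', e.g. py2.py3 or manylinux_2_17_x86_64.manylinux2014_x86_64.
function matchesEnvironment(selection, env) {
  if (selection.kind === 'sdist') return true; // source applies to every environment
  const t = selection.specificTo;
  const pyOk = t.python.split('.').includes(env.python) || t.python.startsWith('py');
  const platOk = t.platform === 'any' || t.platform.split('.').some((p) => p.startsWith(env.platformPrefix));
  return pyOk && platOk;
}
```

For the sample above a Linux developer on CPython 3.11 would be shown data derived from the first wheel, a CPython 3.8 macOS build, which is exactly the mismatch the caveat warns about; `matchesEnvironment` returning false is the signal to look at the wheel you would actually install rather than the first one listed.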
We use Node 18 and Yarn 1.22.x.
To get started developing, clone the repo and run:

```shell
yarn
yarn build
```

You can run `yarn test` as well to ensure everything is set up correctly!
All source code is in `src/` and follows a fairly normal React application setup.
To remove the Sonatype Platform Browser Extension, follow the instructions for your browser to remove it.
Our version history is kept in our change log.
Supported by Sonatype Inc.