sonatype-platform-browser-extension

The Sonatype Platform Browser Extension

View project on GitHub

Sonatype Platform Browser Extension

shield_gh-workflow-test shield_license Security Rating GitHub issues GitHub forks GitHub stars

Available on the Chrome Webstore Available on the Microsoft Edge Webstore

The Sonatype Platform Browser Extension supercedes the Nexus IQ Evaluation Extension, and allows Developers to get insight from the Sonatype Platform for Open Source packages as you browse Public Open Source Registries - i.e. before a package is even downloaded!

To use this extension you will need access to a licensed installation of either:

In all cases, Sonatype IQ Server versions 150 and newer have been confirmed as supported with this extension.

Contents

Format Support

Public Registries

Registry Language Enabled URL Component Version Navigation ^4
Alpine Linux Alpine Linux https://pkgs.alpinelinux.org/
Clojars Java https://clojars.org/ N/A
CocoaPods Swift / Objective-C https://cocoapods.org/
Conan IO C / C++ https://conan.io/center/
CRAN R https://cran.r-project.org
Crates.io Rust https://crates.io/
Go.dev Go ❌ ^1 https://pkg.go.dev/ N/A
Maven Central Java https://central.sonatype.com/
Maven Central (simple) Java https://repo.maven.apache.org/
Maven Central (simple) Java https://repo1.maven.org/
Maven Central (old) Java https://search.maven.org/
MVN Repository Java https://mvnrepository.com/
NPM JS Javascript https://www.npmjs.com/
NuGet Gallery .NET https://www.nuget.org/
Packagist PHP https://packagist.org/
PyPI Python ✅ ^3 https://pypi.org/
RubGems Ruby https://rubygems.org/
Spring.io Java ❌ ^2 https://repo.spring.io/list/ N/A

Notes:

  1. See issue #36
  2. Run on a public instance of jFrog Artifactory - support coming soon
  3. By default we lookup the Source Distribution. Where no Source Distribution is published we lookup the first Built Distribution - this can lead to an incomplete view of risk - read more

Private Hosted Registries

Some public registires are hosted on instances of Sonatype Nexus Repository and jFrog Artifactory. You might also have private instances.

Sonatype Nexus IQ Evaluation Extension has support for both of these types, but this has yet to be ported to this extension.

Missing or unsupported Registry?

Missing format or ecosystem? Why not raise an Issue to request?

Installation

Installation on Chrome

Visit Chrome Web Store to add to Chrome.

Installation on Microsoft Edge

Visit Microsoft Edge Web Store to add to Microsoft Edge.

Supported Languages

Yes - you read right - we have localised this extension!

Currently we have translations for:

  • English 🇦🇺 🇬🇧 🇺🇸
  • Catalan 🇪🇸 🇦🇩
  • Chinese 🇨🇳 🇸🇬 🇭🇰 🇸🇬
  • Finnish 🇫🇮
  • French 🇫🇷 🇨🇭 🇨🇦 🇲🇨 🇧🇪
  • German 🇩🇪 🇦🇹 🇨🇭
  • Greek 🇬🇷 🇨🇾
  • Korean 🇰🇷 🇨🇳
  • Portuguese 🇧🇷 🇵🇹
  • Spanish 🇪🇸 🇲🇽 🇨🇴 🇦🇷
  • Taiwanese 🇹🇼

More are coming soon.

If you’d like to contribute a translation, please check the target locale you have in mind is supported by Chromium - see this list.

Configuration

Upon successfully addition of the Sonatype Platform Browser Extension, you’ll automatically be shown the “Getting Started” screen to make the necessary configuration.

Installation Step 1

Enter the URL of your Sonatype IQ Server and click “Grant Permissions to your Sonatype IQ Server”.

Installation Step 2

Click “Allow”.

You can now enter your credentials for your Sonatype IQ Server and click “Connect”. Upon successful authentication, you’ll be provided a list of Applications you have permissions for in your Sonatype IQ Server - choose one!

Installation Step 3

That’s it - you have configured the Sonatype Platform Browser Extension. You can close the configuration tab. If you need to make changes to the configuration

Advanced Configuration

Support for Sonatype Nexus Repository

If your organisation runs one or more instances of Sonatype Nexus Repository, you can add these under Advanced Options.

Configure Sonatype Nexus Repository

NOTE: The Sonatype Nexus Repository instance must be accessible via http:// or https://

When browsing Sonatype Nexus Repository instances you have added, this extension will look to provide insight for Open Source Components for the following format repositories:

  • CocoaPods
  • Maven (Java)
  • NPM (Javascript)
  • PyPi (Python)
  • R (CRAN)
  • RubyGems

Browsing Sonatype Nexus Repository

Usage

When you browse to a website that is supported by the Sonatype Platform Browser Extension, such as Maven Central the extension will assess the component you are viewing and alert you if there are known issues.

Pinning the Extension

Extension by default are not always visible - we recommend you Pin the Sonatype Platform Browser Extension so it is easily accessible as you navigate. To do this find the “Extensions” icon in the top right of your browser (usually) as highlighed in red:

Pinning the Extension - Step 1

Then click the Pin icon as highlighted next to the Sonatype Platform Browser Extension.

Pinning the Extension - Step 2

You’ll now always have the Sonatype Platform Browser Extension icon visible in the top right.

Opening the Extension

As you browse supported registries, you’ll notice the Sonatype Platform Browser Extension change colour to warn you when your Sonatype IQ Server reports issues for the component you are viewing.

Browsing Maven Central

To get the details behind the warning, click the Sonatype Platform Browser Extension icon (top right).

Component Information

When you acess the Sonatype Platform Browser Extension, you’ll be shown the information known by Sonatype about the component you are viewing.

Component Information

Remediation Advice

Accessing the “Remediation” tab will provide easy access to recommended versions along with a timeline of all known versions and how they stack up against your organisations policies in your Sonatype IQ Server.

Remediation Information

For Open Source Registries that support navigation to specific versions, you can click on the Remediation or Version to have your browser navigate to that version easily. See this table to see which Registries we have support for this.

Policy Violation(s)

The “Policy” tab allows you to understand why your Organisational policies were violated - i.e. what caused the violations.

Policy Violation(s) Details

Known Security Issues

The “Security” tab allows you to understand what known security issues affect the component you are viewing.

Known Security Issues

Open Source License(s)

The “Legal” tab allows you to understand what open source licenses apply or might apply to the component you are viewing.

Known Security Issues

Additional Feature Support

Current and future additional features are available based on the additional capabilities provided by your Sonatype Platform license. In addition to having the correct license installed at the Sonatype IQ Server, some features require that they be enabled.

Advanced Legal Pack

Caveats

PyPi Packages with No Source Distribution

There are a few examples of projects published to PyPi (such as mediapipe) that have not published a Source Distribution.

By default, when the Sonatype Platform Browser Extension looks up data on PyPi packages, we default to looking up information based on it’s Source Distribution - this has no consideration as to your Python Version or Architecture.

When looking up data based on a Built Distribution, this can include the Python Version and/or Architecture, and this may not provide an accurate representation of the risks associated with your use of the Package if your Python Version and/or Architrecture differ from the first Build Distribution in the list.

Development

We use Node 18 and Yarn 1.22.x.

To get started developing:

  • clone the repo
  • yarn
  • yarn build

You can run yarn test as well to ensure everything is setup correctly!

All source code is in src/ and follows a fairly normal React application setup.

Uninstallation

To remove the Sonatype Platform Browser Extension, follow the instructions for your browser to remove it.

Version History

Our version history is kept in our change log.

The Fine Print

Supported by Sonatype Inc.