News and Notes from the Makers of Nexus | Sonatype Blog

Identify Vulnerable Components Using Sonatype Lifecycle

Written by Ilkka Turunen | February 19, 2018

Following the recent announcement that a malicious version of the npm package conventional-changelog had been uploaded (read more in Brian's blog post), I wanted to write a quick tutorial on how customers using the Sonatype Lifecycle tool can quickly search for a specific component across all the applications they have previously scanned.

When a bad component like the malicious version of conventional-changelog gets out in the wild, it is important to react quickly and find out which applications might be affected.

Sonatype Lifecycle provides an API for exactly this: the Component Search API. I have recorded the video below showing how to use Sonatype Lifecycle to find a list of all applications containing this vulnerable component.

Syntax

The search syntax I used in the above video is as follows, shown first in readable form and then URL-encoded as it must actually be sent. I use curl to keep the request simple, but feel free to use any HTTP client.


curl -u admin:admin123 -X GET 'http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier={"format":"a-name","coordinates":{"name":"conventional-changelog-core","qualifier":"","version":"1.2.0"}}'
  • stageId tells IQ Server which previous scans to search, depending on the environment. To search scans of production artifacts, you would use 'operate'. Possible values: develop, build, stage-release, release, operate.

  • componentIdentifier contains the search term.

  • format corresponds to the type of package you're searching for. In this case, we're searching for authoritative JavaScript packages, a-name for short.

  • name in coordinates corresponds to the name of the package we're searching for.

  • version is the version you want to search for.

URL Encoded

To pass the search to the API, you must URL encode your component identifier.

curl -u admin:admin123 -X GET "http://localhost:8070/api/v2/search/component?stageId=operate&componentIdentifier=%7B%22format%22%3A%22a-name%22%2C%22coordinates%22%3A%7B%22name%22%3A%22conventional-changelog-core%22%2C%22qualifier%22%3A%22%22%2C%22version%22%3A%221.9.0%22%7D%7D"
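The same lookup as a small script, added here as an example that is not from the post or from Sonatype: it builds the componentIdentifier JSON, lets urllib produce the %7B/%22 encoding the post writes out by hand, and queries every stage so a component is found whether it was scanned in build or in operate. The IQ Server URL and credentials are the post's localhost defaults; the response fields results, applicationId and applicationName are assumed from the API and are not shown in the post.

```python
"""Search Sonatype IQ Server for applications that contain a given component."""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Defaults from the post; override for a real IQ Server.
IQ_URL = "http://localhost:8070"
STAGES = ("develop", "build", "stage-release", "release", "operate")


def component_identifier(name, version, fmt="a-name", qualifier=""):
    """Build the componentIdentifier JSON in the compact form the API expects."""
    ident = {"format": fmt,
             "coordinates": {"name": name, "qualifier": qualifier, "version": version}}
    return json.dumps(ident, separators=(",", ":"))


def search_url(base_url, stage_id, ident):
    """Assemble the query string; urlencode() escapes the braces, quotes, colons and commas."""
    if stage_id not in STAGES:
        raise ValueError(f"unknown stageId {stage_id!r}; expected one of {STAGES}")
    query = urllib.parse.urlencode({"stageId": stage_id, "componentIdentifier": ident})
    return f"{base_url}/api/v2/search/component?{query}"


def search(base_url, user, password, stage_id, ident):
    """GET the search URL with HTTP basic auth and return the decoded JSON response."""
    req = urllib.request.Request(search_url(base_url, stage_id, ident))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def main():
    # Usage: python iq_search.py <user> <password> <package-name> <version>
    user, password, name, version = sys.argv[1:5]
    ident = component_identifier(name, version)
    for stage in STAGES:
        result = search(IQ_URL, user, password, stage, ident)
        # Field names below are assumed from the Component Search API, not taken from the post.
        for hit in result.get("results", []):
            print(stage, hit.get("applicationId"), hit.get("applicationName"))


if __name__ == "__main__":
    main()
```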