The Challenge
Prior to using Nexus to manage, track and monitor package downloads, there was no scalable way to determine the potential liability associated with licenses for open source components used across the company.
The Engineering Management Team became concerned with the licensing issues raised by the use of open source components. Their initial process was to manually report use of new components to the information security team who would then have to evaluate potential risks. This process did not scale and was not adequate to keep pace with the volume of open source components being consumed in development. The extended duration of manual approval processes became bottlenecks to releasing software into production. In some instances, this meant that applications requiring analysis were not being shared with the information security teams.
“We have over 40 applications in production,“ explained Olivier Routier, head of CI for the DevOps Engineering team. Olivier is responsible for the integration of Nexus Repository Manager within the DevOps pipeline. Nexus is used to facilitate project builds and to map the libraries within the EDF SI. “There was little to no visibility into the libraries used within a project before we found Nexus.“
Retrospective manual security practices were in place during downstream information exchange sessions between the security and development teams, but there was little visibility into the application projects after deployment. “Manual processes don’t have the ability to track and monitor open source and third-party libraries within that many applications,” explained Olivier.
The major challenge the engineering team wanted to overcome was how get visibility into open source component usage within their applications.
The Solution
The engineering team at the eDF Group was responsible for adding Nexus Lifecycle and IQ server into their build process. The team now used Nexus Lifecycle ingrated with Eclipse, SonarQube, and Jenkins. They also integrated Ansible and OpenShift to create a continuous DevOps pipeline. The eDF Group started using Nexus with a small group of users after meeting Sonatype at several industry conferences and then inviting us to map out the possibilities. A key feature in eDF's decision to use Nexus Lifecycle was its integration with Jenkins.
The first step of getting approval for using Nexus Lifecycle was getting the security team buy-in. “If you want to create a DevOps process within your company, you must integrate your security team. With DevOps, there’s a lot of change in our processes as a result of applying more automation,” says Olivier. “A good relationship with the security team is an important one. “
He worked closely with the security team to demonstrate the value of the IQ Server reports within Nexus Lifecycle, showing the ease of creation and the accuracy of the output. “With IQ Server, you can see the transitive dependencies. Using it for the first time was like opening a wonderful gift,” Olivier said while shaking his head. "Not only is the tracking and monitoring automated, you also have the ability to launch the process manually and analyze a specific package as needed."
He worked closely with the security team to demonstrate the value of the IQ Server reports within Nexus Lifecycle, showing the ease of creation and the accuracy of the output. “With IQ Server, you can see the transitive dependencies. Using it for the first time was like opening a wonderful gift,” Olivier said while shaking his head. "Not only is the tracking and monitoring automated, you also have the ability to launch the process manually and analyze a specific package as needed."
Olivier performed tests on what information Nexus IQ server was bringing back to verify the accuracy of the data. The first thing the team did was run their WebLogic server binary through IQ server to match top-level information from a previous security report with recommendations on what to patch. The data from the Nexus IQ reports was far superior than the results delivered from the previous process.
Nexus Lifecycle's dashboard reporting empowered the developers and project teams to know what was in the libraries that were used to build the applications. The high quality of the data available in the IQ Server reports encouraged the security team to "use their own budget for it on other projects.”
The Outcome
Because of the reliability of information coming out of Nexus Lifecycle and IQ Server, the eDF project team can rapidly choose a safe version of a component, confident with their knowledge of known security and license issues. They can then track and monitor the use of those components early and everywhere through their development and deployment lifecycle.
“The biggest advantage of using IQ Server is to be able to report to our project team what specific libraries are used within our applications, with the security issues or license risks associated with those libraries. We have immediate visibility into any component that is out of compliance with our policies. That’s why we chose IQ Server. We automatically track and monitor libraries as part of our development process. Now, we’re expanding the use of Nexus outside our DevOps teams and projects.”
When asked if he would recommend Nexus Lifecycle and Nexus IQ Server, Olivier’s response is telling. “Yes. Your product is great. I can say this, because I use it.”
