Nexus Vulnerability Scanner FAQ


Note: No source or binary code is ever exposed, uploaded, or sent to Sonatype.

What does Nexus Vulnerability Scanner do?

In minutes it analyzes your application archive and reports potential security, licensing, and quality problems in the components it contains.

The Summary report you receive provides a snapshot of the number of components found and the number and types of risks, if any. The Full Report provides an itemized inventory of components with their coordinates and associated risks. See a sample of the full, detailed report.

The report can be used not only to evaluate your own internal applications but also to check the quality of code received from third-party vendors.

How does Nexus Vulnerability Scanner work, and what information is sent to Sonatype?

Nexus Vulnerability Scanner identifies components by hash rather than by content. Each component found in your application is reduced to a fixed-length hash (the sample key below is 40 hexadecimal characters), and only these hashes are exchanged with the Sonatype Data Service; no source or binary code is ever exposed, uploaded, or sent to Sonatype. The hashes are then matched against a database of security, quality, and licensing information to generate your report. Note what a hash does and does not reveal: it is a one-way fingerprint, so the archive cannot be reconstructed from it, but a hash that matches a publicly distributed artifact does identify the exact component version you ship, which is precisely what makes the matching possible.

Here’s an example of what the information transmitted to Sonatype looks like:

  <item key="013b4d333e95f3a5ac765fc2a3ab05e9f29d7952"

The security, safety, and anonymity of your data are our greatest concern, and we take the necessary steps to ensure them.

What types of Applications can I evaluate?

Nexus Vulnerability Scanner currently evaluates compiled Java applications (the binary, not the source) and the Java components/artifacts they contain. In addition to the standard jar, war, and ear file types, it also analyzes archives with these extensions: aar, har, hpi, mar, nbm, rar, sar, tar, tar.bz2, tar.gz, tb2, tbz, tgz, wsr, zip.

How can I identify my proprietary (internally developed) components?

Listing your proprietary packages tells the scanner which components are unique to your organization. These components are then marked as proprietary in the report, so you can focus on external components.

In this field, enter the prefix of your package namespace, for example com.mycompany, which marks every component containing classes under the path com/mycompany as proprietary. To enter multiple packages, separate them with a comma or a line break.

Note: Components marked proprietary are still evaluated and matched against the database like any other component.
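The following script is an added example, not Sonatype's code, that illustrates the two mechanisms described above: hash-based component identification (only fingerprints leave the host) and the proprietary-package prefix check. It assumes SHA-1 because the sample key on this page is 40 hex characters; the scanner's real algorithm, its wire format and its data service are not documented here. The war, the jars inside it and the "knowledge base" are constructed in memory so the example runs offline; the finding text is a placeholder, not a real advisory.

```python
from __future__ import annotations

import hashlib
import io
import zipfile

# Archive types this example descends into. The real scanner also handles
# tar/gz/bz2 variants (see the FAQ); this example sticks to the zip family.
NESTED_ARCHIVES = (".war", ".ear", ".zip")
COMPONENT_EXT = ".jar"


def fingerprint(data: bytes) -> str:
    """Fixed-length hash of an artifact. SHA-1 is an assumption based on the
    40-hex-character key in the FAQ sample. Only this string ever leaves the host."""
    return hashlib.sha1(data).hexdigest()


def package_prefixes_to_paths(field: str) -> list[str]:
    """Turn the Proprietary Packages field ('com.mycompany, org.internal\\ncom.acme',
    comma- or newline-separated) into the class-path prefixes it matches."""
    raw = field.replace("\n", ",").split(",")
    return [p.strip().replace(".", "/").rstrip("/") + "/" for p in raw if p.strip()]


def is_proprietary(jar_bytes: bytes, path_prefixes: list[str]) -> bool:
    """A component is proprietary if any entry inside it sits under a listed prefix."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            return any(name.startswith(p) for name in jar.namelist() for p in path_prefixes)
    except zipfile.BadZipFile:
        return False  # not a zip-family archive, so its packages cannot be inspected


def scan_archive(data: bytes, proprietary_field: str, base: str = "") -> list[dict]:
    """Walk an application archive: hash every .jar, recurse into nested war/ear/zip
    members, and classify each component. Returns one record per component."""
    prefixes = package_prefixes_to_paths(proprietary_field)
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            name = info.filename
            member = outer.read(name)  # the nested file's original bytes
            if name.endswith(COMPONENT_EXT):
                records.append({
                    "path": base + name,
                    "key": fingerprint(member),
                    "proprietary": is_proprietary(member, prefixes),
                })
            elif name.endswith(NESTED_ARCHIVES):
                records.extend(scan_archive(member, proprietary_field, base + name + "!/"))
    return records


def render_request(records: list[dict]) -> str:
    """What would be transmitted: hashes only. Paths and bytes stay local."""
    return "\n".join(f'  <item key="{r["key"]}"/>' for r in records)


def match_components(records: list[dict], knowledge_base: dict) -> list[dict]:
    """Server-side join of received keys against known component data. Keys with
    no entry (typically proprietary code) come back without coordinates."""
    unknown = {"coordinates": None, "findings": []}
    return [{**r, **knowledge_base.get(r["key"], unknown)} for r in records]


# ---- constructed sample data (not real artifacts) -----------------------------
def build_zip(entries: dict[str, bytes]) -> bytes:
    """Deterministic in-memory zip/jar built from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            zi = zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0))
            zf.writestr(zi, entries[name], compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


CLASS_STUB = b"\xca\xfe\xba\xbe" + b"\x00" * 28  # fake class-file bytes
EXAMPLE_UTIL_JAR = build_zip({  # stands in for an open-source dependency
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/util/Helper.class": CLASS_STUB,
})
BILLING_JAR = build_zip({  # stands in for an internally developed component
    "com/mycompany/billing/Invoice.class": CLASS_STUB,
})
APP_WAR = build_zip({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/example-util-1.2.jar": EXAMPLE_UTIL_JAR,
    "WEB-INF/lib/billing-core.jar": BILLING_JAR,
})

# Constructed stand-in for the data service, keyed by fingerprint.
KNOWLEDGE_BASE = {
    fingerprint(EXAMPLE_UTIL_JAR): {
        "coordinates": "org.example:example-util:1.2",
        "findings": ["constructed placeholder: newer version available"],
    }
}

if __name__ == "__main__":
    found = scan_archive(APP_WAR, "com.mycompany")
    print("transmitted:\n" + render_request(found))
    for row in match_components(found, KNOWLEDGE_BASE):
        print(row)
```

Running it shows two `<item key="…"/>` lines with no file names or bytes in them; the proprietary jar hashes like any other but finds no entry in the knowledge base, while the open-source jar resolves to its coordinates. Wrapping APP_WAR in an ear produces the same two components with `webapp.war!/` prefixed to their paths.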

How do I use Nexus Vulnerability Scanner?

Evaluating an application is straightforward, but it can be a little confusing at first.

The most important thing: make sure you are evaluating a Java application binary (the compiled archive, not the source). People sometimes upload arbitrary files just to try the tool out; that is understandable, but it won't produce any results. If you want to try the tool, start with one of these sample files.

Once you are ready to analyze an application, you will be asked for the following information:

  • Email Address: The email address entered here is where we will send a link for your report. It will also serve as your user name for accessing the report.
  • File to Evaluate: Select a Java application archive to evaluate, typically a war, or a zip containing other wars or jars. Run Nexus Vulnerability Scanner on your binary archive and we'll send you a report with details about the components you're using.
  • Name for Report: Choose a name for your report, such as your application name so you can keep track of analyses conducted for more than one application. If you don't provide a report name, we'll just use the name of the file you selected.
  • Password: A password is required to help prevent unauthorized access to your report. If you forget your password, contact our support team for assistance, or simply re-evaluate your application.
  • Proxy Server Settings (optional): Nexus Vulnerability Scanner uses HTTPS to communicate with the Sonatype Data Service. If you connect to the web through a proxy, enter its details here.
  • Proprietary Packages (optional): Use this field to tell Nexus Vulnerability Scanner which Java packages are proprietary. The values are compared against the Java packages of the components being evaluated; on a match, the component is flagged as proprietary in the report, which helps you focus on external components. Separate multiple packages with a comma or a line break.


Need help understanding your report?

Please visit our Guide to the Nexus Vulnerability Scanner.

Who is Sonatype?

The Nexus Vulnerability Scanner is a free community service offered by Sonatype. We have a long history of supporting the open source community as the stewards of the Central (Maven) Repository and the providers of Nexus Repository Manager and Component Lifecycle Management. Learn more at our web site.
