Updating License Threat Groups in Bulk

The License Threat Group Updater tool discussed in this article is not an officially supported product feature.

The Sonatype Data Team releases updates to License Threat Groups (LTGs) on an almost monthly basis. These updates contain both shifts in the mappings and new licenses that have been researched by our legal researchers.

Updates are not automatically applied to your local IQ Server instance.

Applying these updates may require some review by your own legal departments. At this time there is no formal UI built into IQ Server to walk users through that process.

In lieu of that, we do offer a CLI tool (LTG Updater) that can be used to apply these updates. The community thread is also where we post the CSV files that contain the latest mappings.

Instructions for Updating Nexus IQ License Threat Groups

Please consider backing up your existing installation prior to running the updater. For instructions, see Backing up the IQ Server.

usage: java -jar ltg-updater-1.0.0.jar -s http://localhost:8070 -u
       adminUser -p adminPassword -i path/to/update.csv -d -f [-d] [-e]
       [-f] [-h] [-i <arg>] [-p <arg>] [-s <arg>] [-u <arg>]
 -d,--default          Select all default choices.
 -e,--silent           Disable all input and output to the CLI.
                       Automatically selects default choices.
 -f,--force_review     Even if default choices or silent are selected this
                       option will force the review of license changes.
 -h,--help             Prints help message.
 -i,--input <arg>      Path to CSV file of license to LTG mapping.
 -p,--password <arg>   Admin password.
 -s,--server <arg>     Url to Nexus IQ server.
 -u,--user <arg>       Admin username.

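The updater currently supports only basic auth and must be supplied with credentials for the Nexus IQ Admin user, as it will make updates to the Root Organization LTGs. Because the password is passed as a command-line argument, it can end up in shell history and is visible in the process list on the machine where the updater runs. It is recommended that users enable the -d and -f options to select default choices and to force a review of any license LTG changes.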

java -jar ltg-updater-1.0.0.jar -s http://localhost:8070 -u admin -p admin123 -i license_ltgs_12052019.csv -d -f

Prompts

Add all unassigned licenses to LTGs in root organization? [Y/n]

This is asking if all currently unassigned licenses should be assigned to LTGs in the Root Organization. Answering ‘Yes’ is recommended. This will also recreate any Sonatype defined LTGs that have been removed from the Root Organization for any reason.

License 'SautinSoft-Document-.Net-LA' is now assigned to LTG 'Banned', but that LTG does not exist in organization 'Sandbox Organization', would you like to create a new LTG for this organization that represents the 'Banned' LTG? [y/N]

This is asking if you would like to create a new LTG within this organization (‘Sandbox Organization’) that will contain all licenses in this update that Sonatype has assigned to ‘Banned’. If you are very particular about licenses, or have created an ‘approved LTG’, it may be best to not create this new LTG.

Keep the existing assignment for 'SautinSoft-Document-.Net-LA', assigned to 'My Restricted Licenses', in organization 'Sandbox Organization'? [Y/n]

If you didn’t create a new LTG for this license in this organization (‘Sandbox Organization’), it will ask if you want to preserve the existing assignment. It is recommended that you preserve this assignment. If you choose not to, the license will be removed from the currently assigned LTG (‘My Restricted Licenses’). Removing the license might be acceptable depending on your policies, as it will be added to the Root Organization LTGs if that option was selected at the start.

New LTG name: [Sandbox Organization Banned] 2019-09_license_update Banned
New LTG threat level: [10] 5

If you responded that you wish to create a new LTG, you will be prompted for a new LTG name and threat level. After this LTG is created, all future licenses in this update that would map to the Sonatype suggested LTG will instead map to your custom LTG for that organization.

Updating 'SautinSoft-Document-.Net-LA':
	'Internal Organization' : 'My Approved Licenses' -> 'My Approved Licenses'
	'Sandbox Organization' : 'My Restricted Licenses' -> '2019-09_license_update Banned'

This update statement illustrates the preceding point: all licenses that Sonatype is assigning to ‘Banned’ will instead be mapped to ‘2019-09_license_update Banned’ for the organization ‘Sandbox Organization’.

Review LTG updates? [Y/n] y

New licenses added to Root Organization:

	Banned
		MS-Report-Viewer-Runtime-for-MS-SQL-Server
		MS-SCLR-For-Sql-Server-2016
		MS-VS-2015-Pre-Release-Software-License
		SautinSoft-Document-.Net-LA
		SautinSoft-Excel-to-PDF-.Net-LA
		SautinSoft-HTML-to-RTF-.Net-LA
		SautinSoft-PDF-Focus-.Net-LA
		SautinSoft-PDF-Metamorphosis-.Net-LA
		SautinSoft-PDF-Vision-.Net-LA

	Commercial
		MS-SQL-Server-2017-SMO-License
		MS-VS-2015-SDK-License

Updated licenses:

Sandbox Organization
	My Restricted Licenses
		SautinSoft-Document-.Net-LA
		SautinSoft-Excel-to-PDF-.Net-LA
		SautinSoft-HTML-to-RTF-.Net-LA

Internal Organization
	Internal Organization Banned
		MS-Report-Viewer-Runtime-for-MS-SQL-Server
		MS-SCLR-For-Sql-Server-2016
		MS-VS-2015-Pre-Release-Software-License
		SautinSoft-Document-.Net-LA
		SautinSoft-Excel-to-PDF-.Net-LA
		SautinSoft-HTML-to-RTF-.Net-LA
		SautinSoft-PDF-Focus-.Net-LA
		SautinSoft-PDF-Metamorphosis-.Net-LA
		SautinSoft-PDF-Vision-.Net-LA

	My Approved Licenses
		MS-SQL-Server-2017-SMO-License
		MS-VS-2015-SDK-License


Approve LTG updates? [Y/n]

After applying all of the updates you will be given the opportunity to review your changes.
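
To keep a record of what was approved, the review output shown above can be captured and flattened into one row per license for legal sign-off. The following is an added example, not part of the LTG Updater or of this article's original content; it assumes the output is tab-indented exactly as displayed here, and the function names and sample text are constructed for illustration.

```python
import csv
import io
ROOT_HEADER = "New licenses added to Root Organization:"
UPDATED_HEADER = "Updated licenses:"

# Constructed sample: a shortened copy of the review output shown above.
# Assumption: the tool indents with tabs exactly as the article displays.
SAMPLE = (
    "Review LTG updates? [Y/n] y\n\n"
    "New licenses added to Root Organization:\n\n"
    "\tBanned\n\t\tSautinSoft-Document-.Net-LA\n\n"
    "\tCommercial\n\t\tMS-VS-2015-SDK-License\n\n"
    "Updated licenses:\n\n"
    "Sandbox Organization\n\tMy Restricted Licenses\n\t\tSautinSoft-Document-.Net-LA\n\n"
    "Approve LTG updates? [Y/n]\n"
)

def parse_review(text):
    """Return (change, organization, ltg, license) rows from review output."""
    rows, change, org, ltg = [], None, None, None
    for raw in text.splitlines():
        name = raw.strip()
        depth = len(raw) - len(raw.lstrip("\t"))
        if not name:
            continue
        if name == ROOT_HEADER:
            change, org, ltg = "new", "Root Organization", None
        elif name == UPDATED_HEADER:
            change, org, ltg = "updated", None, None
        elif name.startswith("Approve LTG updates?"):
            break                      # end of the review block
        elif change is None:
            continue                   # prompts printed before the review
        elif depth == 0:
            org, ltg = name, None      # organization line
        elif depth == 1 and org:
            ltg = name                 # LTG within the current organization
        elif depth == 2 and org and ltg:
            rows.append((change, org, ltg, name))
        else:
            raise ValueError(f"unexpected line in review output: {raw!r}")
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["change", "organization", "ltg", "license"])
    writer.writerows(rows)
    return buf.getvalue()
```

Lines that do not fit the expected nesting raise an error rather than being dropped, so a change in the tool's output format cannot silently produce an incomplete review record.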

Requirements

  • Java 1.8 or greater.
  • Nexus IQ 1.4x or greater.