Sonatype's Integrated Development Environments (IDE) extensions provide development teams with direct access to Sonatype's comprehensive component intelligence. The Visual Studio 2022 integration enables a true Shift-Left in application security for development teams by putting security into the development workflow, allowing developers to build secure applications quickly.
Sonatype Extension for Visual Studio provides component analysis for the Community, Professional, and Enterprise versions of Visual Studio.
New functionality in Visual Studio 2022
The Sonatype Visual Studio 2022 plugin has complete parity with the previous plugin. Expanded and new features found only in this version are listed in the Support Features section below.
This extension works with VS 2022 on Windows and on Linux (if your Visual Studio installation is able to run on Linux using other extensions or plugins).
The IQ for Visual Studio 2019 plugin must be removed before installing the Visual Studio 2022 plugin. The Visual Studio 2022 plugin is not supported for Visual Studio on macOS. Both the Light and Dark themes available in Visual Studio 2022 are supported.
Project Reference Managers
Projects must be opened using a PackageReference or the older packages.config format to be analyzed.
At this time, the extension only supports the locally installed project cache libraries.
Installing Sonatype for Visual Studio 2022
Sonatype for Visual Studio 2022 can be installed from within Visual Studio using the Extensions Manager or via the Microsoft Visual Studio Marketplace.
Opening Sonatype for Visual Studio 2022
You can access the extension by navigating to View -> Other Windows -> Sonatype.
Configuring Sonatype for Visual Studio 2022
IQ Server options are available from within the Visual Studio options dialog.
Authorization using IQ Server Credentials
Enter the IQ Server URL, Username, and Password so the plugin can fetch data from the IQ Server. The Connect button verifies the connection:
Select the appropriate application as configured in the IQ Server. This is required so that the policy set scoped to your application is applied.
Using Certificate Authentication
The extension supports using a certificate for authentication.
Clicking the Select button next to the Certificate field opens a security dialog. When a certificate is selected, the typed username and password are cleared and the certificate is used for authentication. To revert to typed credentials, fill in the username and password fields again.
The Windows Security prompt lists certificates from the Personal certificate store. This store is managed with MMC and the Certificates snap-in; to add further choices, right-click the Certificates folder and follow the prompts to import a certificate. Note: ensure the Trusted Root Certification Authorities store contains an entry for the IQ Server reverse proxy.
After Visual Studio is restarted, the IQ Server extension opens a certificate prompt to establish a secure connection.
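As an added pre-flight check (example code, not part of Sonatype's documentation or the extension itself), the following PowerShell script verifies the two prerequisites just described: that the current user's Personal store holds a certificate the Windows Security prompt can offer, and that the IQ Server reverse proxy's TLS certificate chains to the Trusted Root Certification Authorities store. The host name and port are placeholders for your own deployment.

```powershell
# Added example, not Sonatype code. Checks the prerequisites for
# certificate authentication to an IQ Server behind a TLS reverse proxy.
# $IqServerHost / $IqServerPort are placeholders for your own deployment.
param(
    [string]$IqServerHost = 'iq.example.internal',
    [int]$IqServerPort = 443
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU
$now = Get-Date

# 1. Certificates the Windows Security prompt can offer: Personal store,
#    private key present, time-valid, and usable for client authentication
#    (an empty EKU list means "no restriction" and also qualifies).
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.Count -eq 0 -or
     $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}
if (-not $candidates) {
    Write-Warning 'No usable client-authentication certificate in Cert:\CurrentUser\My.'
} else {
    $candidates | Select-Object Subject, Issuer, Thumbprint, NotAfter | Format-Table -AutoSize
}

# 2. Fetch the reverse proxy's server certificate. The callback accepts any
#    certificate here only so the handshake completes; trust is evaluated
#    explicitly in step 3 so the failing link in the chain can be reported.
$tcp = New-Object System.Net.Sockets.TcpClient($IqServerHost, $IqServerPort)
try {
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($IqServerHost)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# 3. Build the chain with the machine's own stores; success means the issuing
#    root is present in Trusted Root Certification Authorities.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($serverCert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "OK: $IqServerHost chains to trusted root '$($root.Subject)'"
} else {
    Write-Warning "$IqServerHost does not chain to a trusted root:"
    foreach ($s in $chain.ChainStatus) { Write-Warning "  $($s.Status): $($s.StatusInformation.Trim())" }
}
```

A failure in step 3 names the missing or untrusted link (for example an untrusted root or a name mismatch), which is the condition the Note above asks you to rule out before the certificate prompt will succeed.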
Using Sonatype for Visual Studio 2022
The Sonatype for Visual Studio tool window is accessed by clicking the Nexus IQ tab on the bottom tool strip of Visual Studio. It is also available in View under Other Windows.
Once the extension is configured and component analysis has completed, a component view is displayed. Component versions and details are available by clicking the component name in the Component list.
Review the Component Info View page for details on the returned Policy Threat levels.
Plugin Management Icons
The "Migrate to Selected" button allows you to update your project dependencies for any NuGet direct dependencies without leaving the plugin. The button remains disabled until a supported version upgrade has been selected. Currently, npm components and transitive dependencies are not supported. Likewise, the button is greyed out for the currently installed version.
Component Dependency Types
The components in the component display are labeled with the [D] and [T] prefixes to denote Direct and Transitive dependencies respectively. Transitive dependencies are the components brought into the application from the project's directly referenced dependencies.
Right-clicking a component in the component display opens the context menu. The 'Find Usage' option displays the projects that request the component, which is useful in multi-module projects to see which project references the dependency.
Selected Component Details
The selected component in the component display includes a button to access more details regarding the violations associated with the component. The opened window includes: Policy Violations, License Analysis, and Security Issues. Known CVEs are listed as Problem Codes that link to the violation details in the IQ Server.
The component filter is accessed to the left of the component display. This filter narrows the list of components by dependency type or by the severity of the component's highest violation.
Support for both Light and Dark Themes
The plugin is compatible with either Light or Dark themes found in Visual Studio 2022. The Blue theme will render the same as the Light theme.