Sonatype's Integrated Development Environment (IDE) extensions give development teams direct access to Sonatype's component intelligence. The Visual Studio 2022 extension enables a true shift left in application security by putting security into the development workflow, allowing developers to build secure applications quickly. Sonatype Extension for Visual Studio provides component analysis for the Community, Professional, and Enterprise editions of Visual Studio.

New functionality in Visual Studio 2022

The Sonatype Visual Studio 2022 extension has complete parity with the previous extension. Expanded and new features found only in this version are listed in the Supported Features section below.

Compatibility

This extension works with Visual Studio 2022 on Windows, and on Linux if your Visual Studio installation is able to run on Linux through other extensions. The IQ for Visual Studio 2019 extension must be removed before installing the Visual Studio 2022 extension. The Visual Studio 2022 extension is not supported for Visual Studio on macOS. Both the Light and Dark themes available in Visual Studio 2022 are supported.

Project Reference Managers

Projects must use the PackageReference format or the older packages.config format to be analyzed.

External Libraries

At this time, the extension only supports the locally installed project cache libraries.

Installing Sonatype for Visual Studio 2022

Sonatype for Visual Studio 2022 can be installed from within Visual Studio using the Extensions Manager or from the Microsoft Visual Studio Marketplace.

Opening Sonatype for Visual Studio 2022

You can access the extension by navigating to View -> Other Windows -> Sonatype.

Configuring Sonatype for Visual Studio 2022

IQ Server options are available from within the Visual Studio options dialog.
Authorization using IQ Server Credentials

A URL, username, and password may be entered to connect the extension to the IQ Server so that it can fetch data. The Connect button is used to verify the connection. Then select the appropriate application as configured in the IQ Server; this is required so that the policy set scoped to your application is used.

Using Certificate Authentication

The extension supports using a certificate for authentication. Clicking the Select button next to the Certificate field opens a security dialog. When a certificate is selected, the typed credentials are cleared and the certificate is used for authentication. To revert to typed credentials, fill in the username and password fields again.

The Windows Security prompt displays options from the Personal certificate store. This store is managed with MMC and the Certificates snap-in. To provide additional choices, right-click the Certificates folder and follow the prompts to install a certificate.

Note: Ensure the Trusted Root Certification Authorities store contains a record for the IQ Server reverse proxy. Restarting Visual Studio and the IQ Server extension will open a certificate prompt to establish a secure connection.

Using Sonatype for Visual Studio 2022

The Sonatype for Visual Studio tool window is accessed by clicking the Nexus IQ tab on the bottom tool strip of Visual Studio. It is also available under View -> Other Windows. Once the extension is configured and the component analysis has completed, a component view is displayed. Component versions and details are available by clicking the component name in the Component list. Review the Component Info View page for details on the returned Policy Threat levels.

Supported Features

Extension Management Icons
The "Migrate to Selected" button allows you to update your project dependencies for any NuGet direct dependency without leaving the extension. The button remains disabled until a supported version upgrade has been selected, and it is also greyed out for the currently installed version. Currently, npm components and transitive dependencies are not supported.

Component Dependency Types

The components in the component display are labeled with the [D] and [T] prefixes to denote Direct and Transitive dependencies respectively. Transitive dependencies are the components brought into the application by the project's directly referenced dependencies.

Find Usage

Right-clicking a component in the component display opens the context menu. The 'Find Usage' option displays the projects from which the component is requested. This is useful in multi-module projects for finding which project references the dependency.

Selected Component Details

The component selected in the component display includes a button to access more details about the violations associated with it. The window that opens includes Policy Violations, License Analysis, and Security Issues. Known CVEs are listed as Problem Codes that link to the violation details in the IQ Server.

Component Filter

The component filter is accessed to the left of the component display. It filters the list of components by dependency type or by the severity of the component's highest violation.

Support for both Light and Dark Themes

The extension is compatible with either the Light or Dark theme in Visual Studio 2022. The Blue theme renders the same as the Light theme.

RELEASE NOTES

For more information about individual versions, please visit the extension's official help page.
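The Project Reference Managers section above states that only projects using PackageReference or packages.config are analyzed. The following PowerShell script is an added example, not part of Sonatype's documentation or the extension, that walks a solution folder and reports which format each project uses; the $SolutionDir path is a placeholder.

```powershell
# Added example (not Sonatype's code): report, for every project under a
# solution folder, whether it uses PackageReference, packages.config, or neither
# (in which case the Sonatype extension will not analyze it).
param([string]$SolutionDir = 'C:\src\MySolution')   # placeholder path

Get-ChildItem -Path $SolutionDir -Recurse -Include *.csproj, *.vbproj, *.fsproj |
    ForEach-Object {
        $proj = $_
        $xml  = [xml](Get-Content -LiteralPath $proj.FullName -Raw)

        # Property access ignores the MSBuild XML namespace that legacy
        # (non-SDK) project files declare, so this works for both styles.
        $refs      = @($xml.Project.ItemGroup.PackageReference | Where-Object { $_ })
        $pkgConfig = Join-Path $proj.DirectoryName 'packages.config'

        if ($refs.Count -gt 0) {
            $format = 'PackageReference'
            $count  = $refs.Count
        } elseif (Test-Path -LiteralPath $pkgConfig) {
            $format = 'packages.config'
            $count  = @(([xml](Get-Content -LiteralPath $pkgConfig -Raw)).packages.package).Count
        } else {
            $format = 'none (not analyzed)'
            $count  = 0
        }

        [pscustomobject]@{
            Project        = $proj.Name
            Format         = $format
            DirectPackages = $count   # direct NuGet dependencies declared in that file
        }
    } | Format-Table -AutoSize
```

Projects whose package references are declared only in an imported file such as Directory.Build.props will show as 'none' here even though MSBuild resolves them, so treat that row as a prompt to look further rather than a final verdict.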
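The Using Certificate Authentication section above relies on two store prerequisites: a usable client certificate in the Personal store, and the reverse proxy's issuing root in Trusted Root Certification Authorities. This PowerShell script is an added example (not Sonatype's code) that checks both before you enable certificate authentication; $ProxyHost and $ClientSubject are placeholders you replace with your own values.

```powershell
# Added example (not Sonatype's code): verify the certificate-store prerequisites
# for the extension's certificate authentication.
param(
    [string]$ProxyHost     = 'iq-proxy.example.internal',   # placeholder hostname
    [string]$ClientSubject = 'CN=dev-client'                # placeholder subject fragment
)

# 1. Personal store (what the Windows Security prompt offers): the certificate must
#    be unexpired, have its private key, and carry the Client Authentication EKU.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Subject -like "*$ClientSubject*" -and
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}
if ($candidates) {
    $candidates | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Warning "No unexpired client-auth certificate with a private key matching '$ClientSubject' in Cert:\CurrentUser\My."
}

# 2. Trusted Root store: fetch the chain the proxy presents and check whether its
#    top certificate is trusted. The validation callback returns $true only so the
#    handshake completes for inspection; the trust decision is made below.
$tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($ProxyHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($serverCert)
# If the chain is partial (root not sent and not known locally), the last element
# is the highest certificate that could be found rather than the true root.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$ssl.Dispose(); $tcp.Dispose()

$trusted = @(Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $top.Thumbprint)
if ($trusted) {
    "Root '$($top.Subject)' for $ProxyHost is present in a Trusted Root Certification Authorities store."
} else {
    Write-Warning "Top certificate '$($top.Subject)' presented by $ProxyHost is NOT in Trusted Root; chain status: $($chain.ChainStatus.Status -join ', ')"
}
```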