Sonatype for VS Code

Sonatype (sonatype.com) | 1,617 installs | Free

Official Sonatype Lifecycle integration
Sonatype's VS Code extension integrates with Sonatype Lifecycle to assess and address dependency issues within your workspace, aiding developers in ensuring compliance with organizational policies and facilitating informed decisions on dependency management.

Capabilities

You can use the extension to connect to Sonatype Lifecycle and evaluate dependencies against organizational policies. Drill down into all of your dependencies, examine each component version for violations, and easily determine if an upgrade or change to a different version is necessary.

The extension can run in local VS Code and in VS Code running in GitHub Codespaces, and it supports Visual Studio Code Dev Containers and WSL2.

Quickstart

After installing the extension:

  • Go to Sonatype for VS Code settings
  • Enter the IQ Server URL and your credentials
  • In the Sonatype panel, click "Run Component Analysis"

Supported Languages and Ecosystems

  • Java (Maven and Gradle)
  • JavaScript (npm, pnpm and Yarn)
  • Go (Go modules)
  • Python (Poetry, pip)
  • Rust (Cargo)
  • PHP (Composer)
  • C (Conan (1.x only))

Requirements

Sonatype for VS Code must be used together with Sonatype Lifecycle. The extension needs to be configured to point to a Sonatype Lifecycle instance with the appropriate credentials.

Extension Settings

Configuration is done in VS Code's extension settings: Settings > Extensions > Sonatype for VS Code. At minimum, the extension requires the IQ Server URL and the credentials to be set. The password can be entered either with the "Sonatype: Set IQ Server Password" command or through the SONATYPE_IQ_PASSWORD environment variable. You can clear your password with the "Sonatype: Clear IQ Server Password" command.

Additional settings that can be configured are:

  • Including or excluding development dependencies from the overall analysis.
  • Parallelization - higher values mean the component analysis will be faster, but it requires more resources from VS Code; lower values mean the component analysis will be slower, but it will have less impact on VS Code's performance.
  • Starting the Analysis on VS Code Startup for the opened workspace.

Overriding Settings per Project

You can override the properties by including a Sonatype configuration file in the project's root folder with one of the following filenames:

  • .sonatype-config
  • .sonatype-config.yml
  • .sonatype-config.yaml

In this file you can choose, per project (workspace folder), which Lifecycle application is used for analysis and whether to include or exclude development dependencies. You can also enforce the ecosystem for the current project, for example to exclude analysis of a certain ecosystem in a given folder or to restrict analysis to specific ecosystems.

Syntax with examples is as follows:

iq-for-vscode:
  applicationId: application-id-in-lifecycle
  includeDev: false
  type: ['maven', 'npm']

Possible values for the type field above are: 'maven', 'gradle', 'npm', 'yarn', 'go', 'pip', 'poetry', 'cargo', 'composer', and 'conan'.

For Maven, the settings.xml to be used can be overridden as well. The path to the settings.xml is specified as follows:

iq-for-vscode:
  maven:
    settingsXmlPath: '/.m2/alternative-settings.xml'

For pnpm, list depth for transitive dependencies is by default set to 4. This can be overridden as follows:

iq-for-vscode:
  pnpm:
    listDepth: 8

For pip, you can specify a custom virtual environment path as follows:

iq-for-vscode:
  pip:
    venvPath: customVenvPath

Custom folders to be analyzed can be input as follows:

iq-for-vscode:
  lookupFolders: ['subfolder', 'another/sub/folder']

Folders provided in the lookupFolders property must be relative to the root folder.

Running the Extension

The extension tries to determine the ecosystems for all open folders in the workspace by checking the existence of various manifest files. It discovers all the dependencies using the manifest content and/or by running certain commands specific to each ecosystem, then analyzes the components against the policy sets associated with the target application in Lifecycle. See the list below for the manifest files used to identify the ecosystem.

Component details can be seen by clicking on the component in the Component Tree. This also populates the Version History for the selected component, where different versions for the same component can be selected to examine the details for that particular version.

Both the Component Details View and the Version History View support filtering components by severity level. Multiple severity levels can be selected in each view, independently of the other. Sonatype recommends filtering by "Medium" and "High" severity levels in the Component Details View, and by "None" and "Low" in the Version History View.

Language and Ecosystem Identification

Java

Maven

pom.xml must exist in the project's root folder and an installation of mvn must be present.

Gradle

One of settings.gradle, build.gradle or build.gradle.kts must exist in the project's root folder and an installation of gradle must be present.

The extension relies on the following configurations to build the dependency tree:

  • runtimeClasspath - if the "Include Development Dependencies" flag is disabled in settings, or
  • testRuntimeClasspath - if "Include Development Dependencies" is enabled.

Developers can also define custom configurations derived from the standard ones. However, the extension does not currently handle these custom configurations.

Refer to the Java plugin documentation for more details on Java dependency management with Gradle.

JavaScript

npm

package.json and package-lock.json must exist in the project's root folder and an installation of npm must be present.

pnpm

package.json and pnpm-lock.yaml must exist in the project's root folder and an installation of pnpm must be present.

Yarn

package.json and yarn.lock must exist in the project's root folder and an installation of yarn must be present.

Go

go.mod and go.sum must exist in the project's root folder and an installation of go must be present.

Python

Poetry

  • pyproject.toml and poetry.lock must exist in the project's root folder.

pip

  • requirements.txt must exist in the project's root folder and an installation of pip, pip2 or pip3 must be present. Components must be installed in the virtual environment prior to scanning, as only installed components are discovered. The plugin searches the project root folder and the .venv and venv folders by default. You can also specify a custom virtual environment folder using the sonatype-config file.

Rust

Cargo

  • Cargo.toml and Cargo.lock must exist in the project's root folder.

PHP

Composer

  • composer.lock must exist in the project's root folder.

C

Conan

  • conan.lock must exist in the project's root folder.
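The manifest rules above, together with the `type` and `lookupFolders` overrides from the per-project configuration file and the Gradle configuration choice described under "Gradle", can be modelled as a small pure function over the files present in each workspace folder. The following TypeScript is an added example written for this page, not code from the Sonatype extension: the workspace contents and the set of installed tools are constructed in-memory rather than probed on disk, and it assumes that a `lookupFolders` list replaces the default root-only lookup (the README does not say whether it replaces or extends it).

```typescript
// Added example (not the extension's own code): models the ecosystem
// identification rules from this README as a pure function over the file
// names present in a folder, plus the per-project overrides `type` and
// `lookupFolders`. Tool availability ("an installation of mvn must be
// present") is represented by a constructed `toolsOnPath` set.

type Ecosystem =
  | 'maven' | 'gradle' | 'npm' | 'pnpm' | 'yarn' | 'go'
  | 'pip' | 'poetry' | 'cargo' | 'composer' | 'conan';

interface Rule {
  ecosystem: Ecosystem;
  allOf: string[];       // every listed manifest file must exist
  anyOf: string[];       // at least one must exist (empty = no such requirement)
  toolsAnyOf: string[];  // at least one tool must be installed (empty = none required)
}

// Manifest rules as stated under "Language and Ecosystem Identification".
const RULES: Rule[] = [
  { ecosystem: 'maven',    allOf: ['pom.xml'], anyOf: [], toolsAnyOf: ['mvn'] },
  { ecosystem: 'gradle',   allOf: [], anyOf: ['settings.gradle', 'build.gradle', 'build.gradle.kts'], toolsAnyOf: ['gradle'] },
  { ecosystem: 'npm',      allOf: ['package.json', 'package-lock.json'], anyOf: [], toolsAnyOf: ['npm'] },
  { ecosystem: 'pnpm',     allOf: ['package.json', 'pnpm-lock.yaml'], anyOf: [], toolsAnyOf: ['pnpm'] },
  { ecosystem: 'yarn',     allOf: ['package.json', 'yarn.lock'], anyOf: [], toolsAnyOf: ['yarn'] },
  { ecosystem: 'go',       allOf: ['go.mod', 'go.sum'], anyOf: [], toolsAnyOf: ['go'] },
  { ecosystem: 'poetry',   allOf: ['pyproject.toml', 'poetry.lock'], anyOf: [], toolsAnyOf: [] },
  { ecosystem: 'pip',      allOf: ['requirements.txt'], anyOf: [], toolsAnyOf: ['pip', 'pip2', 'pip3'] },
  { ecosystem: 'cargo',    allOf: ['Cargo.toml', 'Cargo.lock'], anyOf: [], toolsAnyOf: [] },
  { ecosystem: 'composer', allOf: ['composer.lock'], anyOf: [], toolsAnyOf: [] },
  { ecosystem: 'conan',    allOf: ['conan.lock'], anyOf: [], toolsAnyOf: [] },
];

// Subset of the .sonatype-config keys that affect identification.
interface ProjectConfig {
  type?: Ecosystem[];        // restrict analysis to these ecosystems
  lookupFolders?: string[];  // folders to analyse, relative to the root
  includeDev?: boolean;
}

// A workspace is a map from folder path (relative to the root, '' for the
// root itself) to the file names it contains.
type Workspace = Record<string, string[]>;

function detectInFolder(files: string[], toolsOnPath: Set<string>): Ecosystem[] {
  const has = (f: string) => files.includes(f);
  return RULES.filter(r =>
    r.allOf.every(has) &&
    (r.anyOf.length === 0 || r.anyOf.some(has)) &&
    (r.toolsAnyOf.length === 0 || r.toolsAnyOf.some(t => toolsOnPath.has(t)))
  ).map(r => r.ecosystem);
}

function detectEcosystems(
  ws: Workspace, config: ProjectConfig, toolsOnPath: Set<string>,
): Record<string, Ecosystem[]> {
  // Assumption: an explicit lookupFolders list replaces the default root lookup.
  const folders = config.lookupFolders ?? [''];
  const result: Record<string, Ecosystem[]> = {};
  for (const folder of folders) {
    // lookupFolders entries must be relative to the root: reject absolute
    // paths and parent traversal so analysis cannot wander outside the workspace.
    if (folder.startsWith('/') || folder.split('/').includes('..')) {
      throw new Error(`lookupFolders entry must be relative to the root: ${folder}`);
    }
    let found = detectInFolder(ws[folder] ?? [], toolsOnPath);
    if (config.type) found = found.filter(e => config.type!.includes(e));
    result[folder] = found;
  }
  return result;
}

// Gradle configuration used to build the dependency tree, per the README:
// runtimeClasspath without dev dependencies, testRuntimeClasspath with them.
function gradleConfiguration(includeDev: boolean): 'runtimeClasspath' | 'testRuntimeClasspath' {
  return includeDev ? 'testRuntimeClasspath' : 'runtimeClasspath';
}

// Constructed sample workspace: a Maven + npm root with a Go service and a
// pip-managed scripts folder.
const sampleWorkspace: Workspace = {
  '': ['pom.xml', 'package.json', 'package-lock.json', 'README.md'],
  'services/api': ['go.mod', 'go.sum'],
  'scripts': ['requirements.txt'],
};
const sampleTools = new Set(['mvn', 'npm', 'go', 'pip3']);

console.log(detectEcosystems(sampleWorkspace, {}, sampleTools));
console.log(detectEcosystems(sampleWorkspace,
  { lookupFolders: ['services/api', 'scripts'], type: ['go'] }, sampleTools));
```

Note that a missing tool silently drops an ecosystem rather than failing: a folder containing pom.xml on a machine without mvn yields no Maven result, which mirrors the README's "an installation of mvn must be present" and is worth checking first when an expected ecosystem is absent from the Component Tree.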

Known Limitations

The extension has support for resolving transitive dependencies and including/excluding development dependencies, with the following exceptions:

  • A dependency tree cannot be built for Pip; all dependencies are shown in a flat list.
  • Dependency scope information is not supported for Pip and Go.

Release Notes

Please check the changelog for more details.
