Sonatype for VS Code

Sonatype's VS Code extension integrates with Sonatype Lifecycle to assess and address dependency issues within your workspace, helping developers ensure compliance with organizational policies and make informed decisions on dependency management.

Capabilities

You can use the extension to connect to Sonatype Lifecycle and evaluate dependencies against organizational policies. Drill down into all of your dependencies, examine each component version for violations, and easily determine whether an upgrade or a change to a different version is necessary. The extension can be run in local VS Code or in VS Code running in GitHub Codespaces, and it supports Visual Studio Code Dev Containers and WSL2.

Quickstart

After installing the extension:
Supported Languages and Ecosystems
Requirements

Sonatype for VS Code must be used together with Sonatype Lifecycle. The extension needs to be configured to point to a Sonatype Lifecycle instance with the appropriate credentials.

Extension Settings

Configuration can be done in VS Code's extension settings: Settings > Extensions > Sonatype for VS Code. At minimum, the extension requires the IQ Server URL and the credentials to be set. The password can either be entered using the "Sonatype: Set IQ Server Password" command or by using the Additional settings that can be configured are

Overriding Settings per Project

You can override the properties by including a Sonatype configuration file in the project's root folder with one of the following filenames:

In this file you can choose, at the per-project (workspace folder) level, which Lifecycle application is used for analysis and whether to include or exclude development dependencies. You can also enforce the ecosystem for the current project (for example, to exclude analysis of a certain ecosystem in a given folder, or to specify that only certain ecosystems are analyzed). The syntax, with examples, is as follows:
Possible values for the For maven, the
For pnpm, list depth for transitive dependencies is by default set to 4. This can be overridden as follows:
For pip, you can specify a custom virtual environment path as follows:
Custom folders to be analyzed can be input as follows:
Folders provided in the

Running the Extension

The extension tries to determine the ecosystems for all open folders in the workspace by checking for the existence of various manifest files. It discovers all the dependencies using the manifest content and/or by running certain commands specific to each ecosystem, then analyzes the components against the policy sets associated with the target application in Lifecycle. See the list below for the manifest files used to identify each ecosystem.

Component details can be seen by clicking on the component in the Component Tree. This also populates the Version History for the selected component, where different versions of the same component can be selected to examine the details for that particular version. Both the Component Details View and the Version History View support filtering components by severity level. Multiple severity levels can be selected in both views, independently of each other. Sonatype recommends filtering by "Medium" and "High" severity levels in the Component Details View, and by "None" and "Low" in the Version History View.

Language and Ecosystem Identification

Java

Maven

Gradle

One of The extension relies on the following configurations to build the dependency tree:

Developers can also define custom configurations derived from the standard ones. However, the extension does not currently handle these custom configurations. Refer to the Java plugin documentation for more details on Java dependency management with Gradle.

JavaScript

npm
pnpm
Yarn
Go
Python

Poetry
pip
Rust

Cargo

PHP

Composer

C

Conan

Known Limitations

The extension supports resolving transitive dependencies and including or excluding development dependencies, with the following exceptions:

Release Notes

Please check the changelog for more details.