Sonatype Founders are credited with developing which build system?
Sonatype’s business developed through the support of which open source package service?
Which statement is true (there may be more than one)? Sonatype Nexus Platform automates …
Who is your partner technical manager at Sonatype?
Sonatype’s customer-facing teams include whom?
If a Sonatype product fails or there is a technical problem, what do you do?
What is the role of Customer Success?
Who introduced the concept of supply chain management?
What does Sonatype define as the “Tenets of Software Supply Chain Management”?
What commercial products are available from Sonatype?
Software Composition Analysis is?
Which Sonatype tools support SCA?
The Nexus SCA products are all enabled by
Nexus IQ Server includes
What feature provides the ability to identify, quantify and report OSS security and license issues?
The major part of the Nexus IQ Server is policy management; what is the main purpose of policy (one or more may be applicable)?
In the Nexus IQ Server, application categories define which policies are applied to applications. What are the default categories based upon?
Policies can be defined to identify what kind of risk?
Policy Actions allow enforcement; what is the recommended configuration for enforcement in a production environment?
Notifications allow new policy violations at any stage to be pushed to consumers. What notification options exist?
Labels in the Nexus IQ Server allow components to be
License policies use groups to aggregate the threat posed by a license; these groups are called what?
Which are license threat groups in the Nexus IQ Server?
Data Retention allows you to
Nexus IQ Server is hierarchical, with Root Organization, Organization and Application levels. The Root Organization is used to define policies which are inherited by all organizations and applications. Which statement is true?
Access controls within the Nexus IQ Server provide what roles?
In the Nexus IQ Server policies, the proxy stage is used for …
Application scanning allows you to create a
What file types can be scanned by the Nexus IQ Server clients, by default?
What mechanisms allow you to generate a bill of materials?
CIP stands for
The display for the CIP provides information on a component including
If you need to understand where the file/component exists within the context of the scanned application, where should you look?
The sBOM (software bill of materials) describes license details for each component: Declared, Observed and Effective licenses. Where do Observed licenses come from?
Security Vulnerability Information for each identified vulnerability in a component is accessible through
Each vulnerability identified as a threat to a component is identified by which parameters?
A typical public vulnerability declaration contains an identification number, a description, a severity (CVSS) and at least one public reference for publicly known cybersecurity vulnerabilities. The Sonatype Vulnerability Data adds significant value to an SCA report by providing
Project Advisories within the Vulnerability Information provide references to
What reports are available from the sBOM?
The PDF report provides links to the public CVE details (NVD), but no details related to Sonatype-specific vulnerabilities (which are not public). Where can you get a report that provides users access to this information?
The Nexus IQ CLI is a Java application; the format of the command to scan an application is
java -jar nexus-iq-cli.jar -a user:password -i <application id> -s <server url> <target archive>
What other switch would be recommended when scanning an application in order to access the report via the Application?
When you scan an application using the Nexus IQ clients, which information identifies the application within the Nexus IQ Server?
The Root Organization is typically?
Within the Nexus IQ Server, what is an organization for?
What effect does deleting an Organization within the Nexus IQ Server have?
Nexus IQ Server mandates which version of Java to run?
Nexus IQ Server requires access to which internet service?
OS vulnerability information comes from a variety of sources; what is the main public source?
IT vulnerabilities are calculated using a quantitative model to ensure repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Sonatype currently uses this system to rank security threats within policy; what is this model called?
Where do projects typically get Open Source components from?
There is a security event overload, due to increasing volumes of OS components in use, pulled from multiple locations, with many new revisions daily. Software development teams have a major challenge to ensure that the use of OS components poses minimal risk to the business. What are Sonatype’s data sources for identifying security vulnerabilities?
To identify the threat posed by the OSS components used to construct an application, and to reduce false positives and false negatives, you need a Sonatype proprietary solution that allows you to automate your DevSecOps processes. How does Sonatype identify the components within your application?
CPE is considered to be an industry standard that is used to provide a uniform way to show information on operating systems, hardware and software. It can be used for software and hardware inventory and better vulnerability management when the results from one product are tracked in a different product. Why is this insufficient for precise identification of vulnerabilities?
How does Sonatype process security events such that they are available for customers to consume?
The public CVE information is often inaccurate and not up to date, and reserved CVEs are not immediately actionable. In addition, not all projects declare their security vulnerabilities publicly, instead taking feedback from users, fixing problems, and releasing new versions with no public disclosure. In order to automate you need to know the risk associated with all of your OSS components …
Sonatype precisely identifies OSS components in applications using cryptographic hashing. This creates a hash for the application, the outer file (jar/tar/war) and all of the contents, files/folders within the application. This results in a scan.xml.gz file eventually saved within the Nexus IQ Server. This is more commonly referred to as the
The hashing of the files and folders within a typical application allows Sonatype to perform what kind of matching?
Similar matching is somewhat unique to Sonatype’s solution; how does similar matching operate and what does it allow customers to do?
Identifying security issues is a primary reason for employing SCA technologies within the SDLC. What other kinds of risk can be identified using Sonatype Nexus IQ Server?
What license information does Sonatype provide to the end user?
The effective license comes from the aggregation of declared and observed licenses. In many cases this can create a long list of licenses which may be applicable. What should you do?
Obligations are the legal criteria defined within the license; these determine the license threat. What are examples of obligations?
Given that Sonatype has catalogued more than 1500 OS licenses, how do you create a threat profile that allows a common presentation of risk within the Nexus IQ Server?
Precision allows automation, when considering legal as well as security issues. What are some of the problems associated with identifying the license details that you need in order to understand the risk associated with the use of OS components in your applications?
Allowing a legal team to reference the license details is important to categorizing the risk associated with the license obligations. Many legal teams will categorize the licenses differently based on their attitude towards risk, therefore the LTG (license threat group) can be customized by each customer. Where can the legal team find this information currently?
Everyone has a software supply chain; what part does the Nexus Repository Manager play within the software supply chain?
A repository manager allows you to both consume components from multiple sources (typically public repositories) and manage applications within the business. How does Nexus Repository Manager describe those repositories?
In order to construct modern applications, developers must consume components from multiple sources. This includes public and private repositories, as well as internal shared components. To use each of these repositories, a developer would have to reference each one as part of their build process. How does NXRM simplify this?
Within NXRM repositories manage components; where are repositories stored?
Repositories are mapped to a blob store, which holds the binary assets you download via proxy repositories or publish to hosted repositories. What are blob stores?
When you create a repository, the required attributes are defined by?
When you create a repository, several attributes are required. Some are mandatory for user configuration, others provide default configuration. One of the problems with some public repositories is that components are not immutable; Nexus Repository Manager solves this for hosted repositories by?
A group repository allows you to logically map hosted and proxy repositories into one structure; when creating a group, what is a best practice?
Nexus Repository Manager provides a basic facility to identify threats associated with the consumption of open source components. What is this facility?
Repository Health Check integrates only with proxy repositories, typically those linked to public repositories. In Nexus Repository Manager Pro, what information does it provide above the OSS product?
Maven is probably the most popular build framework for the Java ecosystem. The default behavior of Maven is to reference Maven Central (https://repo1.maven.org/maven2/). In order to consume dependencies in a way that supports a secure software supply chain, the client and/or build software (the Maven tool) needs to be configured to reference your secure private Nexus Repository Manager. What do you have to do?
Configuring a settings.xml provides access to download dependencies from a secure software supply chain repository. How do you publish your applications or components to the repository manager?
What are the Sonatype Tenets of Software Supply Chain Management?
Which product delivers the ability to select the right suppliers in the software supply chain?
Which product delivers the ability to fix problems early?
Nexus Lifecycle Foundation is an entry-level product that generates a software bill of materials for a project, but provides limited capabilities to automate the remediation of threats identified. That is the remit of the Nexus Lifecycle product; how do you enable the advanced Lifecycle features?
What major features does Nexus Lifecycle enable over the Lifecycle Foundation product?
Policy enforcement is a key capability within the policy engine; how does Sonatype recommend you implement these actions?
Not all issues need to be fixed, but this should be the exception, not the rule. Waivers should require justification, such as
Waivers can be scoped; what is the generally recommended scope of a waiver?
What options do we have to remediate security issues after a scan has been completed?
In license triage there are no false positives, given that licenses are pulled from the project object model, the source code and in some cases the project website (which is not normally associated with a specific version). If there are multiple effective licenses, what do you do?
Architectural policies provide the project with hygiene-related results, identifying components which exceed desirable architectural attributes, such as age, and identifying components which should be cleaned up, such as junit. What other policy do we typically represent?
Dealing with other policy issues primarily means dealing with the “other” policy category; this includes dealing with
Unknown components are closed source, typically developed internally or delivered by a 3rd party. Assuming that we understand the provenance of the component, the advice from Sonatype would be to
Security is typically a small group within a business, but ensuring that applications are secure is everyone’s responsibility; how does Sonatype describe its solution to enable this?
Shifting left requires integrations into the areas in which the developer operates, creating as little friction as possible; what integrations does Sonatype offer to enable this?
One way to ensure that OS risk is not introduced into an organization is to prevent components which pose a risk from being introduced. What product does Sonatype provide that allows businesses to audit their component ingestion and quarantine those which exceed a particular risk threshold?
Audit and Quarantine functionality is delivered via the Nexus Firewall product, which represents?
Audit and Quarantine is available for most but not all ecosystems; which type of repository does it integrate with?
Why do the results from the Repository Health Check and the Audit and Quarantine report show different results?
Accessing the audit and quarantine report allows teams to review the reasons why components have been denied access during their build process. What is ther
To configure Nexus Firewall to quarantine components which breach policy you must
The intent of quarantining is to prevent OS risk by blocking components from being downloaded as part of the SDLC. However, in some cases there may be some unique functionality that justifies allowing certain components through the Nexus Firewall; what statements are true?
Component hygiene can be described as “being like milk”; just as milk goes off over time, OS components become subject to more and more scrutiny as groups and individuals look for flaws in the original code to exploit. This means that one day a component is fine and passes through the Nexus Firewall, but the next day a new security vulnerability is identified. This is known as a
Sonatype AVD and Security Researchers treat zero-day vulnerabilities as a priority; these vulnerabilities are fast-tracked into the HDS (hosted data services) so that customers get notification as soon as practicable and can mitigate the risk of an exploit by a 3rd party. How is notification of a zero-day generated in the Nexus Lifecycle product?
Staging within the Nexus Repository Manager provides the ability to?
Staging within Nexus IQ Server provides the ability to promote the application scan from one stage of the defined lifecycle to another. The main purpose of this is to allow
What are the three phases associated with building a secure software supply chain?
When onboarding an application into the Nexus IQ Server, what feature reduces the friction of teams adopting the solution?
Typically, when scanning applications for the first time, teams are presented with an overwhelming number of threats highlighted within their application. In many instances not everything has to be fixed immediately, but many organizations would like to see a “clean report, with no outstanding threats” before allowing an application to release into production. What feature can be used to limit the policy violations when adopting Nexus Lifecycle?