Article Contents
- Feature Summary
- Default Script Settings Nexus Repository 3.21.2 and Newer
- Default Script Settings Nexus Repository 3.21.1 and Older
- FAQ
  - How do I Enable All Script Features in Nexus Repository 3.21.2 and Newer?
  - How do I Temporarily Allow Adding/Editing a Script Source?
  - Why is Scripting Disabled by Default?
  - Can I Fully Disable Script Creation and Update Features in Nexus Repository 3.21.1 and Older?
  - What Can I Use Instead of Scripts?
  - What is the Script REST API Experience When Scripting is Disabled?
  - What is the Tasks UI Experience When Scripting is Disabled?
Feature Summary
Nexus Repository 3 provides a feature where scripts written in a supported JVM language (typically Groovy) can be executed inside the Java virtual machine of its application container.
Script code has access to public and internal Java APIs, which makes scripts useful for implementing custom provisioning, reporting and workflows, and for filling gaps that are not otherwise available as core features.
There are two supported ways to add scripts:
- Admin - Execute script scheduled tasks (formerly Execute script)
- Scripts added via the Script REST API
Default Script Settings Nexus Repository 3.21.2 and Newer
After Upgrade From Nexus Repository 3.21.1 and Older
DISABLED by default:
- Updating an existing script source or the Source of an Admin - Execute script task
- Creating a new script or Admin - Execute script task
ALLOWED by default for users with privilege:
- Updating an Admin - Execute script task setting other than the Source
- Running or deleting an Admin - Execute script task
- Script REST API operations that delete, list, run, or read scripts
While disabling the script feature is our recommended best practice, upgrading to a version where scripting is disabled will not prevent existing scripts or tasks from running.
New Installs Without Upgrade
DISABLED by default:
- Creating a new script or Admin - Execute script task
No scripts are pre-configured, which effectively means that no script feature can be used by default.
Default Script Settings Nexus Repository 3.21.1 and Older
All scripting features are ENABLED by default.
Creating, updating or manually running an Admin - Execute script task is available to a user with the appropriate nx-tasks privilege. Scheduled tasks will run according to their schedule.
Script REST API resource operations are available to a user with the appropriate nx-script privilege.
FAQ
How do I Enable All Script Features in Nexus Repository 3.21.2 and Newer?
- Edit $data-dir/etc/nexus.properties. Add the following on a new line, making sure the file is saved with a trailing newline and with the original file permissions:
nexus.scripts.allowCreation=true
- Restart Nexus Repository to pick up the property change.
How do I Temporarily Allow Adding/Editing a Script Source?
Basic steps:
- Add the property that allows script creation/editing.
- Restart Nexus Repository.
- As a user with appropriate privilege, add/edit a script or task. Optionally test the script.
- Remove or comment out (add a leading # character) the property which allowed script editing.
- Restart Nexus Repository.
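The property edit from the two procedures above, as an added shell example (not Sonatype's code). The function names are hypothetical, and the example assumes nexus.properties holds plain key=value lines where the last uncommented assignment of a key takes effect.

```shell
#!/bin/sh
# Added example, not Sonatype code. Function names are hypothetical.
# Assumes nexus.properties holds plain key=value lines and that the last
# uncommented assignment of a key is the one that takes effect.
PROP='nexus.scripts.allowCreation'
PROP_RE='nexus\.scripts\.allowCreation'

# Print "enabled" if the effective value of the property is true, else "disabled".
script_creation_state() {
    val=$(sed -n "s/^[[:space:]]*${PROP_RE}[[:space:]]*=[[:space:]]*//p" "$1" |
          tail -n 1 | tr -d '[:space:]')
    if [ "$val" = "true" ]; then echo enabled; else echo disabled; fi
}

# set_script_creation FILE on|off
# on:  leave exactly one active "nexus.scripts.allowCreation=true" line
# off: remove the property (active or commented) so the default applies again
set_script_creation() {
    file=$1
    mode=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    case $mode in on|off) ;; *) echo "mode must be on or off" >&2; return 2 ;; esac
    tmp=$(mktemp) || return 1
    # Drop every existing assignment of the property, commented out or not.
    grep -v "^[[:space:]]*#*[[:space:]]*${PROP_RE}[[:space:]]*=" "$file" > "$tmp" || true
    # Make sure the last kept line is newline-terminated before appending.
    if [ -n "$(tail -c 1 "$tmp")" ]; then echo >> "$tmp"; fi
    if [ "$mode" = on ]; then printf '%s=true\n' "$PROP" >> "$tmp"; fi
    # Write through the existing file so its owner and permissions are kept.
    cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "Restart Nexus Repository to apply: script creation $(script_creation_state "$file")" >&2
}
```

Run set_script_creation against the nexus.properties file with on before adding or editing a script and with off afterwards, restarting Nexus Repository after each change. script_creation_state can be run on its own to audit whether an instance has been left with script editing enabled.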
Why is Scripting Disabled by Default?
Scripting is a powerful feature that carries an elevated risk of being used as a vector for an exploit attempt by a malicious user.
Sonatype is continually reviewing security best practices. It was determined the safest default setting is to disable scripting on new installs and prevent script source changes to existing scripts on upgrade unless explicitly enabled. This change is analogous to improvements we have made such as not including a default admin user password.
Can I Fully Disable Script Creation and Update Features in Version 3.21.1 and Older?
No. Upgrade to Nexus Repository 3.21.2 or newer to access that default behavior.
Older Nexus Repository versions protect script execution only using privileges.
What Can I Use Instead of Scripts?
Nexus Repository has extensive REST APIs that accomplish many of the same objectives available by using custom scripts. We suggest browsing the in-product REST API documentation under Administration -> System -> API for the complete list of supported endpoints.
Operations such as cleaning up repository storage are core features and should be done using Repository Cleanup Policies.
If you think you have a scripting use case that others might benefit from, please check our documentation for a similar feature. An improvement request may already exist for a matching feature - vote for it and comment to express your interest. If you can't find an existing improvement request, file one of your own for us to consider.
What is the Script REST API Experience When Scripting is Disabled?
When scripting is disabled the following resources are affected:
- Add a new script: POST /service/rest/v1/script
- Update an existing script: PUT /service/rest/v1/script
Affected resources will respond with HTTP status line 410 Gone and the body of the response will contain the message "Creating and updating scripts is disabled."
Script resources that perform read-only and run operations are not affected when scripting is disabled.
What is the Tasks UI Experience When Scripting is Disabled?
Creating a new Admin - Execute script task is not available. The screen where a new task type is selected will show a message stating "Admin - Execute script task creation is disabled."
Existing Admin - Execute script tasks will be editable except for the Source field.