Announcing Nexus Professional 2.0


February 15, 2012 By Brian Fox

Sonatype is pleased to announce Nexus 2.0, a major update for Nexus including several major features and features that add a new layer of intelligence about the artifacts stored in your repositories.

Today is a big day in the history of Nexus. It has been six years since Nexus was created and the product hasn’t only come along way since then, it has set the standard for repository management. When we started, few people were thinking about running a local repository manager. These days, you’d have to work to find a serious development effort that doesn’t use one. Repository managers are essential.

Today Sonatype is redefining repository management, taking the core ideas of remote proxies and hosted repositories and adding a layer of intelligence. Everyone consumes open source. You couldn’t code anything worth coding without using something like Guice, Spring, or a hundred other essential libraries. Even though OSS is everywhere, very few organizations are paying attention to license and security information about those artifacts. We’re changing that today by making Insight integration a part of Nexus.



Repository Health Awareness

In Nexus 2.0 you have the ability to request a repository health check from the Sonatype Insight service. Our Insight service maintains a database of security vulnerabilities and open source licenses. We scan source distributions to identify inconsistencies between declared licenses and effective licenses, and our security database is constantly scanning for the latest vulnerabilities.

When you submit a repository for a Repository Health Check, the process is non-invasive and non-disruptive. Nexus sends non-identifiable hash codes for artifacts to the Insight service which then returns actionable quality, security, and licensing information about the open source components in your repositories. From the Insight summary report you can see your exposure to both security vulnerabilities and various open sources licenses.

Repositories are scanned for artifacts with known security issues producing summary reports showing how many Critical, Servere, and Moderate vulnerabilities are present in a given repository. Licensing reports generate a overall summary of your exposure to copyleft licenses like GPL, and liberal licenses such as the Apache license. Nexus Professional customers can drill down into a detailed reports identifying specific components with unacceptable licenses or security vulnerabilities.

These reports can be used to implement policies managing your exposure to security risks and tracking the array of open source licensed used by your development teams.

Availability Architecture – Smart Proxy

If you require more than one instance of Nexus, Nexus Professional 2.0 has an entirely new availability architecture making it easier to support distributed teams. If you run several instances, the smart proxy capability new in Nexus 2.0 connects two or more instances of Nexus in real-time. This adds an intelligent, distributed mechanism to keep repositories in sync. One instance of Nexus subscribes to messages from another receiving repository change events notifying it of newly published artifacts.

Before Nexus 2.0, distributed architectures had to resort to a workaround that affected performance, not found caches for snapshot repositories had to be set very low and reduced the benefit of having local caches. After Nexus 2.0, distributed teams can collaborate closely knowing that a Nexus smart proxy is keeping repositories in sync without sacrificing performance. When two Nexus instances and two repositories are related using Smart Proxy, one repository subscribes to events published by the other. This means that changes are communicated immediately.

Smart proxy makes Nexus aware of distributed deployment architectures. This makes Nexus 2.0 ready for the the largest, most mission critical Nexus installations.

.NET Package Repository

If you develop .NET applications, Nexus Professional 2.0 adds support for NuGet. NuGet is a Visual Studio extension that makes it easy to install and update open source libraries and tools. NuGet Gallery is the equivalent of the Central repository for .NET developers and with Nexus 2.0 you can proxy and cache artifacts from NuGet Gallery on your local Nexus instance.

In addition to proxying NuGet repositories in Nexus you can also publish your own .NET packages to hosted repositories. This new ability to use Nexus as a publishing end point for internal .NET applications means that your development teams can start to share libraries using a corporate NuGet repository.

Nexus adds full support for .NET, in addition to proxying and hosting repositories, Nexus 2.0’s .NET support enables you to group NuGet repositories. You can also create virtual NuGet repositories that scan other repositories for NuGet packages and expose them to the NuGet feed.

Nexus 2.0 provides first-class support for .NET artifacts, with this release you get a common place to manage artifacts for both .NET and Java development efforts.

Conclusion

There are other features in the 2.0 release that we’ll be talking about in the coming weeks, but these three major features: Repository Health Check, Smart Proxy, and NuGet support are important upgrades to the Nexus project. To find out more about how you can start your evaluation of Nexus Professional, go to http://sonatype.com/nexus.