Selecting OSS Components: Three Questions Answered by Nexus Pro

May 07, 2012 By Tim OBrien

2 minute read time

There are over 400,000 components in the Central repository including everything from servlet containers like Apache Tomcat to critical application infrastructure like Spring and Hibernate. When you are designing an application or trying to update an application's dependencies, how do you choose which component to use?

Here's an example of a decision you may have to make in the next few months. Assume you have the chance to use a newer version of Spring, evaluate Hibernate vs. iBatis, and adopt a new REST-friendly web framework. For each of these new and updated components you are going to have to ask yourself three questions:

  • Which version of the library has the largest "install base"? It often doesn't make sense to use the latest version of a component, especially if it is a major release. If you are looking to reduce risk, don't code on the "bleeding edge" of technology; use the most popular version of a component.
  • Which version of the library is free of known security vulnerabilities? The only thing worse than getting hacked is realizing that you got hacked because you weren't paying attention to known vulnerabilities. If you are upgrading to a new version of a library, make sure it is secure.
  • Which version of the library is compatible with your OSS license policy?
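The three questions above amount to a filter-then-rank policy: drop any version whose license violates policy, drop any version with a known vulnerability, then pick the most popular of what remains. As an added illustration (not code from the post or from Nexus Professional), here is that policy written out in Python over a constructed candidate list. The download counts, the vulnerability identifiers (labelled placeholders, not real advisories) and the allowed-license set are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ComponentVersion:
    group: str
    artifact: str
    version: str
    downloads: int                 # popularity proxy (install base), constructed
    known_vulns: Tuple[str, ...]   # known-vulnerability ids, placeholders here
    license: str                   # SPDX-style license identifier


# Example license policy (assumption for this example): permissive licenses only.
ALLOWED_LICENSES: Set[str] = {"Apache-2.0", "MIT", "BSD-3-Clause", "EPL-1.0"}


def version_key(version: str) -> Tuple:
    """Sort key so that 7.0.25 < 7.0.27 numerically, not lexically."""
    parts = []
    for p in version.split("."):
        parts.append((0, int(p)) if p.isdigit() else (1, p))
    return tuple(parts)


def select_version(
    candidates: List[ComponentVersion],
    allowed_licenses: Set[str] = ALLOWED_LICENSES,
) -> Tuple[Optional[ComponentVersion], Dict[str, str]]:
    """Apply the three questions in order: license policy, security, then popularity.

    Returns the chosen version (or None if nothing passes) and a map of
    rejected version -> reason, so the decision is auditable.
    """
    rejected: Dict[str, str] = {}
    eligible: List[ComponentVersion] = []
    for c in candidates:
        if c.license not in allowed_licenses:
            rejected[c.version] = f"license {c.license} not permitted by policy"
        elif c.known_vulns:
            rejected[c.version] = "known vulnerabilities: " + ", ".join(c.known_vulns)
        else:
            eligible.append(c)
    if not eligible:
        return None, rejected
    # Most popular wins; on a tie, prefer the newer version.
    best = max(eligible, key=lambda c: (c.downloads, version_key(c.version)))
    return best, rejected


# Constructed sample data: counts and vulnerability ids are invented for the example.
SAMPLE_CANDIDATES = [
    ComponentVersion("org.apache.tomcat", "tomcat-catalina", "7.0.22", 120_000,
                     ("VULN-PLACEHOLDER-1",), "Apache-2.0"),
    ComponentVersion("org.apache.tomcat", "tomcat-catalina", "7.0.25", 310_000,
                     (), "Apache-2.0"),
    ComponentVersion("org.apache.tomcat", "tomcat-catalina", "7.0.26", 140_000,
                     (), "Apache-2.0"),
    ComponentVersion("org.apache.tomcat", "tomcat-catalina", "7.0.27", 35_000,
                     (), "Apache-2.0"),
    # A hypothetical fork under a copyleft license, to exercise the license filter.
    ComponentVersion("org.example", "tomcat-catalina-fork", "7.0.25", 900_000,
                     (), "GPL-3.0-only"),
]


def demo() -> Optional[str]:
    """Run the policy over the sample data and report the choice and rejections."""
    best, rejected = select_version(SAMPLE_CANDIDATES)
    for version, reason in rejected.items():
        print(f"rejected {version}: {reason}")
    if best is None:
        print("no eligible version")
        return None
    print(f"selected {best.artifact} {best.version} ({best.downloads} downloads)")
    return best.version


if __name__ == "__main__":
    demo()
```

The order of the filters is deliberate: licensing and security are hard constraints, so they are applied before popularity is even consulted, and every rejection carries a reason so the choice can be reviewed later. With the constructed data the newest release (7.0.27) loses to 7.0.25 purely on install base, which is the outcome the post describes.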

Nexus Professional 2.0.4 brings the answers to all three of these questions into the search results. Here are the search results for tomcat-catalina, combining popularity data from Central with security and licensing information.

Without the popularity data you might have simply selected the latest version of the library, 7.0.27, which had been available for 37 days. If I were selecting components for an application, I would likely stick with Tomcat 7.0.25 based on the relative popularity of the artifact alone: 7.0.25 is, far and away, the most popular artifact of this group.

Sonatype's Nexus Professional is the only product that incorporates popularity data directly from Central. If you are interested in using Nexus Professional to evaluate your dependencies, download a copy and start your trial today.

Tags: Nexus Repo Reel, Sonatype Says

Written by Tim OBrien

Tim is a Software Architect with experience in all aspects of software development, from project inception to developing scalable production architectures for large-scale systems during critical, high-risk events such as Black Friday. He has helped many organizations, ranging from small startups to Fortune 100 companies, take a more strategic approach to adopting and evaluating technology and managing the risks associated with change.