Selecting OSS Components: Three Questions Answered by Nexus Pro


May 7, 2012 By Tim O'Brien

There are over 400,000 components in the Central repository, including everything from servlet containers like Apache Tomcat to critical application infrastructure like Spring and Hibernate. When you are designing an application or updating an application's dependencies, how do you choose which component, and which version of it, to use?

Here's an example of a decision you may have to make in the next few months. Assume you have the chance to use a newer version of Spring, evaluate Hibernate vs. iBatis, and adopt a new REST-friendly web framework. For each of these new and updated components you are going to have to ask yourself three questions:

  • Which version of the library has the largest "install base"? It often doesn't make sense to use the latest version of a component, especially if it is a major release: the version most people already run is the one whose defects are most likely to have been found and reported. If you are looking to reduce risk, don't code on the "bleeding edge" of technology. Use the most popular version of a component.
  • Which version of the library is free of known security vulnerabilities? The only thing worse than getting hacked is realizing that you got hacked because you weren't paying attention to known vulnerabilities. If you are upgrading to a new version of a library, make sure it has no published vulnerabilities before you adopt it.
  • Which version of the library carries a license that is compatible with your OSS license policy? A license can change between releases, so this is a per-version question, not a per-project one.

Nexus Professional 2.0.4 brings the answers to all three of these questions into the search results. Here are the search results for tomcat-catalina, which combine popularity data from Central with security and licensing information.

Without the popularity data you might simply have selected the latest version of the library, 7.0.27, which had been available for only 37 days. If I were selecting components for an application, I would stick with Tomcat 7.0.25 on the strength of the relative popularity of the artifact alone: 7.0.25 is, far and away, the most popular artifact of this group.
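The selection rule those three questions describe, applied to the tomcat-catalina case above, as an added example in Python. This is not Nexus code and not from the original post. Only two facts come from the post (7.0.25 has by far the largest install base; 7.0.27 was 37 days old); the download counts, the license identifiers, the `Candidate` type and the `select` and `tomcat_demo` helpers are all constructed for illustration and make no claim about the real Tomcat releases.

```python
"""Pick a component version by the three questions in the post:
install base, known vulnerabilities, licence policy.

Added example; all figures below are constructed and are not real
Central statistics or real advisories."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass
class Candidate:
    version: str
    downloads: int                 # relative install base (constructed figure)
    age_days: int                  # days since the release reached Central
    licenses: Set[str]             # licence identifiers declared for the release
    known_vulns: List[str] = field(default_factory=list)  # advisory ids; empty = none known


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.0.27' into (7, 0, 27) for numeric comparison.
    A trailing qualifier such as '-beta' is dropped; this is a simplification
    of Maven's ordering that is enough for plain x.y.z releases."""
    nums = []
    for part in v.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    return tuple(nums)


def select(candidates: Sequence[Candidate], *, allowed_licenses: Set[str],
           current_version: Optional[str] = None
           ) -> Tuple[Optional[Candidate], Dict[str, str]]:
    """Apply the three questions. Security and licence policy are hard
    filters; popularity then decides among what is left. If current_version
    is given, a major-version jump is also rejected (the post's 'bleeding
    edge' caveat). Returns (chosen or None, rejected version -> reason)."""
    rejected: Dict[str, str] = {}
    eligible: List[Candidate] = []
    for c in candidates:
        if c.known_vulns:
            rejected[c.version] = "known vulnerabilities: " + ", ".join(c.known_vulns)
        elif not c.licenses:
            # An undeclared licence is a policy failure, not a pass.
            rejected[c.version] = "no licence declared"
        elif not c.licenses <= allowed_licenses:
            bad = ", ".join(sorted(c.licenses - allowed_licenses))
            rejected[c.version] = "licence outside policy: " + bad
        elif current_version and parse_version(c.version)[0] > parse_version(current_version)[0]:
            rejected[c.version] = "major version jump from " + current_version
        else:
            eligible.append(c)
    if not eligible:
        return None, rejected
    # Largest install base wins; on a tie prefer the newer release.
    chosen = max(eligible, key=lambda c: (c.downloads, parse_version(c.version)))
    return chosen, rejected


def tomcat_demo() -> Tuple[Optional[Candidate], Dict[str, str]]:
    """The post's tomcat-catalina case. Download counts are constructed so
    that 7.0.25 leads by a wide margin as the post states; no vulnerability
    or licence claim is made about any of these releases."""
    candidates = [
        Candidate("7.0.25", downloads=12_000, age_days=120, licenses={"Apache-2.0"}),
        Candidate("7.0.26", downloads=3_100, age_days=75, licenses={"Apache-2.0"}),
        Candidate("7.0.27", downloads=600, age_days=37, licenses={"Apache-2.0"}),
    ]
    return select(candidates, allowed_licenses={"Apache-2.0"})


if __name__ == "__main__":
    chosen, rejected = tomcat_demo()
    print("chosen:", chosen.version if chosen else None)
    for version, reason in rejected.items():
        print("rejected", version, "because", reason)
```

The order of the filters matters: a version with a known vulnerability is rejected before its popularity is ever looked at, so a very popular but vulnerable release cannot win on install base. The `rejected` map is kept so the reason for every exclusion can go into a review record rather than being lost in a boolean.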

Sonatype’s Nexus Professional is the only product that incorporates popularity data directly from Central.   If you are interested in using Nexus Professional to evaluate your dependencies, download a copy and start your trial today.

  • Stephen

    Since the license issue was mentioned as one of the three questions addressed, can you please clarify why version 7.0.26 and 7.0.27 are shown as having a different level of “License Threat” than earlier versions?