Announcing Sonatype CLM (Component Lifecycle Management)

April 30, 2013 By Derek Weeks


We're pleased to announce Sonatype CLM (Component Lifecycle Management). Although this is the official release date, we've been building on a number of mature technologies, and we already have customers running CLM in production.

The CLM is a culmination of several factors:

  • The Nexus community has been an invaluable source of feedback. Although the repository manager is critical, we learned that managing components requires a complete lifecycle approach.
  • Sponsoring Sonatype Central allows us to expand the value that we provide to our customers. Security, licensing and quality intelligence is key to assessing risk and fixing flaws.
  • The explosive growth of component-based development using agile methodologies requires a different approach, a flexible approach that drives collaboration between development, security and compliance professionals.

You'll notice how we use the phrase "Go Fast. Be Secure" to describe the CLM. This is a key Sonatype theme and illustrates our focus on helping development deliver applications fast while supporting the security goals of the CISO, the licensing goals of compliance, and the quality goals of the enterprise architects. We truly believe that it doesn't have to be speed OR security; with the CLM, you can have both.

Other key design tenets that drove the CLM include:

  • CLM supports the entire development lifecycle by integrating intelligence in the tools that developers use today (Repository Manager, IDE, Build/CI tools).
  • While understanding your component inventory and identifying risk is important, ultimately it's about eliminating exposure. This requires the ability to remediate or fix flaws quickly and early in the development process, before a vulnerable component reaches production.
  • Managing the development lifecycle ensures delivery of trusted apps, but extending trust into your production environment is also important. Sonatype provides continuous monitoring and alerts for newly discovered vulnerabilities that impact your production apps.
  • Sonatype CLM is designed to be an Open Platform for integration of all metadata related to Open Source Software components and their use throughout the Software Lifecycle. With that in mind, Sonatype is developing a plugin for Sonar, enabling Sonar dashboard users to see valuable project information from CLM within the Sonar environment. This enhancement to the Sonatype CLM solution is expected in August.

There is a wealth of information available on our Website that introduces the CLM, including the CLM product tour, but here is a quick intro of the key CLM functional areas:

  • CLM Server: Provides a central facility for active risk assessment and management across development environments, applications and teams.
  • CLM for Development: Informs and governs the software supply chain by validating, authenticating, securely delivering, and monitoring component security, popularity and licensing information throughout the development lifecycle. It offers developer-friendly policy enforcement and early flaw detection and prevention.
  • CLM for Continuous Monitoring: Ensures the security and integrity of the components that make up critical applications by providing a complete component and application bill-of-materials inventory and a fast-path to discovering and fixing at-risk applications.

For more information, check out the press release or view the CLM product tour.

You can also see what our early customers have to say about the CLM.

Tags: Sonatype Says, open source management, AppSec Spotlight

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.