
Sonatype Blog


Brian Fox

Recent Posts by Brian Fox:

Vor Security brings OSS Index to Sonatype

Our data research team is always on the lookout for ways to expand Nexus Lifecycle’s coverage with new sources and feeds of data. A little under a year ago, we stumbled across OSS Index.net.

Struts2 Exploited Again. Did Anyone Bother to Tell You?

This week we saw the announcement of yet another Struts 2 Remote Code Execution (RCE) vulnerability. What's notable about this instance is that proof-of-concept (POC) code seems to have been released into the wild either just before or immediately after the disclosure. As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.

Whenever critical vulnerabilities emerge, attackers have the first-mover advantage. Therefore, the only thing that matters is speed.

  • How long before you even become aware?
  • How long does it take you to assess your exposure?
  • How quickly can you remediate the vulnerability?

In today's world, different companies use different tools and processes to manage open source governance and security risk within the software development lifecycle. Forward-leaning organizations empowered with DevOps-native intelligence will respond in hours or days. Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.

It's now been 3 days since the Struts2 fix and disclosure. Here's the official description available from the MITRE database as of Friday, March 10th:

Did you wake up to an alert about the Java Deserialization vulnerability?

This week I woke up to find several emails from Nexus Lifecycle indicating that the products in my portfolio were potentially vulnerable due to their inclusion of Apache commons-collections. If you have no idea what I’m talking about, stop now and go read this factual and un-sensationalized account of the situation. I’ll wait.

Rubyists Rejoice - Nexus Supports RubyGem Repositories

We have done it again! Our Nexus development team has been busy this fall. With Nexus 2.9 in September, we introduced NuGet support for Nexus Open Source. In October Nexus 2.10 introduced npm support for all Nexus editions. And now with Nexus 2.11, we are adding Ruby Gem Repository support!

We are happy to announce that Nexus 2.11 adds full support for Ruby Gem repositories to all Nexus editions including Nexus Open Source, Nexus Professional, and Nexus Professional CLM Edition.

Christian Meier, active JRuby committer and creator of the JRuby Maven plugin, has maintained an open source project to support Gem repositories for Nexus with us for quite a while. However, this integration was not part of a default Nexus install, and users had to build and install the plugins themselves. To improve the experience for everyone, we have worked together to bring this capability into the main Nexus Open Source project and therefore into the default install of any Nexus edition. Along the way, the Nexus development team and Christian improved the codebase and solidified the features. Christian’s deep experience with Ruby and gems helped ensure that we created the features needed to make Gem repository support in Nexus viable for real-world production use.

The new Gem repository support brings the tried and tested concepts used for Maven, NuGet and NPM repositories: combining proxy and hosted repositories in a group and exposing that group to the Ruby client tools, gem and Bundler.

Proxy

First, create a proxy repository of the main RubyGems repository. This allows you to take advantage of the proxy features of Nexus. Any gem downloaded by any user is cached in Nexus, and subsequent requests no longer have to reach out to rubygems.org. This reduces your bandwidth needs and makes any gem install on subsequent systems more reliable and much faster, since the gem is already local on your network. You also have access to all the gems available at RubyGems.org, and potentially any other gem repository you want to access, without relying on the performance of that upstream repository for each request.

Host

Then, create a hosted repository for your own gems that you wish to distribute within your organization. This allows you to push a gem to Nexus so that all other users can simply install the gem on their systems without any need for further custom tooling. A simple ‘gem install GEMNAME’ will do.

Optionally you can also create another hosted repository to host other gems, maybe from a proprietary vendor or partner organization, that doesn’t use Nexus yet.

Group

Finally, to make it super simple for your users, create a Gem repository group. It merges the proxy and hosted repositories and exposes all their contents via one simple URL. This URL stays the same even if more gems are added to the repositories or if more proxy repositories are added to the group. It's truly a fire-and-forget configuration that just works.

And Enjoy!

Your users now only have to configure gem on their machines to use Nexus as a source. And if they want to push to Nexus, they can use the nexus gem we provide.

All you have to do is get the new Nexus 2.11, Open Source or Professional, install it and get it configured, and you are up and running. It will be quick and easy with the documentation, and the benefits will be immediate. If you are a Ruby developer, give it a try and let us know how you like it.

Nexus 3.0 Technology Preview (Milestone 1 Release)

The Nexus development team at Sonatype is pleased to announce the release of the first milestone build (M1) of Nexus 3. This release is a technology preview covering the open source version, Nexus OSS, focused specifically on the new user interface. Nexus Pro will be covered in the upcoming M2 release.

Integrating with SonarQube

Many development organizations we work with have turned to SonarQube as a dashboard to visualize and measure their code quality.

HTTPS Support Launching Now!

It is live! Within an extremely short turnaround time, the Sonatype Operations team has coordinated certificates and other setup with our excellent CDN provider, Fastly, and you can now all enjoy the content of the Central Repository via HTTPS/SSL.