Author Archives: Brian Fox

About Brian Fox

Vice President of Engineering, Sonatype Inc.

Integrating with SonarQube


August 27, 2014 By Brian Fox

Customers using CLM want to surface known security vulnerabilities and license risk in the same place developers or executives already go to assess the overall quality of their application. To support this growing interest from our customers, we are introducing our next important milestone: Sonatype CLM’s integration with SonarQube.

SSL Connectivity for all Central Repository users Underway


July 30, 2014 By Brian Fox

We’ve had quite a bit of public scrutiny recently over how we’ve chosen to provide SSL access to Central for the last two years. At Sonatype, we have a history of investments in the Maven Central community, all of which are focused on improving the quality of the contents, increasing reliability and performance of delivery, and yes, even strengthening security, which is often not popular (how many gripes can you find about why we require PGP signatures on artifacts?).

Two AppSec Questions Always Asked


July 24, 2014 By Brian Fox

While Repository Health Checks are valuable, we just released something even better: the CLM 1.11 Dashboard. First of all, it helps you answer the first two critical open source vulnerability questions: did we ever use that and where is it? And, you can find out the answers to those questions in about three seconds.

4 Open Source Components You Need to Update Right Now


May 7, 2014 By Brian Fox

Heartbleed has put the security community on notice: it is time to take a harder look at the security status of open source components and frameworks. After doing a little industry research on downloads from the (Maven) Central Repository, I’m sitting here with my jaw hanging open. Over 46 million Java-based open source components containing known vulnerabilities were downloaded from the Central Repository in 2013*.

Sonatype Nexus Security Advisory


January 16, 2014 By Brian Fox

Sonatype Nexus Security Advisory

Date: January 14, 2014
Affected Versions: Nexus OSS/Pro versions prior to and including 2.7.0-06
Summary: A critical security vulnerability has been discovered by Sonatype in Nexus requiring immediate action. The vulnerability makes use of an execution path in an open source library that we have now (with the available patch) added […]

Now Available: SSL Connectivity to Central


October 25, 2012 By Brian Fox

UPDATE: Free SSL Connectivity to Central for All — Sonatype’s project to make SSL the default connectivity option for all Central users is underway and will be complete by August 12th, 2014 (if not sooner). For details, please visit: http://www.sonatype.com/clm/secure-access-to-central. We know how components from the Central Repository have become critical to your development efforts. […]
