Heartbleed has put the security community on notice: it is time to take a harder look at the security status of open source components and frameworks. After doing a little industry research on downloads from the (Maven) Central Repository, I’m sitting here with my jaw hanging open. Over 46 million Java-based open source components containing known vulnerabilities were downloaded from the Central Repository in 2013*.
Code snippet scanning is a common question we get from prospects. We typically try to dig into why the prospect actually thinks they need snippet matching. We think this demand comes from misinformation. To open the conversation on this topic, I’ve shared my perspective so you have a complete picture of the risk and cost of code snippet scanning.
Sonatype Nexus Security Advisory
Date: January 14, 2014
Affected Versions: Nexus OSS/Pro versions prior to and including 2.7.0-06
Summary: A critical security vulnerability has been discovered by Sonatype in Nexus requiring immediate action. The vulnerability makes use of an execution path in an open source library that we have now (with the available patch) added […]
We know how components from the Central Repository have become critical to your development efforts. We also know that you need to trust those components. Part of that trust is knowing that hackers don’t have visibility into the components you download, and that they can’t compromise components using a man-in-the-middle or Cross Build Injection (XBI) […]
Central is a critical resource for developers. If you develop Java applications and use Maven, Gradle, or Ivy, Central is what has made it easy for you to consume libraries using dependency declarations in your builds. For more than a decade, Central has been a solid, reliable presence supporting the community and making it easier […]
Surely, you didn’t just read a blog title that mentions beer on the Sonatype site? Oh Yes. Yes you did. In honor of St. Patrick’s Day, we’ve decided to give you some tips on how to make sure your organization is compliant with an important (and entirely real) OSS license – “Beerware”. Beerware is the […]
Here’s a license for a library you probably use right now. Notice the clause I circled in an alarmist shade of red: if you saw this license flagged in a Nexus RHC report, it might make you stop and chuckle a bit. “Right, the ‘don’t be Evil’ clause. Ok, whatever.” But, remember, you are a developer, not […]
Sonatype is pleased to announce Nexus 2.0, a major update for Nexus that includes several major features, among them ones that add a new layer of intelligence about the artifacts stored in your repositories. Today is a big day in the history of Nexus. It has been six years since Nexus was created, and the product hasn’t […]
Sonatype makes it easy to add your projects to the Central Repository with a free, public hosting service called OSSRH. We first blogged about this back in 2009, but given the growth in the community, we thought some of you may not have seen that post, so we decided to update it.
We’ve made several improvements to the Central Repository (Maven Central) to support the incredible growth in both the number of components and the number of developers using it. If you use specific IPs to allow access to Central, you’ll need to update your firewall as described below. Since 2007, Central has been hosted at Contegix […]