Category Archives: Insight

Nexus Bolsters Component Management Capabilities


November 15, 2012 By Manfred Moser

When Maven Repository Managers (MRMs) first appeared on developers’ radar, everyone using them immediately saw the benefits. Right off the bat, MRMs replaced cobbled-together solutions like shared drives or local Maven repositories copied and exposed via HTTP.

Since its release four years ago, Sonatype Nexus has grown to support many repository formats, and most users of other build tools, including Gradle, Leiningen, SBT and Ant/Ivy, have come to realize the numerous benefits of using a repository manager.

Using an MRM has become accepted best practice for Maven users.
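The practical step behind that best practice is pointing every build at the repository manager instead of at upstream servers. The following settings.xml is an added example, not configuration from the original post; the host name nexus.example.com and the Nexus 2 group path /content/groups/public are assumptions. The mirrorOf="*" rule is what matters: it rewrites central and any repository a POM declares, so the repository manager is the single egress point for dependencies and plugins alike, and its access controls and HTTPS apply uniformly.

```xml
<!-- ~/.m2/settings.xml: route every dependency and plugin request through the
     repository manager. Added example; the host name is an assumption, not a
     value taken from the original post. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <mirrors>
    <!-- mirrorOf="*" catches central and any <repository> declared in a POM,
         so no build reaches an upstream server directly. -->
    <mirror>
      <id>nexus</id>
      <mirrorOf>*</mirrorOf>
      <url>https://nexus.example.com/content/groups/public</url>
    </mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>nexus</id>
      <!-- Declare central as both a repository and a pluginRepository with
           snapshots enabled; the URL is a placeholder because the mirror above
           rewrites it, but the entries make Maven ask for snapshots and plugins
           through the manager as well. -->
      <repositories>
        <repository>
          <id>central</id>
          <url>http://central</url>
          <releases><enabled>true</enabled></releases>
          <snapshots><enabled>true</enabled></snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>http://central</url>
          <releases><enabled>true</enabled></releases>
          <snapshots><enabled>true</enabled></snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>nexus</activeProfile>
  </activeProfiles>
</settings>
```

Check it took effect by running a build with `mvn -X` and confirming that every download URL in the debug output starts with the repository manager's host; any direct hit on repo.maven.apache.org or a project-specific server means a repository is escaping the mirror.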


Improving Software Quality Using Component Lifecycle Management with Jenkins


October 24, 2012 By Emily Blades

A few weeks ago, a few of us joined the Jenkins community at the Jenkins User Conference 2012 in San Francisco. Our presentation “Improving Software Quality Using Component Lifecycle Management with Jenkins” given by Manfred Moser, was very well attended and there seemed to be a lot of interest. A video of our presentation has now been posted here and you can download the slides as well.

Have Jenkins (or Hudson) up and running and want to give the Insight for CI plugin a try? The plugin is available in the plugin center and is easy to install and configure: add a post-build step and configure it to scan your build output (e.g. your WAR file). Get the plugin.

The summary and component results are completely free and give a good indication of the security and license issues in your software (or, better, their absence). For manual scans, try Insight App Health Check.

Use Maven to Find Security Vulnerabilities and Viral Licenses in Applications


October 10, 2012 By Bentmann Benjamin

A few months ago, we launched Insight Application Health Check. Today, I’d like to announce another way to get started tracking licensing and security issues. In this post, I’m going to show you how to scan an existing project with nothing more than Maven. You can get started with Insight without downloading a client or server; all you need to do is run a plugin from the command line.

To enable users to scan their applications, we provide an executable JAR with a graphical user interface; with it, users are a few clicks away from results. Even so, some users want to run Insight’s Application Health Check from the command line, because sometimes clicking isn’t the most effective way to get something done. If you build your application with Apache Maven, you probably already have a terminal window open to invoke its build phases. So, while you are in there adding or updating dependencies in your POM and repackaging your application, why not check whether that dependency update introduced a security vulnerability or license issue, especially when it is as easy as adding another goal to your command line? Meet the Application Health Check Maven Plugin:

mvn package com.sonatype.insight:ahc:run -Dahc.email=my.name@mycompany.com


Insight For CI at the Jenkins User Conference


October 9, 2012 By Manfred Moser

Before JavaOne 2012 a few of us joined the Jenkins community at the Jenkins User Conference 2012 in San Francisco as Gold Sponsors. We had a great time talking to KK, Andrew and others as well as showcasing Insight For CI for Jenkins at the booth. The presentation about “Improving Software Quality Using Component Lifecycle Management with Jenkins” was very well attended and there seemed to be a lot of interest. In case you missed it you are however in luck …


That’s Billion with a B: Is Java Having an “Outlook” Moment?


September 26, 2012 By Tim O'Brien

I’m a broken record, I know, but every month that goes by we get more and more news that suggests that Java developers (and the companies that support Java) are slow to wake up to these threats.

You remember Outlook; maybe some of you are unlucky enough to still use Outlook, but for Microsoft, Outlook was a multi-year security embarrassment. From 1999 to around 2005 it felt like Outlook was having a security vulnerability every other minute. Back then there were so many that, in technical circles, Outlook became something of a joke to anyone who valued security. In fact, you could make a compelling argument that Outlook’s multi-year security challenges were the weak point in the armor that provided an opening to Google’s Gmail (and once you’ve decoupled from Outlook, why not try that MacBook Pro you’ve been eyeing).

If this trend in Java doesn’t stop, if we don’t stop experiencing billion-user, CVSS 10.0 security exploits every other week in Java, all the inertia in the world won’t stop a shift to another language or another platform. Check out this news that just crossed the wire yesterday from Softpedia:
