Category Archives: Insight

Insight Application Health Check: Scan Your Application for Security and Licensing Issues in Minutes


July 25, 2012 By Sonatype

Insight Application Health Check: Know What's In Your App

We’re releasing a product today that is something of a break from our other products, Nexus Professional and Insight for CI. First, it’s a service anyone can use: it isn’t aimed at developers who use Maven, Nexus, or any particular build tool. Second, there’s no lengthy download or setup; getting started takes less than 60 seconds. Anyone with an email address, a Java runtime, and access to an application’s binaries can run an Insight scan in minutes, and we’ll send you a free summary report covering the licensing and security issues that may be present in your application.

Why would you do this? Simple: it’s the difference between knowing about potential license conflicts and security issues and not knowing. Today’s applications are seldom developed from scratch; instead they are assembled from a collection of high-quality open source components. Your application is likely a collection of components and libraries covered by an array of different licenses, and some of those licenses impose obligations on you if you distribute the software. Beyond license obligations, those same components may carry known security vulnerabilities that are tracked in public vulnerability databases.

Running the Insight Application Health Check scan to generate a summary report is free, and once you run it you’ll know whether your application has potential licensing and security issues. You don’t have to configure a repository manager to scan, and you don’t have to set up Jenkins or Hudson jobs to scan a project’s build. We’ve made it very straightforward to get started, and here’s a video summary of the process:

All you have to do to get a free summary report with information about your application’s security and licensing issues is the following:

  1. Open up a web browser.
  2. Go to this web page.
  3. Agree to the EULA, and download the Insight Application Health Check scanner.
  4. Double-click the self-executing JAR.
  5. Fill in your email address and select an archive that contains your application alongside any of its dependencies.
  6. Click on Start Scan.

That’s it. If it takes you longer than 2-3 minutes, I’d be surprised. Once you click on Start Scan, the Insight Application Health Check scanner scans your application’s files and gathers a fingerprint for each file. It sends this fingerprint (and nothing else) back to the Insight service, and you’ll receive an Insight Application Health Check report in a few minutes.
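To make the hash-only design concrete, here is an added example of how a scanner of the kind described above can work; it is not Sonatype’s code and makes no claim about the real service’s wire format or index. It assumes that each file inside the submitted archive is identified by the SHA-1 of its bytes (the digest Maven Central publishes alongside every artifact) and that a lookup index maps such digests to component metadata. The archive, the component bytes, and the index entries are all constructed inline so the example runs offline.

```python
import hashlib
import io
import zipfile


def sha1_hex(data):
    """SHA-1 hex digest of a byte string (the digest Maven Central publishes per artifact)."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample component bytes and index (not real artifacts). The index maps a
# file's SHA-1 to metadata, which is all a hash-only lookup service needs to receive.
SAMPLE_LIB_BYTES = b"constructed bytes standing in for example-lib-1.0.jar"
SAMPLE_UNKNOWN_BYTES = b"constructed bytes standing in for an unindexed jar"
SAMPLE_CLASS_BYTES = b"\xca\xfe\xba\xbe constructed class file payload"

COMPONENT_INDEX = {
    sha1_hex(SAMPLE_LIB_BYTES): {
        "component": "example-lib", "version": "1.0", "license": "Apache-2.0",
    },
}


def build_sample_archive():
    """Build a WAR-like zip in memory: a directory entry, two 'jars' and one class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WEB-INF/lib/", b"")  # directory entry; must be skipped, not hashed
        zf.writestr("WEB-INF/lib/example-lib-1.0.jar", SAMPLE_LIB_BYTES)
        zf.writestr("WEB-INF/lib/unknown-0.1.jar", SAMPLE_UNKNOWN_BYTES)
        zf.writestr("WEB-INF/classes/App.class", SAMPLE_CLASS_BYTES)
    return buf.getvalue()


def fingerprint_archive(archive_bytes):
    """Return {entry_name: sha1_hex} for every regular file inside a zip/jar/war.

    Contents are hashed in chunks and discarded; only the digests are returned,
    which is what a hash-only scanner would transmit to its lookup service.
    """
    fingerprints = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha1()
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(64 * 1024), b""):
                    digest.update(chunk)
            fingerprints[info.filename] = digest.hexdigest()
    return fingerprints


def match_components(fingerprints, index):
    """Split entries into those the index recognises and those it does not."""
    matched, unknown = {}, []
    for entry, digest in sorted(fingerprints.items()):
        if digest in index:
            matched[entry] = index[digest]
        else:
            unknown.append(entry)
    return matched, unknown


def scan(archive_bytes, index=COMPONENT_INDEX):
    """Full pass: hash the archive's files, then look the hashes up in the index."""
    fingerprints = fingerprint_archive(archive_bytes)
    matched, unknown = match_components(fingerprints, index)
    return {"fingerprints": fingerprints, "matched": matched, "unknown": unknown}


if __name__ == "__main__":
    report = scan(build_sample_archive())
    for entry, meta in report["matched"].items():
        print(f"{entry}: {meta['component']} {meta['version']} ({meta['license']})")
    for entry in report["unknown"]:
        print(f"{entry}: no match in index")
```

Two points worth keeping in mind when reading a report produced this way. The lookup is exact-match on the whole file, so a jar that was rebuilt from source, shaded, or repackaged will hash differently from the published artifact and land in the "unknown" bucket; an unmatched entry is therefore not a clean bill of health, only an entry the index could not identify. And because the index is keyed on the file digest, the scanner needs to send nothing but those digests, which is what makes the "fingerprint and nothing else" claim above checkable: inspect the outbound request and confirm it carries only hashes and entry names.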

The sample report is enough to get started; here are the details. The report gives a high-level summary of the components Insight found in your application, the severity of any security issues present, and the mix of licenses in use. If something catches your interest, you can then purchase a detailed report for $99 (a limited-time discount off the regular price for this report).

These detailed reports don’t just identify where the security and licensing problems are; they go a step further. Every artifact that presents an issue is summarized, with a graphical overview of the available versions of that artifact, to help you make an informed decision about how to address it. If you want more information about the detailed report, watch this video:

Join Us: Sonatype Meetup in NYC – Wednesday, July 25, 2012


July 12, 2012 By Emily Blades

Sonatype Meetup in NYC

We’re planning a Sonatype Meetup in New York City on Wednesday, July 25 at 6PM. Jason will be giving an informal talk on the next phase of Apache Maven-based development and how Sonatype is tackling all the hard problems in component lifecycle management. After that, he’ll be giving a sneak peek of our product roadmap for both Nexus and Insight. He’ll be hanging out afterwards to talk shop over drinks and appetizers.

We’ve booked a great space at The Eventi Hotel (851 Avenue of the Americas), but space is limited. If you are in the New York area and interested in attending, please register by completing this form and we will save you a space and send you more details. Hope you can make it!


New Java Exploit To Debut In BlackHole Exploit Kits


July 10, 2012 By The Vigilant Application Owner

While this appeared on our Security feed last week, it’s important enough to repeat here because it affects just about everyone running Nexus, which runs on the Java runtime. If you haven’t yet applied the latest Java patch from Oracle, it’s time to do so, because the exploit is now being bundled into commercial exploit kits. Our Insight product isn’t designed to detect vulnerabilities in the JVM itself, but it will catch insecure libraries inside your applications; learn more about Insight today.

Krebs on Security – (International) New Java exploit to debut in BlackHole exploit kits. Malicious computer code that leverages a newly-patched security flaw in Oracle’s Java software was set to be deployed late the week of July 2 to cyber criminal operations powered by the BlackHole exploit pack. The attack may be related to an exploit published for CVE-2012-1723 in mid-June. However, according to the current vendor of the BlackHole exploit pack, the exact exploit for this vulnerability has only been shared and used privately to date. The BlackHole author said the new Java attack was to be included in a software update made available July 8 to all paying and licensed users of BlackHole.

Source: http://krebsonsecurity.com/2012/07/new-java-exploit-to-debut-in-blackhole-exploit-kits/

Component Lifecycle Management with your Apache Maven Infrastructure


July 5, 2012 By Jason van Zyl

The way software is developed has changed over the last ten years: it has shifted from companies developing the vast majority of their own software to an approach that depends on freely available open source components. Today the vast majority (upwards of 90%) of Java-based applications are assembled from components, and very little of these applications consists of code that companies build internally. The extent to which open source components are being used is not widely known within companies that have thousands of applications and hundreds of thousands of downloads from the Central repository.

In last week’s webinar I discussed the trends we’ve identified and the tools we’ve developed to address this challenge. Tracking down where components come from, managing your application to account for changes in components, and dealing with security and licensing issues that relate to your application’s dependencies is our focus. If you develop software using open source components, here’s a video of my webinar. If you are interested in learning more about our Insight products and starting to keep track of the components you consume, go to http://www.sonatype.com/insight.

Webinar Replay Now Available: Insight for CI Demo


May 31, 2012 By Emily Blades

A big thanks to all of you who registered and attended our Insight for CI Demo last week. We had a great turnout and a lot of fantastic questions! If you didn’t have a chance to register, that doesn’t mean you have to miss out. The replay is now available.

Request the webinar recording here.

Ready to try Insight for CI for yourself? Let us help you get started.

Thank you!