Last week I wrote about how important it is to pay attention to the security of the OSS projects you depend on. This isn’t just a one-time responsibility when you are choosing which component to depend on; it is an ongoing requirement. Even if you use the most secure OSS projects out there, if you don’t pay attention to security updates, it is all for nothing. Staying secure requires constant vigilance.
In this post, I’m going to talk about OSS project security. Since we’ve been paying a lot of attention to OSS security, I wanted to lay out some guidelines for evaluating an OSS project’s security. There’s a wide range of approaches to security among OSS projects: on one end of the spectrum, a one-person OSS project on GitHub won’t have a formal approach to security; on the other end, a project at the center of a billion-dollar commercial ecosystem (like Apache httpd or Tomcat) will have a dedicated security team.
Sonatype recently released a free beta version of the Sonatype Insight Plugin for Eclipse that allows you to manage and select Java components more efficiently. It is part of the Sonatype Insight product line, which helps organizations take advantage of open-source-based development while improving quality and reducing security and licensing risks.
See what components are used, which versions, and when updates are available
We want to make component based development as easy as possible by providing you the tools to choose the right components from the beginning to speed development, improve quality, and reduce costly rework. This plugin, the first of a series of development tools, helps you tame the issues typically associated with utilizing open source Java components, including:
Determining when new component versions are available and making informed update decisions
Understanding what versions of each component are used in your project
Identifying where specific components are used
Updating components throughout your project
The plugin is build-tool agnostic, so it works with Java projects in general (plain Java, PDE, Maven, etc.).
This is just the beginning. We’ll be adding features to help you choose components that meet your security, quality, and licensing standards by providing useful information about each component right in the IDE. For example, we’ll alert you when a component, or one of its dependencies, has known security vulnerabilities. You’ll also be able to tell how each component or dependency is licensed without having to hunt through the code yourself.
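To make concrete what the inventory and alerting described above (and the "pay attention to security updates" point from the earlier post) actually involve, here is a small added example. It is not code from the Sonatype Insight plugin or from any Sonatype product; it is an independent illustration of the idea. It parses a constructed pom.xml, resolves `${property}` version references, checks each dependency against a constructed advisory list (the advisory ids are placeholders, not real CVEs), and reports whether a newer release is known. Version comparison is numeric per dotted segment, which is enough to avoid the lexical trap where "2.0.10" sorts before "2.0.5"; full Maven version ordering with qualifiers such as `-SNAPSHOT` or `-beta` is not modelled here.

```python
"""Dependency inventory and known-vulnerability check for a Maven pom.xml.

Added illustration, not Sonatype's plugin code. The pom.xml, the advisory
list and the 'latest release' catalogue below are constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml (not a real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <parser.version>1.2.3</parser.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>parser</artifactId>
      <version>${parser.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>http-client</artifactId>
      <version>2.0.10</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed: (groupId, artifactId, first affected, first fixed, id).
# The ids are placeholders, not real advisories.
ADVISORIES = [
    ("org.example", "parser", "1.0.0", "1.2.4", "EXAMPLE-ADV-001"),
    ("org.example", "http-client", "2.0.0", "2.0.5", "EXAMPLE-ADV-002"),
]

# Constructed "latest release" catalogue, standing in for a repository index.
LATEST = {
    ("org.example", "parser"): "1.3.0",
    ("org.example", "http-client"): "2.0.10",
}


def version_key(version):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically.

    Short versions are padded with zeros so '1.2' equals '1.2.0'.
    """
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        deps.append((group, artifact, version))
    return deps


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed (numeric comparison)."""
    return version_key(first_affected) <= version_key(version) < version_key(first_fixed)


def audit(pom_xml, advisories=ADVISORIES, latest=LATEST):
    """Return one report entry per dependency: matched advisories and update status."""
    report = []
    for group, artifact, version in parse_dependencies(pom_xml):
        matched = [adv_id for (g, a, lo, hi, adv_id) in advisories
                   if (g, a) == (group, artifact) and is_affected(version, lo, hi)]
        newest = latest.get((group, artifact))
        outdated = newest is not None and version_key(newest) > version_key(version)
        report.append({
            "coordinate": f"{group}:{artifact}:{version}",
            "vulnerabilities": matched,
            "latest": newest,
            "update_available": outdated,
        })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_POM):
        status = "VULNERABLE " + ",".join(entry["vulnerabilities"]) if entry["vulnerabilities"] else "ok"
        update = f" (update to {entry['latest']} available)" if entry["update_available"] else ""
        print(f"{entry['coordinate']}: {status}{update}")
```

In the sample data, `org.example:parser:1.2.3` falls inside the affected range and has a newer release, so it is reported as vulnerable with an update available, while `org.example:http-client:2.0.10` is already past the fixed version and is the latest known release. The point of the `version_key` helper is exactly the second case: a plain string comparison would wrongly place 2.0.10 inside the 2.0.0 to 2.0.5 range.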
The Maven 3: The Future of Enterprise Java Build Infrastructure presentation is now available for viewing. This presentation was given at EclipseCon 2011 by Sonatype founder Jason van Zyl.
More on this presentation:
Maven 3 is the best version of Maven yet. Maven 3 is faster, has been optimized for IDE use, and is fully backward compatible with Maven 2. One of the big focuses of Maven 3 is to provide a more reliable, more stable and better performing build tool. Faster Maven builds lead to higher developer productivity in your organization.
As part of the Eclipse Live series of webinars, Sonatype software developer Pascal Rapicault is giving a presentation on Tycho: Building Eclipse plugins with Maven.
About the webinar:
Tycho is a set of Maven plugins and extensions for building Eclipse plugins and OSGi bundles with Maven. Eclipse plugins and OSGi bundles have their own metadata for expressing dependencies, source folder locations, etc., which would normally be found in a Maven POM. Tycho uses the native metadata for Eclipse plugins and OSGi bundles and uses the POM to configure and drive the build. Tycho supports bundles, fragments, features, update site projects and RCP applications. Tycho also knows how to run JUnit test plugins using the OSGi runtime, and there is support for sharing build results using Maven artifact repositories.
Join this webinar to get an overview of the Tycho project and to learn what plans the project has for the future.
Date: May 3, 2011
Time: 9:00 am PST / 12:00 pm EST / 4:00 pm UTC / 6:00 pm CET
As mentioned earlier on the Sonatype blog, we’re taking some of our most popular sessions from EclipseCon 2011 and releasing them to the wider developer community. The second installment from EclipseCon 2011 is m2eclipse: The Collaboration of the Maven & Eclipse Platforms.
Software developer Igor Fedorenko details the new features and changes to m2eclipse 1.0, including pom.xml editor enhancements and reworked build lifecycle mapping.