Unless you develop code on an isolated island disconnected from the internet, it’s a safe bet that you use open source in your development cycle somewhere. Maybe you use an open source IDE, or maybe you deploy to Linux; in 2012, it is likely that you have some bits in your process covered by an OSS license. Despite the prevalence of OSS software, most organizations tend to follow the “Make it Up as You Go” process for identifying the licenses they are incorporating and distributing at the tail end the software development process.

In this post, I outline the “Make it Up as You Go” process and talk about some of the pitfalls you’ll encounter if this is a process you find yourself following. This is the case of a real company and how they went about assessing license exposure for a project that was already finished. Names have been omitted to protect the innocent. (Law and Order noise.)

Note: Many of the issues in this post could have been avoided with Nexus Professional 2.0′s Repository Health Check. This post talks about what it is like to take on the responsibility for auditing licenses manually. Nexus 2.0 can automate this process and perform this check continuously as dependencies are consumed from remote repositories. We also go out of our way to get licensing information from more than just the POM. This is the unique advantage of using Nexus, we’re not just looking at the POM.

Are you available to do a license audit?

That was the initial request. “But, I’m not a lawyer? Don’t you want a lawyer to do that?”, I asked.

Continue reading →

Nexus 2.0 turns your repository manager into the first line of defense against security vulnerabilities and the perfect platform to assess your exposure to open source licenses. With this release, your repository becomes more than just a place to file binary artifacts, it becomes a tool you can use to implement security policy and govern which open source licenses are used in your projects.

Nexus is in perfect position to be your OSS “sentry”: keeping watch over insecure artifacts as they are downloaded from remote repositories. Your builds and your developers request open source artifacts from Nexus all the time, and Nexus relays those requests to remote repositories downloading the open source artifacts your teams have come to depend on. While your company builds software and completes CI builds, your Nexus instance is assembling a local cache of all the artifacts used in your applications. You can scan this local proxy cache for problematic components with a feature we’ve named Repository Health Check.

Continue reading →

Sonatype is pleased to announce Nexus 2.0, a major update for Nexus including several major features and features that add a new layer of intelligence about the artifacts stored in your repositories.

Today is a big day in the history of Nexus. It has been six years since Nexus was created and the product hasn’t only come along way since then, it has set the standard for repository management. When we started, few people were thinking about running a local repository manager. These days, you’d have to work to find a serious development effort that doesn’t use one. Repository managers are essential.

Today Sonatype is redefining repository management, taking the core ideas of remote proxies and hosted repositories and adding a layer of intelligence. Everyone consumes open source. You couldn’t code anything worth coding without using something like Guice, Spring, or a hundred other essential libraries. Even though OSS is everywhere, very few organizations are paying attention to license and security information about those artifacts. We’re changing that today by making Insight integration a part of Nexus.

Repository Health Awareness

In Nexus 2.0 you have the ability to request a repository health check from the Sonatype Insight service. Our Insight service maintains a database of security vulnerabilities and open source licenses. We scan source distributions to identify inconsistencies between declared licenses and effective licenses, and our security database is constantly scanning for the latest vulnerabilities.

When you submit a repository for a Repository Health Check, the process is non-invasive and non-disruptive. Nexus sends non-identifiable hash codes for artifacts to the Insight service which then returns actionable quality, security, and licensing information about the open source components in your repositories. From the Insight summary report you can see your exposure to both security vulnerabilities and various open sources licenses.

Repositories are scanned for artifacts with known security issues producing summary reports showing how many Critical, Servere, and Moderate vulnerabilities are present in a given repository. Licensing reports generate a overall summary of your exposure to copyleft licenses like GPL, and liberal licenses such as the Apache license. Nexus Professional customers can drill down into a detailed reports identifying specific components with unacceptable licenses or security vulnerabilities.

These reports can be used to implement policies managing your exposure to security risks and tracking the array of open source licensed used by your development teams.

Availability Architecture – Smart Proxy

If you require more than one instance of Nexus, Nexus Professional 2.0 has an entirely new availability architecture making it easier to support distributed teams. If you run several instances, the smart proxy capability new in Nexus 2.0 connects two or more instances of Nexus in real-time. This adds an intelligent, distributed mechanism to keep repositories in sync. One instance of Nexus subscribes to messages from another receiving repository change events notifying it of newly published artifacts.

Before Nexus 2.0, distributed architectures had to resort to a workaround that affected performance, not found caches for snapshot repositories had to be set very low and reduced the benefit of having local caches. After Nexus 2.0, distributed teams can collaborate closely knowing that a Nexus smart proxy is keeping repositories in sync without sacrificing performance. When two Nexus instances and two repositories are related using Smart Proxy, one repository subscribes to events published by the other. This means that changes are communicated immediately.

Smart proxy makes Nexus aware of distributed deployment architectures. This makes Nexus 2.0 ready for the the largest, most mission critical Nexus installations.

.NET Package Repository

If you develop .NET applications, Nexus Professional 2.0 adds support for NuGet. NuGet is a Visual Studio extension that makes it easy to install and update open source libraries and tools. NuGet Gallery is the equivalent of the Central repository for .NET developers and with Nexus 2.0 you can proxy and cache artifacts from NuGet Gallery on your local Nexus instance.

In addition to proxying NuGet repositories in Nexus you can also publish your own .NET packages to hosted repositories. This new ability to use Nexus as a publishing end point for internal .NET applications means that your development teams can start to share libraries using a corporate NuGet repository.

Nexus adds full support for .NET, in addition to proxying and hosting repositories, Nexus 2.0’s .NET support enables you to group NuGet repositories. You can also create virtual NuGet repositories that scan other repositories for NuGet packages and expose them to the NuGet feed.

Nexus 2.0 provides first-class support for .NET artifacts, with this release you get a common place to manage artifacts for both .NET and Java development efforts.

Conclusion

There are other features in the 2.0 release that we’ll be talking about in the coming weeks, but these three major features: Repository Health Check, Smart Proxy, and NuGet support are important upgrades to the Nexus project. To find out more about how you can start your evaluation of Nexus Professional, go to http://sonatype.com/nexus.