During our initial testing of Insight Application Health Check we found that real-world applications at large enterprise contained an average of 32 publicly known security vulnerabilities. Some of these security vulnerabilities were 3s and 4s on the 10 point CVSS scale, but many were 9s and 10s. These are bugs that are easily exploitable over the network which can be used to take ownership of applications and data.

So, think about it. If you develop Java applications, you’ve been relatively isolated from security concerns for years. Java has never been the top attack vector of hackers, and, because of this, developers have never really had to think about scanning artifacts for security issues. It looks like this is changing, and if you want to do something about it, it’s easy. Just run a free summary scan of your application with Insight App Health Check.

Here’s the IDG story, enjoy:

IDG News Service – (International) Java flaws increasingly targeted by attackers, researchers say. Java vulnerabilities are increasingly exploited by attackers to infect computers, and the problem could become worse if Oracle does not do more to secure the product and keep its installation base up to date, according to security researchers who will talk about Java-based attacks at the Black Hat USA 2012 security conference. Several years ago, the most targeted browser plug-ins were Flash Player and Adobe Reader. However, many current Web exploit toolkits rely heavily on Java exploits, said a security researcher with HP DVLabs, Hewlett-Packard’s vulnerability research division.

Source: http://www.computerworld.com/s/article/9229641/Java_flaws_increasingly_targeted_by_attackers_researchers_say

When we launched our Support portal as a part of our relaunch of the sonatype.org site we didn’t make a big deal out of it. We didn’t jump up and down and tell everyone to come and participate. Instead, we sat back and waited for Google to find us to see if the resource was going to be useful to users. Well, the results are in, without much promotion the resource is getting tens of thousands of visits a month and we’re getting good feedback. So…

This month we’ve decided to turn on the support features of Zendesk and start directing our users to our Support Portal. Both customers and non-customers can file support requests and anyone can comment or ask questions. Have at it.

You can file support requests….

If you have a question about anything related to Sonatype, whether it is our site, one of our books, a product, or anything that you want to ask us, we’d encourage you to: 1. Fire up a web browser, 2. Go to http://support.sonatype.com, and 3. Click on Submit a Request (as shown below). Fill out some details and we’ll make sure to get back to you with an answer.

For a better experience, I’d suggest you login to our Support Portal with your Sonatype credentials. If you do that, you will also be able to create new topics in our Knowledge Base.

How do I login to the Sonatype Support Portal?

To file a ticket, just go to http://support.sonatype.com, click on the login link in the upper right-hand corner of the interface and sign in. To sign in to the support portal you will need a username and password:

• If you are a customer, you have a username and password that you can use to login to this portal.
• If you have used our JIRA instance or our Wiki, use your Sonatype Credentials.
• If you don’t have a username and password, you can register for an account in our Sonatype JIRA instance.

Note: When you register for an account, please make sure to use your work email if you are going to file support requests. This will make it easier for us to identify support requests from customers. (The connection between the Zendesk login page and JIRA isn’t obvious yet, we’re still updating our site to make this more apparent.)

Commenting on Topics and Creating Topics in the Knowledge Base

One of the promises of using an open source project is that you benefit from the community of users. Because Sonatype is an open source company, we have a very health community of power users that feel enabled to answer questions and help other users with best practices. If you have a question? Or, if you want to start a new topic in our Knowledge Base registered users have the ability to do both.

Login following the instructions in this post and then visit our Knowledge Base. Our Knowledge Base is divided into four sections:

• Open Source: These topics cover the OSS projects that Sonatype participates in including Maven, Nexus, m2eclipse, Hudson, and Tycho.
• Products: These topics cover Sonatype professional projects such as Insight for CI and Nexus Professional.
• Development: While other topics are focused on users and administrators, these forums focus on plugin development and APIs that are not directly relevant to end-users. This is where you will find an increasing amount of information about our REST services and other, more advanced methods to customize the behavior of Sonatype’s products.
• Customer Topics When you visit our knowledge base as a customer you will also see a few additional topics covering our professional products.

Why Zendesk?

When we were evaluating options for our Support Portal, Rich Seddon, our Support Ninja, had a whole list of requirements. At the top of that list was integration with other services and also the ability to integrate with Single Sign-on (specifically Atlassian’s Crowd). Zendesk’s integrating features are first-class and this is what allows us to make sure that your support request is answered in a timely manner and routed to just the right person immediately. Integrating our support portal is essential, we want to make sure that everyone who may be in contact with a customer has all the information they need to support a customer directly.

In addition to this emphasis on integration, Zendesk also exposes much of the site as an API. We make heavy use of these APIs on the http://www.sonatype.org site. Every time browse the Nexus section of the sonatype.org site you are making use of the Zendesk APIs.

But, the most important feature that drove the selection of Zendesk is user experience. Please tell us if you disagree (file a support request), but we think that Zendesk is a great interface for users, and that’s what we’re focused on: you.

If there is someone you would like to nominate for the community spotlight, please don’t hesitate to contact us at communityspotlight@sonatype.com. Thank you!

Manfred Moser – Kicking Apps and Taking Names

We have had the pleasure of working directly with Manfred Moser for the better part of a year and have been familiar with his work for much longer. Given Manfred’s constant and continuous work with the community we are sure many of you know him but for those that don’t, here is a little bit of background on Manfred.

Manfred has been professionally developing software in Java since 2003 and is a self-proclaimed open source fanatic, as well as an Android application developer, consultant, author and speaker. He has a long history of developing software in Internet, enterprise and mobile spaces. He is now working as an Android application developer and consultant with his own company, simpligility technologies.

simpligility technologies brings simplicity and agility to software development, processes, products and customers. With Manfred’s engineering background, teaching experience and passion for tools and infrastructure, he loves helping and mentoring other developers and development teams. He is able to understand complex requirements, business processes and software systems and cut through all the distractions to the core purpose and aim of an application. With this background simpligility offers a myriad of helpful consulting services.

We have been very lucky to work with Manfred on a number of projects. He is a core committer to the Android Maven Plugin and has co-authored our Sonatype book Maven: The Complete Reference, where he recently revamped the Maven Android chapter.  He is a Hudson committer and co-authored the new Hudson Book with Tim O’Brien.  Manfred is also a core contributor to our brand new Nexus Best Practices training course materials.

Manfred is the founder of the Vancouver Island Java User Group in Victoria, BC and in addition to presenting at java user group meetings, he has also presented at a number of conferences around the world. His next appearance will be at AnDevCon II in San Francisco this week from November 6 to 9, 2011.  If you plan to be there, we highly recommend popping into at least one of his sessions. The two sessions Manfred will be leading are: Taking Advantage of Apache Maven for Your Android Builds and Testing Android Apps – Going from Zero to Hero.

You can follow Manfred on twitter @simpligility or read the simpligility blog here.

We would like to thank Manfred for all his hard work and contributions! Thank you Manfred!

At Sonatype, we want to make synchronizing and publishing your artifacts to Central easier and to improve the quality of repository metadata for everyone at the same time. To facilitate this, we offer a dedicated instance of Sonatype Pro for Nexus at http://oss.sonatype.org specifically to host the artifacts of open source projects. In this post, I talk about the process of creating a repository for your open source projects and publishing artifacts so that they will be available from the Central Repository.

This service has been available since 2009 and includes many projects such as Plexus, Jetty, Google Guice, Spring and Ehcache (Greg wrote about his experience with migrating to oss.sonatype.org). We have tooling in place to make it easy for us to process a larger set of requests, so we invite everyone to use this resource. As of October, 2011, we have over 1,500 projects using this repository on a daily basis.

To get the process started, go here. We’ll setup a release and snapshot repository for your project, along with the appropriate configuration to allow you to use the staging features for your releases. If you have an existing repository somewhere, we can migrate that for you too. We’ll even help you add artifacts to Central that you use, but don’t necessarily own — assuming of course that it doesn’t violate the projects license.

The system allows customizable rules to be run during the staging process, which allows us to automatically check things like valid pgp signatures and correct POM parsing. This will ensure that your users have the best experience possible when using your artifacts, and relieve some of the manual validation on your side — a win for everyone.

On the technical details, this instance gets its network connection via Contegix‘s high availability network, the same one running Central, Codehaus.org and Atlassian.com. New Relic has donated monitoring services to help us monitor and tune this instance of Nexus. Since OSSRH is hosted on the same infrastructure as the Central Repository, we are able to frequently synchronize the repositories.

Next time you need to add a project to the Central Repository, you’ll know how.

Java.net projects such as GlassFish and others are now included in the Central Repository, making it easier than ever for you to locate and download Java.net components without the workarounds or advanced configurations previously required. You’ll be able to leverage Java.net project assets to deliver applications faster, at a higher quality, and with less risk.

The Sonatype team worked closely with Oracle during the past year to evaluate existing Java.net legacy repositories, clean-up metadata and unite disparate content into a single site.   Java.net project owners can now easily automate and control synchronization of their project artifacts to the Central Repository through a hosted version of Sonatype Pro™ for Nexus donated by Sonatype to the project.

Read more about this exciting move in our press release and this article in Dr. Dobbs.

See what components are used, which versions, and when updates are available

We want to make component based development as easy as possible by providing you the tools to choose the right components from the beginning to speed development, improve quality, and reduce costly rework. This plugin, the first of a series of development tools, helps you tame the issues typically associated with utilizing open source Java components, including:

• Determining when new component versions are available and making informed update decisions
• Understanding what versions of each component are used in your project
• Identifying where specific components are used
• Updating components throughout your project

The plugin is build tool agnostic, and so works with all Java projects in general (Java, PDE, Maven, etc.).

This is just the beginning. We’ll be adding features to help you choose components that meet your security, quality, and licensing standards by providing useful information about each component right in the IDE.  For example, we’ll alert you when a component, or one of its dependencies has known security vulnerabilities. You’ll also be able to tell how each component or dependency is licensed without having to hunt through the code yourself.

So tame your dependencies today and get the Sonatype Insight Plugin for Eclipse.

Since 2007, Central has been hosted at Contegix in a shared rack with 100mbps data connections to the Internet. We’ve worked with Contegix to acquire a new dedicated switch that will have a 1gb connection directly to their core routers. The routing to the switches is done at the Layer 3 (IP) level and this means we are moving to a new dedicated ip subnet:

• 207.223.241.64/27 (207.223.241.65 – 207.223.241.95)

In addition to the network upgrade, we’ve added an entirely new tool to our belts: Dyn (formerly DynDNS.com) is partnering with us to provide active monitoring, failover and global load balancing along with enterprise DNS services for maven.org via their DynECT Managed DNS solution. DNS resolution time should be noticeably faster as Dyn has DNS servers all around the world.

Availability will be improved as we have added geographic diversity with servers located in both the US and the UK. The DynECT Active monitoring service monitors http://repo1.maven.org/maven2 every 60 seconds and if any timeouts or errors are detected, the system will instantly switch over to alternate Central servers.

Although traffic to Central from Europe represents nearly 50% of overall load, the UK servers are serving less than 2%. This means most of our European users aren’t using the http://uk.maven.org/maven2 urls directly. DynECT has a load balancing solution, Global Server Load Balancer (GSLB), that will transparently direct traffic to our servers based on the user’s location. While our bandwidth costs are higher in the UK, the enhanced experience for almost half of our users is well worth the investment.

Firewall Updates May Be Required

These changes that provide the community benefit of increased stability, uptime and geographic load balancing required us to change our IP addressing such that we can no longer offer a single, static IP address for Central.

If your organization utilizes firewall rules with specific IPs, please allow this list so that you won’t be affected by any failover or balancing that may occur:

• 207.223.241.90 : Current US primary
• 207.223.241.91 : Current US staging
• 207.223.241.92 : Current US standby
• 207.223.241.64/27 (207.223.241.65 – 207.223.241.95) Future US Subnet
• 89.167.251.252: UK Primary
• 89.167.251.253: UK standby
• 89.167.251.249: UK standby

We anticipate the cutover to the new switch and IP addresses to occur between August 1, 2011 and August 5th, 2011. Shortly after that, we will slowly start to roll out the global load balancing. As long as you have allowed the IPs listed above and use the http://repo1.maven.org/maven2 url in your systems, the only things you should notice are faster resolution and download times.

Thanks again to Contegix and Dyn for helping us to provide enterprise level services to the development community.

• Search functionality that allows one to quickly track down artifacts and their dependency details when trying to resolve build problems.
• Browse functionality that aids in discovery of new artifacts to use in projects.

In the intervening months, Sonatype has focused its efforts on improving the usability of the Maven Central user interface in the hopes of making it the first place users look when trying to find an artifact.  Recently, users who have reaped the benefits of using the Maven Central website have asked about interacting programmatically with the search functionality.

If you pay attention to your web browser’s address bar when conducting searches on Maven Central, you can already see that a REST-style API exists.  For example, searching for “guice” from the main search box results in the following URL being generated (the following URL’s are NOT URL-encoded for the sake of readability):

• http://search.maven.org/#search|ga|1|guice

Translating the search request into English, that URL requests a basic search for any artifact (irrespective of version) containing the word “guice” in either the groupId or artifactId, returning only the first page of results.  Each row of the results shows the latest version of the artifact and the date the artifact was last updated as well as any classifiers associated with the artifact.

You can build up the complete library of search requests simply by paying attention to your web browser’s address field as you use the Maven Central website.  For the sake of convenience, we’ve collected all the URLs that make up Maven Central’s search API in a document available here.

Sadly, these URL’s are still only useful when requesting them via web browser.  They are links that can be bookmarked or e-mailed, but they do NOT work when using a non-browser agent like wget or curl.  The Maven Central user interface is essentially a browser-based application that uses Javascript to make asynchronous requests to yet another set of URL’s.  Once you make a request that looks like the URL above, the browser fires off the actual request to another Maven Central URL responsible for conducting the search and returning results that are formatted by the browser.

The sample request above, when converted to an actual Maven Central search request, looks like this:

• http://search.maven.org/solrsearch/select?q=guice&rows=20&wt=json

The actual text of your query goes in the appropriately named “q” parameter, the “rows” parameter restricts the results to a smaller number than the full result set, and the “wt” parameter can be either “xml” or “json,” depending on how your application prefers to handle results.

Some useful examples appear below.  Again, please refer to the API Guide for a complete listing:

• Fully-qualified classname search – http://search.maven.org/solrsearch/select?q=fc:”org.specs.runner.JUnit”&rows=20&wt=json
• GroupId and artifactId search that returns all available artifact versions – http://search.maven.org/solrsearch/select?q=g:”org.apache.maven.indexer”+AND+a:”maven-indexer”&rows=20&core=gav
• SHA1 search (you would need to pre-calculate the SHA1 before sending the request to Maven Central) – http://search.maven.org/solrsearch/select?q=1:”2d3c16092663da9041b171b8d3627cbafa8f0cb1″&rows=20&wt=json

In an upcoming post, I’ll describe the architecture behind Maven Central that makes all this functionality possible.

This post outlines some of the new features available in all 1.9 releases of both Nexus Professional and Nexus Open Source. This release has a lot of important, under-the-hood changes – including a number of changes to the core infrastructure of Nexus to increase Maven 3 compatibility and to incorporate open source libraries for repository interaction (Aether and Maven Indexer). In addition to a wide array of fixes and features in Nexus Open Source, you can now use Nexus Professional to analyze Maven Dependencies.

• Download Nexus Professional 1.9.1
• Download Nexus Open Source 1.9.1

Changes in Nexus Professional 1.9.1

Nexus Professional has the following key benefits.  For a complete list of all features added and bugs fixed in Nexus Professional 1.9.1, see the official release notes (note: release notes require a log-in).

• Moved the Custom Metadata Plugin to optional plugins – This Custom Metadata plugin is now shipped as an optional dependency. If you are using the Custom Metadata plugin you will need to copy this plugin from the optional dependencies directory to the plugins directory. Nexus will then start up this plugin the next time it is restarted.
• The New Maven Module Dependency Report – Nexus Professional adds a helpful report for people browsing the repository. For the first time, you can click on an artifact and see a report of Maven dependencies. From this report you can click through to search for dependencies.

Changes in Nexus Open Source

Nexus Open Source 1.9.1 contains the following new features and updated capabilities. We’ve summarized some of the major features and bug fixes for your convenience. If you are looking for more details about a particular feature or fix, read the full release notes for a comprehensive list of features added and bugs fixed.

• New Nexus Archetype Plugin - Nexus 1.9.1 will now add any Maven Archetypes you deploy to your own repositories to the archetype catalog. Once an archetype is available in the archetype catalog, you can then access archetypes using tools like m2eclipse, which reference the archetype catalog when creating a new project.
• Uses the Maven Indexer - Sonatype has successfully completed the donation of the Nexus Indexer to the Apache Software Foundation, and we are integrating this newly donated “Maven Indexer” in this release of Nexus. For more information, read this post.
• Improvements to the Roles and Permissions Interface - The Nexus team spend a considerable amount of time trying to simplify the Roles and Permissions interface based on user feedback. We’ve tried to make it easier to understand at first glance, and we’re also tried to reduce the amount of work necessary to make changes to roles and permissions.
• Integrated Aether - Aether is a new open source library designed to capture best practices for retrieving information from Maven repositories. It provides a clean interface and manages fetching both metadata and artifacts. This version of Nexus incorporates Aether and replaces Mercury. Integrating Aether has also solved a number of minor issues involving Maven metadata and compatibility with Maven 3.
• Switched to Java 6 - Nexus has upgraded to Java 6.
• Nexus Upgraded Security from JSecurity to Apache Shiro - As an end-user you shouldn’t notice many changes in the interface to support this migration, but if you are developing custom security realms for Nexus, this post describes some of the changes you need to make to support the move to Shiro. Note: After this upgrade, both first name and last name are required fields for a user. If you have an existing user that only have one name (“Administrator”), you will need to supply a first and last name for this user if you ever edit this user through Nexus UI.
• Added robots.txt to bundle to stop public repos from getting crawled
• Improved Reindexing Performance - Reindexing performance has been considerably improved, achieving a nearly 2x speed up for certain repositories.
• Switched to the Affero General Public License - Nexus Open Source is now covered under the Affero General Public License. For more information about this switch see this post.
• Added a Start-up Script for 64-bit windows Platforms – If you are running Nexus on a 64-bit Window platform, you can now start Nexus with a 64-bit Windows JSW startup wrapper.

For information on upgrading Nexus, click here.

EclipseCon is the conference for anyone involved in Eclipse. As a proud member of the Eclipse Foundation, Sonatype is looking forward to another year of great talks, tutorials and BOF’s. We will be hosting a number of extended workshops as well as talks in the Cypress Room all day on Tuesday, March 22, 2011.

Sonatype founder Jason van Zyl will be giving a presentation on Next Generation Development Infrastructure with Maven, m2eclipse, Nexus & Hudson.

Presentation details:

All development organizations eventually converge on a set of tools to reduce costs, lower onboarding time, and leverage knowledge in strong communities to create standard processes. To this end we see in many organizations the emergence of a standard development stack consisting of Maven, m2eclipse, Nexus & Hudson. In this talk, Jason van Zyl, Founder of the Apache Maven project, will discuss the future of Maven and specifically Maven 3.x, the rapidly approaching m2eclipse 1.0 release, the recent Nexus 1.9 release and roadmap, and emerging tools such as Maven Shell and Polyglot Maven. Sonatype itself leverages this stack on a daily basis and this discussion will focus not only on the tools individually, but how they can work together to create a best practices approach to building and delivering your software in your organization.

Event details:

• Date: March 21-24, 2011
• Location: Hyatt Regency Santa Clara, CA
• Event website: http://www.eclipsecon.org/2011/

Stay tuned to the Sonatype blog for updates on Sonatype’s talks and presentations at EclipseCon 2011. And for the latest news and updates from the Sonatype team, follow us on Twitter @SonatypeCM.