<iframe src="//www.googletagmanager.com/ns.html?id=GTM-TT8R4P" height="0" width="0" style="display:none;visibility:hidden">

Sonatype Blog

Stay updated on the latest news from the makers of Nexus

Struts2 Exploited Again.  Did Anyone Bother to Tell You?

This week we saw the announcement of yet another Struts 2 Remote Code Exploit (RCE) vulnerability. What's notable about this instance is that POC code seems to have been released into the wild either just before, or immediately after the disclosure.  As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.

Whenever critical vulnerabilities emerge -- attackers have first mover advantage. Therefore, the only thing that matters is speed.

  • How long before you even become aware?  
  • How long does it take you to assess your exposure?
  • How quickly can you remediate the vulnerability?

In today's world, different companies utilize different tools and processes to manage open source governance and security risk within the software development lifecycle.  Forward leaning organizations empowered with DevOps-native intelligence will respond in hours or days.  Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.

It's now been 3 days since the Struts2 fix and disclosure.  Here's the official description available from the Mitre database as of Friday, March 10th:

Improving Build Time of Java Builds on OpenShift

Improving Build Time of Java Builds on OpenShift

Since we released OpenShift 3 back in July 2015, one of the most common questions I get from developers is how to get better build time for Java based builds. In this post, I will guide you through the process of speeding up Java Maven based builds, and will explain other options that can be taken to the ones that I’ll be showing.

Nexus Repository 3.0: Most Frequently Asked Questions - Answered

Nexus Repository 3.0 has hit the streets and continues to spur insightful discussions on where we're headed with the platform. We recently held a one hour demonstration where we had off the chart community engagement with interactive QA. If you missed the demonstration, watch the recording here.

Did you wake up to an alert about the Java Deserialization vulnerability?

This week I woke up to find several emails from Nexus Lifecycle indicating that the products in my portfolio were potentially vulnerable due to their inclusion of Apache commons-collection. If you have no idea what I’m talking about, stop now and go read this factual and un-sensationalized account of the situation. I’ll wait.

Nexus 3: New Milestone Release

There are those of us that like to stay on the cutting edge of technology, fiddling with the latest and greatest, even if it means the experience might be a little rough around the edges.

How Big is a Billion? Open Source Growth Skyrockets

How Big is a Billion?

We all remember 1997’s Austin Powers movie with Dr. Evil trying to express a really big number:

RebelLabs Java Survey Results: Developers Love Nexus

Another informative and well-presented RebelLabs survey has hit the streets. Their 2014 Java Tools and Technologies Landscape report was just released and hats off to them for 'their better than ever response rate' and their good will for charity donations from each completed survey response. This year's survey covers more than a dozen different tool/technology segments within the Java industry. The survey was designed to gather general market data including usage and developer sentiment on different developer tools—such as IDEs, Application Servers, Build Tools, Web Frameworks, DBs, Continuous Integration tools, Repositories and more. In addition, respondents were asked which IDE, build tool and alternative JVM language they would rather use or learn more about, regardless of their current technology stack.