
Sonatype Blog

Stay updated on the latest news from the makers of Nexus

Nexus Repository Manager 3.5: Yum Proxy Support Now Available

Sonatype is pleased to announce the availability of Nexus Repository 3.5.0 OSS and Pro. This release adds support for Yum proxy repositories, and enhances the 2.x to 3.x upgrade process to support Firewall-enabled repositories.

Nexus 3.3 Delivers Free Next-Gen Repository Health Check and Git LFS Support

Sonatype is excited to announce the immediate availability of Nexus Repository 3.3 in OSS and Pro editions. What’s in this latest release? We’re glad you asked:


Next-Generation Repository Health Check

We first introduced Repository Health Check (RHC) in 2012. Now, every day we analyze over 80,000 repositories and 50 million components for our Nexus users.

Setting up a Secure, Private Nexus Repository

What an exciting first post, I’m sure. But it’s what I’m working on, I suppose.

A few things, first:

  • We’re using an LDAP server to identify team members.
  • LDAP and Nexus are on different domains (though, possibly, the same machine).
  • I’m not a system admin, so this is likely going to be painful.

Struts2 Exploited Again. Did Anyone Bother to Tell You?

This week we saw the announcement of yet another Struts 2 Remote Code Execution (RCE) vulnerability. What's notable about this instance is that POC code seems to have been released into the wild either just before, or immediately after, the disclosure. As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.

Whenever critical vulnerabilities emerge, attackers have the first-mover advantage. Therefore, the only thing that matters is speed:

  • How long before you even become aware?
  • How long does it take you to assess your exposure?
  • How quickly can you remediate the vulnerability?

In today's world, different companies utilize different tools and processes to manage open source governance and security risk within the software development lifecycle. Forward-leaning organizations empowered with DevOps-native intelligence will respond in hours or days. Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.

It's now been 3 days since the Struts2 fix and disclosure. Here's the official description available from the Mitre database as of Friday, March 10th:

Using Nexus 3 as Your Repository – Part 3: Docker Images

This is the third and last part of a series of posts on Nexus 3 and how to use it as a repository for several technologies. (Part 1. Part 2.)

Using Nexus 3 as Your Repository – Part 2: npm Packages

This is the second part of a series of posts on Nexus 3 and how to use it as a repository for several technologies. Also available is “Part 1, Maven Artifacts” by Rafael Eyng.

DevSecOps: Better Software, Faster

“The big problems are where people don't realize they have one in the first place.” - W. Edwards Deming, patron saint of DevOps.