Sonatype Introduces Next Generation Dependency Management | Press Release

blog-logo Sonatype Blog

Why Nexus Rocketed Beyond 60,000 Installs

November 05, 2015 By Derek Weeks

Another BIG Milestone

Active Nexus repository manager instances have grown to another record high. As of today, we surpassed the milestone of 60,000 active Nexus installations! And, YOU, our user community made it happen.

Untitled

With Nexus at the heart of software supply chains and everything continuous, we are excited about all of the great work being done across our user community. And while we continue to expand Nexus repository managers to cover more component and repository formats (recently adding Docker registry support to our growing list), we are thrilled to see our community contribute in new and innovative ways, including: Chef, CA, Microsoft, Cloudbees, Puppet, Rundeck, Gradle, and Google.

There are many great new enhancements coming to the Nexus portfolio in the months ahead, including Nexus Firewall (coming very soon...catch the webinar here).

While we are very excited about this growth and new products to come, we have more important news about your current Nexus repository managers to share with you, and I urge you to read on. For any readers with a keen interest in the installed base growth numbers, we’ll share more at the end of this blog.

Catch Defects Early, Build Quality In

I am a huge fan of Dave Farley and Jez Humble’s book, Continuous Delivery. The techniques described in their book repeatedly echo Edward Deming’s motto of “build quality in”. You see, Deming understood that the earlier you catch defects, the cheaper they are to fix. And to paraphrase Dave and Jez, “Defects are fixed most cheaply if they are never checked into version control [or your repository manager] in the first place”.

Once defects are found, the next step is to fix them. And the more disciplined a development team is at fixing a defect, the more time they will have to spend on innovation as less unscheduled, unplanned work is required.

Is Your Well Clean?

Repository Health Check is a feature of all Nexus repository managers specifically built to identify defects early. Each day, development, operations, and architect leads can view an inventory of defective components in their repositories. These defects range from known security vulnerabilities, to risky license types, to vastly outdated versions of components available to development teams and their build tools. Sonatype runs Repository Health Check reports across more than 15,000 Nexus installations daily -- analyzing over 30,000,000 components for known defects.

Screen Shot 2015-11-04 at 2.05.05 PM

You see, repository managers are often the first point of entry for third-party open source and proprietary components requested by developers and common tools like Maven, Jenkins, Gradle, etc. By detecting defects early, these teams can begin identifying alternative components or component versions on which to standardize.

Just how many defects are we talking about? We recently analyzed thousands of repository managers that contained more than 500 components and found a high number of defective components being electively downloaded. Over a recent three month period, an average of nearly 70 new components with known security defects (i.e., assigned CVEs) flowed into the each repository. That is about one each workday for each repo. If you only include those with a CVSS score of 5 or greater (Heartbleed was a CVSS 5) – downloads into each repo averaged 16 per month.

The reality is: if you are using an Archiva, Artifactory, or Nexus repository manager, you likely have a high number of defective and vulnerable components flowing into your software development lifecycle. If you are using the commercial version of Nexus, be sure to turn on your Repository Health Check to have the visibility to find and replace defective components.

Better Decisions, Faster Fixes

While defective components are likely hosted in your repository manager today, if you use Nexus Repository (commercial version), there is also an approach to “fix” them, or at least identify higher quality alternatives.
The Component Info tab (available in commercial versions of Nexus repository managers) displays the security and licence information available for a specific component. It is available in browsing or search results when you select a component in the repository tree view or search results list. An example search for Jetty, with the Component Info tab visible, is seen below. It displays the results from the License Analysis and any found Security Issues.

Screen Shot 2015-11-04 at 1.54.02 PM

The Component Information Panel, or CIP (another feature of commercial Nexus repository managers) drills in deeper to provide everything you need to know about a component. Looking at the image below, you’ll notice two sections. On the left, details about the specific component are provided. On the right, the graph provides a wide variety of information across all available versions of that specific component.including popularity, license, or security issues. Use the slider to select a different version in the graph, and the details on the left will update.

Screen Shot 2015-11-04 at 1.55.49 PM

With instant access to information about all alternative versions of a component available to developers, safer components with fewer known defects are easy to find. Defective components hosted in the repository are now easier to find and avoid.

More About the Numbers (Nexus Surpasses 60,000 Active Instances)

As the stewards of the Central Repository, Sonatype is able to identify repository managers that are requesting components via the details captured in the logs. Log data is then bucketed for each week of the year and analyzed to count the number of unique IP / User-Agent combinations for the three primary repository managers (Archiva, Artifactory and Nexus). Because these are caching repositories, there are days when no requests need to be made, so a daily aggregation would under-report actual usage. Additionally, because IP addresses can change, aggregating across too long a timeframe can result in over-reporting. The weekly timeframe still appears to mildly under report, but it is therefore also a conservative methodology and strikes the right balance.

The chart “2012 – 2015 Repository Manager Usage Trends” (above), is rather telling. The X-axis represents months since February 2012. The Y-axis is a four week moving average of the repository manager instance counts using the methodology outlined above. The mild variability from week to week stems from the caching effects of repository managers, which allow them to operate out of contact of Central for periods of time, occasionally not being counted in a given week.

The most common repository manager is Sonatype’s Nexus with 61,600 instances as of October 2015. This is nearly 7x the second most common, Artifactory. It is also the fastest growing by number of active instances connecting to Central, seeing an increase of 100% since December 2013.

What’s in Your Repo?

Hurricane forecasts are useless if everyone ignores them. The information shared above offers you a simple way to get your initial forecast of defect counts available in your Nexus repository manager. The basic Repository Health Check is free for all versions of Nexus repository managers. If you administer your repository, take a minute to turn on this feature. If you are not the administrator, take that minute to share this blog post with them. The more we build awareness of what components are flowing into our organization the better we will all be at “building quality in”.

Tags: Nexus vs. Artifactory, Software Supply Chain, Nexus OSS, Archiva vs. Nexus, Nexus Firewall, rundeck, Docker, Private Docker Registry, Nexus Repository, Continuous Delivery, Chef, Artifactory vs. Nexus, puppet, Devops, Nexus vs. Archiva

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.