Maven Central Repository has made the biggest change to its platform since its inception.
Hosted by Sonatype, Maven Central Repository is one of the largest Java repositories in the world. It has helped countless Java developers download and manage their projects' dependencies.
Several changes have been made to our website to help developers find the right open-source components to include in their builds, including ways to identify which of those components are safe.
Improved user experience
Maven Central has moved from search.maven.org to central.sonatype.com in order to improve security and vulnerability detection for the consumer.
A new and modern design will make it easier for developers to know which components are better suited for their build and help them make better decisions at a glance. The new website showcases more community-driven information such as "Most Popular Packages used in the Last 90 days," "Popular Categories of Searches," and even how many times a package has been installed and used in other projects. All of these are crucial in helping to determine which components are safer to use.
Previous Home Page interface:
New Home Page interface:
On top of these visual upgrades, additional capabilities have been added to the backend to improve how components can be filtered in the search function.
Dependency and version safety: BOM Doctor
The first of these is the integration of BOM Doctor. With BOM Doctor, Java developers can view the overall health of their direct and transitive dependencies visually. BOM Doctor's mission is to make dependency hygiene easier by helping developers improve the health of their applications. The integration gives developers a window into the version safety of a package before they install it.
Project safety: Sonatype Safety Rating
Another helpful feature that has now been integrated into Maven Central Repository is the Sonatype Safety Rating. This aggregate rating estimates the likelihood of an open-source project containing security vulnerabilities.
Projects are rated on a 1-10 scale, with 1 being the least safe and 10 being the safest. The more confident the model is that a project will not contain vulnerabilities, the higher the rating.
The model is based on empirical research conducted by the Sonatype Research Team. The team analyzed thousands of projects and found a strong correlation between the Safety Rating and the presence of vulnerabilities: 88% of projects scoring below 5 had existing known vulnerabilities. Including this metric in Maven Central gives developers a deeper understanding of, and greater confidence in, a component so they can make informed decisions.
How will this change affect APIs?
Many developers may wonder how these changes will affect their API connection to search.maven.org. Developers can be reassured that these upgrades have no effect on the APIs: the changes only affect people using the website directly. They have been carefully considered, and any API requests reaching the website will be redirected back to search.maven.org so as not to disrupt existing workflows.
With these upgrades to Maven Central, developers can enjoy a more secure online experience when building their projects. In turn, these changes should help strengthen the software supply chain for the open-source ecosystem, allowing developers to worry less about the security of their projects and spend more time building new, unique projects that drive change in the world.