Sonatype's OSS Index is a free catalog of open source components and scanning tools used by developers worldwide to help identify vulnerabilities, understand risk, and keep their software safe. We've decided to add even more component, vulnerability and remediation data, so that our users can easily find, understand, and choose the best components.
We see ourselves as a community working together to enable faster innovation in the safest way possible. The newest component intelligence is a direct result of engaging with developers like yourself to build open source tools that are worth using.
Our free OSS data now includes:
- Version history
- Catalog date
- Better descriptions
- Declared licenses (where available)
We've also updated the interface, making it easy to find all of the information you need to remediate known vulnerabilities in the most popular ecosystems. Best of all, it's still all free!
How can this information help development teams?
Often when developers find vulnerabilities in their projects the next steps are unknown. The questions that arise are:
- What is the risk associated?
- Is there a fix?
- What's the level of effort (LOE) to implement the fix?
- Can it wait till later?
Without additional component and vulnerability details, answering these questions takes a lot of manual research and effort.
We've specifically added component details to make your life easier and save you time and effort with:
- With the addition of component version history, you can immediately see which versions have vulnerabilities, along with their severity, and quickly identify upgrade/downgrade paths.
- The catalog date gives insight into the timeline of versions as we learn about them.
- The CVSS vector for a vulnerability is now in a human-readable format, so you can evaluate the impact of the vulnerability on your projects.
To learn more about things like "why should I care about a declared license" or "how can I use these tools in continuous monitoring", make sure you attend our upcoming webinar.
Join us on Wednesday 9/23 @ 2pm EST/11am PST for a quick glimpse into using the new data to enhance your component selection and build safer, higher-quality applications from the start.
Need DevSecOps at scale?
OSS Index and the associated tools are and always will be free to the community. The data we gather is derived from public sources, and does not include human curated intelligence nor expert remediation guidance. Software development teams who want to scale this information, and automate open source governance with precise, curated, and highly actionable intelligence across their entire software development life cycle (SDLC) should check out the Sonatype Platform.