Sonatype Blog

PyCharm and Nexus Repository Manager - A Match Made in Heaven

May 01, 2019 By Sable Yemane

For all you Python developers using IntelliJ’s PyCharm IDE, we have some great news -- as of version 3.15.0, Nexus Repository Manager (NXRM) natively supports PyCharm. With no additional configuration, Python developers can point their IDE at NXRM to retrieve a list of the Python components available for download.

Not familiar with NXRM but intrigued by how it might make working with PyCharm even better? Keep reading - we’ve got you covered.

Already set up with an NXRM? All you need to do is point PyCharm at your NXRM Python repository - and you’re ready to go.

Go to PyCharm > Preferences

Project > Project Interpreter > Install

Go to Manage Repositories, then add your NXRM URL.

Now you can see a catalog of the available Python packages within NXRM.
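The URL you give PyCharm’s Manage Repositories dialog is the same PEP 503 “simple” index URL that pip uses, so it is worth making sure command-line installs go through NXRM too. The following added example (not code from the original post or from Sonatype) renders a pip.conf that resolves only from an NXRM PyPI group and audits an existing pip.conf for settings that would bypass the repository; the host name and repository name are assumed placeholders.

```python
"""Render and audit a pip.conf so every install resolves through NXRM."""
import configparser
from io import StringIO
from urllib.parse import urlparse

# Assumed placeholder: NXRM serves the PEP 503 index for a pypi
# repository (here a group named pypi-group) under /repository/<name>/simple.
NXRM_INDEX = "https://nexus.example.internal/repository/pypi-group/simple"


def render_pip_conf(index_url: str = NXRM_INDEX) -> str:
    """Return a pip.conf whose only index is the NXRM group URL."""
    cfg = configparser.ConfigParser()
    cfg["global"] = {"index-url": index_url}
    buf = StringIO()
    cfg.write(buf)
    return buf.getvalue()


def audit_pip_conf(text: str, allowed_host: str) -> list[str]:
    """Return findings for each way the config could skip the repository."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    glob = cfg["global"] if cfg.has_section("global") else {}
    index = glob.get("index-url")
    if not index:
        return ["no index-url: pip defaults to pypi.org directly"]
    parsed = urlparse(index)
    if parsed.scheme != "https":
        findings.append(f"index-url is not https: {index}")
    if parsed.hostname != allowed_host:
        findings.append(f"index-url host {parsed.hostname} is not {allowed_host}")
    # extra-index-url and find-links add sources pip consults besides NXRM.
    for url in (glob.get("extra-index-url") or "").split():
        findings.append(f"extra-index-url bypasses repository: {url}")
    for src in (glob.get("find-links") or "").split():
        findings.append(f"find-links bypasses repository: {src}")
    return findings


# Constructed sample: a developer added pypi.org as a second index.
SAMPLE_BYPASS = """[global]
index-url = https://nexus.example.internal/repository/pypi-group/simple
extra-index-url = https://pypi.org/simple
"""

if __name__ == "__main__":
    print(render_pip_conf())
    print(audit_pip_conf(SAMPLE_BYPASS, "nexus.example.internal"))
```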


Wait - what is NXRM again? And, why should I care?

NXRM is your on-premises one-stop shop for downloading and uploading components and builds. It allows for the hosting of private repositories and also acts as a caching proxy for public repositories such as pypi.org.


When an organization has a central location for housing all of its applications’ dependencies, developers reap the benefits of both speed and convenience when building their applications. Instead of having a developer go out to the internet to download a package that has already been downloaded repeatedly by others on their team, they can simply get that cached package from the central repository while staying within the organization’s network. Taking into consideration that organizations can download upwards of 200,000 open source components annually, according to our 2018 State of the Software Supply Chain Report, the ability to retrieve cached components from a central location can save developers heaps of time - time better spent developing instead of downloading.

In addition to this, NXRM provides developers with the convenience of group repositories. With a group repository, components in both hosted and proxied repositories can be accessed through a single URL. You can also determine the order in which a group repository resolves components from its members. In most cases, you would want to resolve from your hosted repositories first and then from your proxied repositories.

NXRM brings order to the dependencies within your organization by overseeing and maintaining your applications’ dependencies. So, for organizations with a security or compliance initiative for their open source components, having a central repository is the first step towards a golden policy, or ‘Holy Grail’. How do your developers currently know which versions of these components are vulnerable? Nexus Firewall takes you one step further by automatically blocking bad components from entering your software supply chain. Firewall stops open source risk at the front door and provides developers the visibility and data needed to enforce policies when proxying public repositories, securing your DevOps perimeter.

This does not require any extra work from the developer, as their workflow remains the same: simply have PyCharm point to the NXRM URL. If a dependency of the Python project violates the organization’s policy, that dependency will not be able to enter the application and the developer will be alerted that the component has been quarantined. Developers can look up the blocked component in NXRM to understand why it was blocked and how to resolve the issue (e.g. upgrade to a non-vulnerable version).


To analyze the risk of your organization’s open source components, Nexus Firewall also provides a software bill of materials (SBOM) for your repositories. This bill of materials shows which components violate which policies and which components have been quarantined. Python developers are embracing tools such as Nexus Repository and Nexus Firewall to automatically enforce open source security and control how components flow across the entire development lifecycle.

With PyCharm support now available, your worries of complicated dependency management can be rung down the curtain and join the choir invisible.

Tags: Nexus Repository, nexus repository manager, python, NXRM, featured, Product, PyCharm

Written by Sable Yemane

Sable Yemane is a Sales Engineer at Sonatype focused on providing DevSecOps solutions to enterprises.