PyCharm and Sonatype Nexus Repository - A Match Made in Heaven

May 01, 2019 By Sable Yemane

3 minute read time

For all you Python developers using IntelliJ’s PyCharm IDE, we have some great news -- as of version 3.15.0, Sonatype Nexus Repository natively supports PyCharm. With no additional configuration efforts, Python developers can have their IDE point to Sonatype Nexus Repository to retrieve a list of Python components available for download.

Not familiar with Sonatype Nexus Repository but intrigued by how it might make working with PyCharm even better? Keep reading - we’ve got you covered.

Already set up with a Sonatype Nexus Repository? All that needs to be done is to point PyCharm at your Python repository - and you’re ready to go.

1. Go to PyCharm > Preferences.

2. Go to Project > Project Interpreter > Install.

3. Go to Manage Repositories, then add your Sonatype Nexus Repository URL.

Now you can see a catalog of the available Python packages within Sonatype Nexus Repository.
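The catalog PyCharm shows is built from the repository's "simple" index pages (PEP 503), the same format pip reads. The script below is an added example, not code from the original post or from Sonatype: it parses one such project page into the list of offered versions and flags any file the index serves without a sha256 fragment, which is worth checking before trusting a proxy's catalog. The `nexus.example.com` host, the `pypi-group` repository name and the embedded sample page are constructed placeholders; it assumes a Nexus PyPI repository exposes the simple index under `<repository URL>/simple/`.

```python
"""Parse a PEP 503 "simple" index page, the format PyCharm and pip read
from a Python repository such as a Nexus PyPI group.

Added example, not from the original post or from Sonatype. Host name,
repository name and the sample page below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse
from urllib.request import urlopen

# Placeholder URL (assumption: the Nexus group serves its simple index here).
NEXUS_SIMPLE_URL = "https://nexus.example.com/repository/pypi-group/simple/"

# Constructed sample of one project page; the sha256 digests are fake.
SAMPLE_INDEX_HTML = """<!DOCTYPE html>
<html><head><title>Links for requests</title></head>
<body><h1>Links for requests</h1>
<a href="../../packages/requests-2.21.0-py2.py3-none-any.whl#sha256={h1}"
   data-requires-python="&gt;=2.7">requests-2.21.0-py2.py3-none-any.whl</a><br/>
<a href="../../packages/requests-2.21.0.tar.gz#sha256={h2}">requests-2.21.0.tar.gz</a><br/>
<a href="../../packages/requests-2.22.0-py2.py3-none-any.whl">requests-2.22.0-py2.py3-none-any.whl</a><br/>
</body></html>
""".format(h1="11" * 32, h2="22" * 32)


@dataclass
class Release:
    filename: str
    version: str
    sha256: Optional[str]           # None when the index gives no digest
    requires_python: Optional[str]


class _LinkCollector(HTMLParser):
    """Collects (link text, href, data-requires-python) for every <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._requires: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attr = dict(attrs)          # attribute values arrive unescaped
            self._href = attr.get("href")
            self._requires = attr.get("data-requires-python")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href, self._requires))
            self._href = None


_SDIST_EXTS = (".tar.gz", ".tar.bz2", ".zip")


def version_from_filename(filename: str) -> str:
    """Version is the second dash-field of a wheel, the last one of an sdist."""
    if filename.endswith(".whl"):
        return filename[:-4].split("-")[1]
    for ext in _SDIST_EXTS:
        if filename.endswith(ext):
            return filename[: -len(ext)].rsplit("-", 1)[1]
    raise ValueError(f"unrecognised distribution filename: {filename}")


def parse_simple_index(html: str) -> List[Release]:
    """Turn one project page into Release records, keeping any sha256 fragment."""
    collector = _LinkCollector()
    collector.feed(html)
    releases = []
    for text, href, requires in collector.links:
        fragment = urlparse(href).fragment
        digest = fragment[len("sha256="):] if fragment.startswith("sha256=") else None
        releases.append(Release(text, version_from_filename(text), digest, requires))
    return releases


def _version_key(version: str):
    # Numeric-aware ordering so 2.10 sorts after 2.9 (enough for X.Y.Z versions).
    return tuple((int(p), "") if p.isdigit() else (-1, p) for p in version.split("."))


def catalog(releases: List[Release]) -> Dict[str, List[str]]:
    """Version -> filenames: the view PyCharm presents as the package catalog."""
    out: Dict[str, List[str]] = {}
    for r in releases:
        out.setdefault(r.version, []).append(r.filename)
    return out


def latest_version(releases: List[Release]) -> str:
    return max((r.version for r in releases), key=_version_key)


def files_without_hash(releases: List[Release]) -> List[str]:
    """Files offered with no digest fragment, so the client cannot check them against the index."""
    return [r.filename for r in releases if r.sha256 is None]


def fetch_project_page(project: str, base_url: str = NEXUS_SIMPLE_URL) -> str:
    """Download a project's simple page (needs network; not used in the demo)."""
    normalized = re.sub(r"[-_.]+", "-", project).lower()   # PEP 503 name rule
    with urlopen(f"{base_url.rstrip('/')}/{normalized}/") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    found = parse_simple_index(SAMPLE_INDEX_HTML)
    for version, files in sorted(catalog(found).items(), key=lambda kv: _version_key(kv[0])):
        print(version, files)
    print("latest:", latest_version(found))
    print("no digest:", files_without_hash(found))
```

Run it as-is to see the constructed catalog; point `fetch_project_page` at the URL you added under Manage Repositories to inspect what your own repository actually serves for a given project.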


Wait - what is Sonatype Nexus Repository again? And, why should I care?

Sonatype Nexus Repository is your on-premises one-stop shop for downloading and uploading components and builds. It allows for the hosting of private repositories and also acts as a caching proxy for public repositories such as pypi.org.


When an organization has a central location for housing all of their applications’ dependencies, developers reap the benefits of both speed and convenience when building their applications. Instead of having a developer go out to the internet to download a package that has already been downloaded repeatedly by others on their team, they can simply get that cached package from the central repository while staying within the organization’s network. Taking into consideration that organizations can download upwards of 200,000 open source components annually, according to our 2018 State of the Software Supply Chain Report, the ability to retrieve cached components from a central location can save developers heaps of time - time better spent developing instead of downloading.

In addition to this, Sonatype Nexus Repository provides developers with the convenience of group repositories. With a group repository, components in both hosted and proxied repositories can be accessed through a single URL. You also have the ability to determine the order in which the group's member repositories are consulted when a component is requested. In most cases, you would want to resolve first from your hosted repositories, then from your proxied repositories.

Sonatype Nexus Repository brings order to the dependencies within your organization by overseeing and maintaining your applications’ dependencies. So, for organizations with a security or compliance initiative for their open source components, having a central repository is the first step towards a golden policy or ‘Holy Grail’. How do your developers currently know which versions of these components are vulnerable? Sonatype Repository Firewall takes you one step further by automatically blocking bad components from entering your software supply chain. Firewall stops open source risk at the front door and provides developers the visibility and data needed to enforce policies when proxying public repositories, securing your DevOps perimeter.


This does not require any extra work from the developer, as their workflow remains the same: simply have PyCharm point to the Sonatype Nexus Repository URL. If a dependency of the Python project violates the organization’s policy, that dependency will not be able to enter the application and the developer will be alerted that the component has been quarantined. Developers can look up the blocked component in Sonatype Nexus Repository to understand why it was blocked and how to resolve the issue (e.g. by upgrading to a non-vulnerable version).


To analyze the risk of your organization’s open source components, Sonatype Repository Firewall also provides a software bill of materials (SBOM) of your repositories. This bill of materials provides insight into which components violate which policies and which components have been quarantined. Python developers are embracing tools such as Sonatype Nexus Repository and Firewall to automatically enforce open source security and control how components flow across the entire development lifecycle.

With PyCharm support now available, your worries about complicated dependency management have rung down the curtain and joined the choir invisible.

Tags: python, Product, PyCharm, Sonatype Repository Firewall, Sonatype Nexus Repository

Written by Sable Yemane

Sable Yemane is a Sales Engineer at Sonatype focused on providing DevSecOps solutions to enterprises.