Sonatype Lifecycle boosts open source security and dependency management

January 13, 2023 By Audra Davis-Hurst


Is there such a thing as the perfect development workflow? We believe there is. We also think that Sonatype Lifecycle is one of the secrets to achieving it. 

Sonatype Lifecycle improves workflows by helping to shift the development process left. It’s designed to continuously monitor for problems at every stage of the software development life cycle (SDLC) and automatically address them. And with software supply chain attacks up 742% since 2019, prioritizing the health of your SDLC is more critical than ever.

What are the benefits of Sonatype Lifecycle for developers?

If there’s one thing developers hate, it’s security issues that distract them from their jobs. It shouldn’t be surprising that developers are more satisfied when they have tools

Depending on the language used, applications can pull in hundreds, or even thousands, of transitive dependencies that developers might not be aware of. And some of those will likely put their application at risk and create future technical debt.

Sonatype Lifecycle helps prevent this by:

  • Helping to control risk from one location and integrating with the most popular development tools.
  • Allowing teams to run anywhere they need, whether their preference is in the cloud, on-premises, or in a disconnected environment.
  • Giving developers the tools they need to choose healthier open source components.
  • Using policy-driven scans that highlight issues early, before they block a production build.
  • Allowing development teams to spend less time researching risky dependencies.
  • Integrating with GitHub, GitLab, and Atlassian Bitbucket to automatically generate pull requests for components that violate open source policies.

Even if your team chooses not to use automated remediation, Sonatype Lifecycle’s enhanced comparison functionality can help them quickly compare and evaluate components.

What are the benefits of Sonatype Lifecycle for security teams?

Discovering and immediately addressing risk earlier in the development process isn’t just a boon for developers. How much time does your organization spend on manual compliance checks? If you’ve ever thought about how there has to be a better way, we’ve got great news: there is.

Sonatype Lifecycle helps security teams by:

  • Generating a precise Software Bill of Materials (SBOM) in minutes, helping root out project vulnerabilities.
  • Creating custom security, license, and architectural policies based on application type or organization.
  • Reducing the need for manual compliance checks by automatically enforcing policies across every stage of the software development life cycle.
  • Alerting teams of new vulnerabilities based on risk level and the applications affected.
  • Demonstrating risk reduction to senior management with reporting options that show violation trends over time and how quickly they are being remediated.
  • Improving incident response times and preventing embarrassing situations where an organization isn’t aware they’re using vulnerable components, like Log4j.

Automate legal compliance across the software development life cycle (SDLC)

For many, staying up to date with legal compliance is a task that sucks up precious time and resources that could be better used elsewhere. Sonatype Lifecycle’s Advanced Legal Pack add-on instantly streamlines OSS license compliance and automates the collection, compilation, reporting, and remediation of OSS legal obligations. It can essentially eliminate manual work and drastically improve productivity in the process.


Sonatype Lifecycle is constantly evolving

Supply chain attacks will continue to evolve, and so will we. Sonatype is continuously updating and adding new features to Sonatype Lifecycle.

Data Insights

Data Insights are now available to all Lifecycle customers. This new feature aims to drive future product capabilities around data. It uses billions of data points from the Sonatype Community, the open source community, and other customers to provide a new perspective on open source consumption patterns and technologies within your organization.

Data insights can help kickstart conversations about how, when, and why an organization consumes open source components to implement better governance policies.

Other features added to Sonatype Lifecycle in 2022

Dependency Tree Visualization for components and the entire application.
Dependency Tree Visualization provides development teams with a graphical view that makes identifying and tracing vulnerable libraries easier. The program shows the relationship between direct and transitive dependencies, reducing time spent on research and remediation efforts. It also allows for fast prioritization of components that can be resolved by upgrading.

Users with Sonatype IQ Server version 132 and above can access the Dependency Tree page. This view displays the Direct and Transitive components of the report as a dependency tree sorted by threat level.

A version explorer for InnerSource components, using integration with Sonatype Nexus Repository. Organizations that use Sonatype Nexus Repository Manager 3 as their InnerSource code repository can integrate the Sonatype IQ Server with the repository to view version data of InnerSource components. This data will be available in the Version Explorer graph on the component details page, which improves the remediation of issues.

Advanced search enhancement.
Sonatype Lifecycle’s search tool can now find all components in your SDLC, not just those marked with a vulnerable status.

Advanced search enhancement helps improve maintainability by:

  • Showing developers what components the organization is already using.
  • Allowing developers to identify software categories (telemetry, logging, or authentication) and resolve compatibility issues.
  • Helping developers find and resolve issues beyond violations. They can now look at compatibility, less-than-ideal licenses, or yet-to-be-published CVEs.

The ability to waive violations for all versions of a component.
Teams can create waivers for all component versions rather than just a specific release.

Waive All Versions helps developers by:

  • Reducing distractions for known issues.
  • Freeing up energy spent on managing waivers.

Policy enforcement overrides.
Sonatype Lifecycle now lets you override corporate policy settings when onboarding new projects. This allows users to adapt policy enforcement to the needs of specific projects.

On top of added flexibility, policy waivers provide all necessary tracking to ensure that the right controls are maintained. Policy Enforcement Override enables customers to onboard applications at scale while continuing to build software.

Custom expiration dates for Policy Waivers.
This feature adds the flexibility of configuring custom expiration dates for policy waivers from the ‘Add Waivers’ page. Previously, this could only be done by using the Policy Waivers API. Automatic application creation can now also specify which organization to use.

Vulnerability ID alias.
Users no longer have to worry about which ID Sonatype has used to catalog a vulnerability. If a previously logged vulnerability eventually gets a CVE ID, both IDs will return the same information.

Additional security policy conditions (CWE).
Policies can now be designed to specifically target a category of vulnerability. For example, a user could assign a higher policy threat level to vulnerabilities categorized as CWE-89: ‘SQL Injection’.

Additional Policy Evaluation summary info in plugins.
To help spot potential misconfigurations, the analysis plugins show the total number of evaluated components in the summary. This is available for: 

  • Jenkins
  • Azure DevOps
  • Bamboo
  • Maven plugins

An all-waivers dashboard view.
Based on filter selections, this view shows all existing waivers applied at the same or higher hierarchy level.

This can be filtered to deliver a customized list that applies to:

  • Specific organizations.
  • Applications and application categories.
  • Policy types and policy threat levels. 
  • Expiration dates (only available in waivers view).

Additional security policy conditions (vulnerability groups).
The Vulnerability Group REST API allows users to group multiple vulnerability IDs, CVEs, and Sonatype vulnerability IDs into custom groups. These can then be used as a condition within a policy constraint to aid in risk management and remediation.
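The policy features described above (custom waiver expiration dates and all-versions waivers, vulnerability ID aliases, CWE-based policy conditions, and vulnerability groups used as policy constraints) can be illustrated with a small self-contained policy evaluator. The code below is an added example written for this post, not Sonatype's code or an approximation of the IQ Server API; the catalogue, vulnerability IDs (placeholders such as CVE-0000-0001 and VENDOR-2022-0001), component list, policy names and group names are all constructed for the illustration. It shows how an alias resolves to the same record as the primary ID, how a policy can match on CVSS, a CWE category or group membership, and how a waiver with a scope and expiry suppresses a violation only while it is valid.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed catalogue: each vulnerability is stored once under its primary ID.
# ALIASES maps any other identifier (e.g. a vendor ID issued before a CVE existed)
# to that primary ID, so either ID returns the same record. IDs are placeholders.
CATALOG = {
    "CVE-0000-0001": {"cwe": "CWE-89", "cvss": 9.8},
    "CVE-0000-0002": {"cwe": "CWE-79", "cvss": 6.1},
    "CVE-0000-0003": {"cwe": "CWE-502", "cvss": 9.0},
}
ALIASES = {"VENDOR-2022-0001": "CVE-0000-0001"}  # constructed pre-CVE identifier


def canonical(vuln_id: str) -> str:
    """Map an ID or any alias of it to the primary catalogue ID."""
    return ALIASES.get(vuln_id, vuln_id)


def lookup(vuln_id: str) -> dict:
    """Resolve an ID or any of its aliases to the same catalogue record."""
    return CATALOG[canonical(vuln_id)]


# Vulnerability groups: named sets of IDs (aliases allowed) usable as a policy condition.
GROUPS = {"watchlist": {"CVE-0000-0003", "VENDOR-2022-0001"}}


def in_group(vuln_id: str, group: str) -> bool:
    """Group membership is decided on canonical IDs, so aliases never slip through."""
    return any(canonical(m) == canonical(vuln_id) for m in GROUPS[group])


@dataclass
class Policy:
    name: str
    threat_level: int              # 0-10, higher is more severe
    min_cvss: float = 0.0          # minimum CVSS score to match
    cwe: Optional[str] = None      # restrict to one CWE category
    group: Optional[str] = None    # restrict to members of a vulnerability group

    def matches(self, vuln_id: str) -> bool:
        rec = lookup(vuln_id)
        if rec["cvss"] < self.min_cvss:
            return False
        if self.cwe is not None and rec["cwe"] != self.cwe:
            return False
        if self.group is not None and not in_group(vuln_id, self.group):
            return False
        return True


@dataclass
class Waiver:
    policy: str
    component: str
    version: Optional[str]   # None waives all versions of the component
    expires: Optional[str]   # ISO date; None means the waiver never expires

    def covers(self, policy: str, component: str, version: str, today: str) -> bool:
        if policy != self.policy or component != self.component:
            return False
        if self.version is not None and self.version != version:
            return False
        if self.expires is None:
            return True
        return date.fromisoformat(today) <= date.fromisoformat(self.expires)


# Constructed policies: a severity threshold, a CWE-category rule, and a group rule.
POLICIES = [
    Policy("Critical", 9, min_cvss=9.0),
    Policy("SQLi-any-severity", 10, cwe="CWE-89"),
    Policy("Watchlist", 8, group="watchlist"),
]

# Constructed SBOM-like component list: (name, version, vulnerability IDs found).
COMPONENTS = [
    ("db-driver", "1.2.0", ["VENDOR-2022-0001"]),
    ("template-lib", "3.0.1", ["CVE-0000-0002"]),
    ("serializer", "2.4.0", ["CVE-0000-0003"]),
]


def evaluate(components, policies, waivers, today: str):
    """Return unwaived (threat_level, policy, component, version, vuln_id) tuples,
    highest threat level first, so the most urgent violations surface at the top."""
    findings = []
    for name, version, vuln_ids in components:
        for vid in vuln_ids:
            for pol in policies:
                if not pol.matches(vid):
                    continue
                if any(w.covers(pol.name, name, version, today) for w in waivers):
                    continue
                findings.append((pol.threat_level, pol.name, name, version, vid))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    waivers = [Waiver("SQLi-any-severity", "db-driver", None, "2023-03-01")]
    for finding in evaluate(COMPONENTS, POLICIES, waivers, "2023-01-13"):
        print(finding)
```

Note that the same `db-driver` finding trips three policies at once; sorting by threat level is what lets a team act on the CWE-89 rule first. Rerunning `evaluate` with a later `today` value shows the expired waiver dropping out and the suppressed violation reappearing, which is the behaviour a custom expiration date is meant to give.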

Fast Track and Deep Dive labels for security research.
Lifecycle’s security research goes through two processes. The first is known as Fast Track research, which aims to get accurate data as quickly as possible to users.

Deep Dive research is conducted after Fast Track and includes more information such as:

  • Remediation instructions. 
  • Detailed explanations. 
  • Individual file and method implications.

Lifecycle's interface will now clearly indicate when vulnerability details are in the Fast Track or Deep Dive state. Additionally, Lifecycle now provides new policy constraints for users that want to prioritize remediation against one of these research states.

Getting started with Sonatype Lifecycle

New to Lifecycle? Sonatype offers plenty of documentation on getting started and best practices.

Further questions about how Lifecycle can help your organization achieve its perfect development workflow? Our experts are always ready to talk. Book a demo today.
This post was co-written by Nitin Phadnis.

Tags: secure software supply chain, Open Source, Sonatype Platform, Sonatype Lifecycle

Written by Audra Davis-Hurst

Audra is a content creator diving into the depths of open source and software supply chain management. In her spare time, she loves hanging out with her friends and family, snuggling her circus of pets, reading, and playing video games.