2018 has seen a new breed of dependency scanners come onto the scene. These 'manifest'-driven scanners plug directly into source code control systems like GitHub, and we're seeing them in IDEs as well. The scanner inspects a pom.xml or a package.json, calculates the dependency tree, and then reports any vulnerabilities known to the dataset behind that scanner. We, at Sonatype, couldn't have been happier to see this new trend, as it completely validated the vision and innovation we brought to this space over five years ago.
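To make the manifest-driven approach concrete, here is a toy scanner in the same shape: read a package.json and a pom.xml, build the list of components and versions, and match them against a vulnerability dataset. This is an added example, not Sonatype's code or any real scanner; the manifests, the lockfile, the vulnerability IDs (EXAMPLE-000x) and the affected ranges are all constructed for illustration. One caveat it deliberately shows: a package.json only declares direct dependencies as version ranges, so resolved versions and transitive dependencies have to come from the lockfile (package-lock.json v2 format assumed here), and a pom.xml likewise lists only direct dependencies, so a manifest-only scan of Maven will miss anything pulled in transitively.

```python
"""Toy manifest-driven dependency scanner (added example, not Sonatype's code)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed vulnerability dataset. IDs and ranges are made up for the example;
# a real scanner would consult an advisory feed such as the NVD or a vendor dataset.
VULN_DB = [
    {"id": "EXAMPLE-0001", "eco": "npm", "pkg": "lodash", "affected": "<4.17.12"},
    {"id": "EXAMPLE-0002", "eco": "maven",
     "pkg": "com.fasterxml.jackson.core:jackson-databind", "affected": ">=2.9.0,<2.9.9"},
    {"id": "EXAMPLE-0003", "eco": "npm", "pkg": "minimist", "affected": "<0.2.1"},
]

# Constructed sample inputs (not real project files).
PACKAGE_JSON = '{"name": "demo-app", "dependencies": {"lodash": "^4.17.4", "express": "^4.16.0"}}'
PACKAGE_LOCK = '''{
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"lodash": "^4.17.4", "express": "^4.16.0"}},
    "node_modules/lodash": {"version": "4.17.4"},
    "node_modules/express": {"version": "4.16.4"},
    "node_modules/minimist": {"version": "0.0.8"}
  }
}'''
POM_XML = '''<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.9.8</jackson.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.25</version>
    </dependency>
  </dependencies>
</project>'''


def parse_version(v):
    """Turn '4.17.4' into (4, 17, 4); non-numeric parts become 0 (toy semver)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_affected(version, spec):
    """Evaluate a comma-joined spec like '>=2.9.0,<2.9.9' against a concrete version."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(<=|>=|<|>|==)(.+)", clause.strip())
        if not m or not ops[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def npm_components(package_json_text, lockfile_text):
    """Resolved versions come from the lockfile; package.json only says what is direct."""
    direct = set(json.loads(package_json_text).get("dependencies", {}))
    comps = {}
    for path, entry in json.loads(lockfile_text).get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        name = path.split("node_modules/")[-1]
        comps[name] = {"version": entry["version"], "direct": name in direct}
    return comps


def _local(tag):
    """Strip the POM XML namespace: '{http://maven.apache.org/POM/4.0.0}version' -> 'version'."""
    return tag.rsplit("}", 1)[-1]


def maven_components(pom_text):
    """Direct dependencies only: a pom.xml does not list the transitive tree."""
    root = ET.fromstring(pom_text)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            props = {_local(c.tag): (c.text or "").strip() for c in node}
    comps = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        # Expand ${property} references such as ${jackson.version}
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                         f.get("version", ""))
        comps[f"{f['groupId']}:{f['artifactId']}"] = {"version": version, "direct": True}
    return comps


def scan(eco, components):
    """Return (package, version, vuln id, 'direct'|'transitive') for every match."""
    findings = []
    for pkg, info in sorted(components.items()):
        for v in VULN_DB:
            if v["eco"] == eco and v["pkg"] == pkg and is_affected(info["version"], v["affected"]):
                findings.append((pkg, info["version"], v["id"],
                                 "direct" if info["direct"] else "transitive"))
    return findings


if __name__ == "__main__":
    for f in scan("npm", npm_components(PACKAGE_JSON, PACKAGE_LOCK)):
        print("npm", *f)
    for f in scan("maven", maven_components(POM_XML)):
        print("maven", *f)
```

Run as-is it reports lodash (direct) and minimist (transitive) on the npm side and jackson-databind on the Maven side; minimist is the point of the exercise, since it never appears in package.json and would be invisible to a scanner that stops at the manifest. Real version matching is considerably harder than the tuple comparison above (pre-release tags, Maven version qualifiers, npm range semantics), which is one reason the dataset behind a scanner matters as much as the parser in front of it.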
We were happy because we were the first ones to flip this problem on its head. While other companies were selling security feeds to security teams, we felt the best way to solve this problem was to empower the developers at construct and build time. Our bet was that if we put the information developers needed right in the tools they already use, like IDEs and CI systems, they would naturally gravitate to doing the right thing. So seeing so many more developers getting this kind of feedback tells us our bet was correct, while raising awareness across a much larger audience.
As I approach my four-year anniversary here at Sonatype, I can reflect back. In my first year, we had to do a lot of education as to why this was even a problem that needed to be addressed. In years two and three, we saw analysts starting to do that education for us, as they embraced 'software composition analysis' as an important new discipline in the emerging DevSecOps world. Their reports drove adoption within large corporate IT shops. This year, we're seeing exponential growth with our original target audience, the developers themselves, and no one is happier about that than all of us at Sonatype.