Vor Security brings OSS Index to Sonatype

June 29, 2017 By Brian Fox

2 minute read time

Our data research team is always on the lookout for ways to expand Nexus Lifecycle’s coverage with new sources and feeds of data. A little under a year ago, we stumbled across OSS Index.netInitially we were intrigued by the coverage into ecosystems we had not yet fully researched. However, as we opened up a dialog and engaged in a formal relationship with Ken Duck, founder and CEO of Vor Security, the company behind OSS Index, it became apparent that this was not just another run of the mill data aggregation feed.

What most people don’t realize is that so much of the reported data in places like NVD is often lacking sufficient details to be truly precise and actionable. Sometimes it’s even incorrect.


Security research is a specialized skill that requires a deep understanding of attack methods combined with software engineering expertise. Recognizing mistakes in reported information requires this unique skill set and can’t be fully automated. At the end of the day, a human is required to interpret the results and to ultimately determine where the vulnerability occurs. If your vendor isn’t doing this for you, then it falls to your team to deal with sifting through all the noise.

Like Sonatype, Vor understands the subtle deficiencies in the feeds commonly used by other tools and undertook an effort to produce an efficient way to correct the data and make it useful to downstream consumers. Their approach to this solution involved processes and insights that were very much aligned with our own that ultimately lead to a human curation element as the final arbiter. Vor approached the vulnerability correction and assignment from the project to the components, which is exactly opposite of the Sonatype approach of finding the vulnerable code and tracking it back to the released component.  By merging the top down and bottom up approaches, we can significantly increase our vulnerability coverage.

Sonatype’s roots are in open source, starting with the early days of Apache Maven. In addition to being the providers and caretakers of The Central Repository for over 10 years, the creation of M2Eclipse and many others, we have long made our tooling such as Nexus Repository Manager available to open source projects and forges for free. This desire to do the right thing by the community, to make a difference, and leave things better than we found them is another common bond we share with Vor Security.

Bringing Vor into the Sonatype fold will immediately allow us to increase ecosystem coverage and OSS Index provides us a platform to accelerate innovation in the area of open source security research. We are pleased to welcome Vor Security to Sonatype.

Tags: vulnerability, Everything Open Source, #OSSsecurity, Extended Coverage, Vor Security, ossindex.net, News and Views

Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.