The path forward for the Sonatype Platform
Central downloads are up, way up, to 146 billion downloads in 2018.
So began Brian Fox's presentation at this year's Nexus User Conference. For comparison, there were fewer than 500 million downloads ten years ago, which seemed like a lot at the time. We continue to take the stewardship of Central, and its security, quite seriously. It is a big focus of the hidden innovation that goes on at Sonatype.
Why does this increase matter so much? It tells us developers are continuing to adopt open source at exponential rates. But we also know that not all components are created equal, and that most companies don't know which open source components are being brought into their house. Often they don't even know how much is being brought in.
The desire to better manage OSS is growing, though. We're seeing double- and triple-digit growth across usage, Sonatype Nexus Repository instances, scans, and daily apps under management in Sonatype Lifecycle and Sonatype Auditor: all up.
All of this growth means we're focused on a ton of improvements across the backend of the Sonatype Platform to support customer innovation. We release quite regularly, to all products: 33 releases so far this year. While all of these releases have tangible benefits to the user ("We don't believe in shelfware," says Brian), these improvements don't always get the publicity they deserve. That's why we want to make sure we're sharing them with you again here.
Among the new releases:
- Maven Search and a new product, DepShield, both grew from Improvement Day projects in 2018. This year already, 511 teams have demoed project ideas that may be integrated to enhance cloud-native component and vulnerability search functionality. Working prototypes will make their way to Sonatype Labs for beta testers who "don't mind the occasional sharp edges."
- A partnership with HackerOne now provides a safe place for zero-day reporting inside Central. Reporting a vulnerability is now easier, and the whole community benefits.
- Another lab tool, LORT (License Obligation Research Tool), tracks artifacts from 500+ ecosystems. This tool helps users annotate, correct, and highlight context-specific policy conflicts.
- Meanwhile, Sonatype IQ Server builds on Python application reports in Sonatype Repository Firewall to offer highly curated lock files and to produce a full software bill of materials (SBOM).
- Users also benefit from enhanced Dashboards offering multiple category views of component data. These reports are particularly useful for executives monitoring policy violations and vulnerabilities. Data retention and purging is now possible, as is automated audit and violation logging.
- Additionally, container webhooks and other integrations (Atlassian Bitbucket, GitLab) are live, too. So is a very useful Chrome plugin.
Brian also shared several innovations on the Repository side, and discussed upcoming initiatives. Enhanced cloud deployment, GitHub PR integration, and Jira plugins are all coming online soon.
Good thing, too. As Brian reminds us, malicious intent is only going to get worse. We have to stay several steps ahead.
Written by Katie McCaskey
Katie is an experienced technology writer and entrepreneur. At Sonatype, she's focused on creating and finding great content.