New developer tools for open source dependency management


Sonatype’s developer focus brings more information about software dependencies, clearer policy exceptions, and support for PHP users. This update to the Nexus platform will help developers more easily address vulnerable open source usage in their projects.

New to the Nexus Lifecycle

Many organizations still operate with a "sweep and berate" mentality when it comes to identifying vulnerabilities, an approach that is not effective in proactively reducing the risks associated with vulnerable open source.

Sonatype’s Nexus platform already provides comprehensive remediation guidance for developers to select the most secure components. It can also quickly identify and replace vulnerable components in your applications. This latest version of Nexus Lifecycle makes remediation even easier, while streamlining workflows for approving components that are not fully compliant with policy.

These changes, along with better intelligence for PHP components, help developers identify the most vulnerable components faster, saving them time and reducing risk.

Dependency tree visualization and transitive solver

Direct open source components are uploaded daily by development teams around the world. By the nature of how open source works, these projects are themselves made up of multiple component projects. These are called "transitive" dependencies, and there may be hundreds of them built into your software. Each new component brings an increasing risk of components you do not know about. Are they up to date and secure?

Assurance that direct dependencies are free of security issues often does not guarantee that the component projects they pull in are safe. Worse still, finding and fixing the security risks introduced by these transitive dependencies is a complex and difficult task. Because of the way large projects scale, security and software engineering teams must spend time determining which direct dependency resulted in a given transitive dependency. Only then, once you have determined which team is responsible for the issue, can it be prioritized.
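One way to do the "which direct dependency brought this in" step described above, as an added Python example that is not Sonatype's or the Nexus platform's code: it walks a constructed dependency graph (hypothetical component names, not real project data) and reports, for each component flagged as vulnerable, the direct dependencies of the project that pull it in, so the owning team can be identified.

```python
# Constructed sample dependency graph (hypothetical names, not real project
# data): each key is a component, its value the components it depends on
# directly. "app" is the project; its children are the direct dependencies.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "http-client", "logging"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser", "tls-lib"],
    "logging": ["json-codec"],
    "template-engine": ["json-codec"],
    "url-parser": [],
    "tls-lib": [],
    "json-codec": [],
}

# Constructed set of components a hypothetical scan flagged as vulnerable.
VULNERABLE = {"json-codec", "tls-lib"}


def dependency_paths(graph, root, target):
    """Return every path root -> ... -> target as a list of component names.

    Depth-first search; the current path doubles as a visited set so that
    cycles (which version ranges can produce in real graphs) do not recurse
    forever.
    """
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:            # skip cycles
                walk(child, path + [child])

    walk(root, [root])
    return paths


def blame_direct_dependencies(graph, root, vulnerable):
    """Map each vulnerable component to the sorted list of root's direct
    dependencies that introduce it (path[1] is the direct dependency)."""
    blame = {}
    for component in sorted(vulnerable):
        directs = {path[1] for path in dependency_paths(graph, root, component)
                   if len(path) >= 2}
        blame[component] = sorted(directs)
    return blame


if __name__ == "__main__":
    for vuln, directs in blame_direct_dependencies(DEPENDENCY_GRAPH, "app", VULNERABLE).items():
        print(f"{vuln}: introduced via {', '.join(directs)}")
```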

Especially for large projects, it can quickly become impossible to (Read more…)
