Sonatype Intros Advanced Development Pack
October 9, 2020
unveiled its breakthrough Advanced
Development Pack that fundamentally changes
how teams manage code dependencies. Designed
after studying development and cybersecurity
hygiene practices across 30,000 software
teams, this new offering available to Nexus
Lifecycle customers, ensures developers
select the highest quality OSS components
that are used to build 90% of a modern
It helps developers understand:
the performance of OSS projects they are choosing when it comes to release frequency, cadence of dependency updates, development team size, and popularity - helping guide choices to a higher quality pool of components
the frequency in which dependencies have become vulnerable and are remediated - helping them better grasp the cost and threat of relying on such packages
when suspicious behavior has been observed in project code commits - providing an early warning to malicious injection attacks from adversaries
With more than 67% of developers regularly impacted when dependency upgrades break the functionality of their application, Sonatype’s Advanced Development Pack removes the guesswork, and tells developers exactly which dependencies provide the least costly upgrade path in terms of effort.
Enhanced capabilities include:
Release Integrity - a first-of-its-kind early warning system using AI and ML to automatically identify and block next-gen software supply chain attacks relying on typosquatting and malicious code injection. In the past 90 days, the malicious code detection bots supporting this feature have discovered 43 new malicious packages including electorn and loadyaml.
Project Hygiene Rating - dubbed the Consumer Reports of OSS Projects - this first-of-its-kind health & hygiene rating system enables developers to select projects with the very best track records of release frequency, popularity, vulnerability remediation times, developer staffing, and other performance attributes. The exemplar, neutral, and laggard ratings assigned to each component were determined by a deep analysis of 30,000 OSS projects over a five year period.
Transitive Solver - tackling a project’s overall risk and not just individual dependencies, Sonatype’s transitive solver provides comprehensive remediation advice for solving both direct and transitive dependencies - all without violating policies or failing builds.
Component Chooser - think of this as Google for open source - it is an engine that helps developers search and compare OSS components in order to select the highest quality options. Component quality takes into account the project's hygiene rating, security and license compliance, and awareness of where else the component is being used within the developer’s organization. This feature - currently in beta - will be generally available in 2021.
"Developer ownership of the security and reliability of their code is increasingly important. With the Advanced Development Pack, we’re bringing the most comprehensive set of data on OSS projects to their fingertips." said Brian Fox, CTO of Sonatype. "As a developer myself, my aim has always been to deliver the highest quality code to customers in the shortest period of time. But when breaking changes, compliance issues, version control, and cybersecurity vulnerabilities pop-up, delivery timelines are challenged. By reducing these speed bumps to delivery, we’re going to make a lot of developers happier and enable them to spend more time innovating and less time fixing their code.”