Sonatype’s OSS Index is a free catalog of open source components and scanning tools used by developers worldwide to help identify vulnerabilities, understand risk, and keep their software safe. We’ve decided to add even more component, vulnerability and remediation data, so that our users can easily find, understand, and choose the best components.
We see ourselves as a community working together to enable faster innovation in the safest way possible. The newest component intelligence is a direct result of engaging with developers like yourself to build open source tools that are worth using.
Our free OSS data now includes:
Declared licences (where available)
We’ve also updated the interface making it easy to find all of the information you need to remediate known vulnerabilities in the most popular ecosystems. Best of all, it’s still all free!
How can this information help development teams?
Often when developers find vulnerabilities in their projects the next steps are unknown. The questions that arise are:
What is the risk associated?
Is there a fix?
What’s the LOE to implement the fix?
Can it wait till later?
Without additional component and vulnerability details, it’s impossible to answer the questions above without a lot of manual research and effort.
We’ve specifically added component details to make your life easier and save you time and effort with:
The addition of component version history, you can immediately see which versions have vulnerabilities along with the severity to quickly identify upgrade/downgrade paths.
The catalog date gives insight for the timeline of versions as we learn about them.
The CVSS vector for a vulnerability is now in human readable format so you can evaluate the impact of the vulnerability on your projects.