
New Developer Tools for Open Source Dependency Management

Sonatype’s focus on developers brings more insights into software dependencies, clearer policy exceptions, and support for PHP users. This Nexus platform update will help developers more easily remediate vulnerable open source usage across their projects.

New in Nexus Lifecycle

Many organizations are still operating with a scan-and-scold mentality when it comes to identifying vulnerabilities, an approach that is not effective at proactively reducing the risk introduced by vulnerable open source components.

Sonatype’s Nexus platform already provides comprehensive remediation guidance that helps developers select the safest components. It can also quickly identify and replace vulnerable components present in your applications. This latest release of Nexus Lifecycle makes remediation even easier, while also streamlining the workflow for approving components that don’t fully conform to policy.

These changes, plus better intelligence for PHP components, help developers identify more vulnerable components faster, saving them time and reducing risk.

Dependency Tree Visualization and Transitive Solver

Direct open source components are downloaded every day by development teams all over the world. By the nature of how open source works, these projects are themselves made up of multiple component projects. These are known as “transitive” dependencies, and there can be hundreds of them built into your software. Each new component brings a growing number of unknown components with it. Are they up to date and secure?

Indications that direct dependencies are free of security issues often aren’t assurance that the component projects they pull in are safe. Worse, finding and resolving the security risks brought in by these transitive dependencies is a complex and difficult task. Because of the way major projects scale, security and software engineering teams have to spend time figuring out which direct dependency brought a transitive dependency in. Then, once you determine which team owns that problem, it needs to get prioritized.

Especially for larger projects, it can quickly become impossible to (Read more...)
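The “which direct dependency brought this transitive dependency in” question above can be answered mechanically from a resolved dependency graph. The following is an added example, not Sonatype’s or Nexus Lifecycle’s code: the graph is constructed by hand in place of a real lockfile, and every package name in it is hypothetical.

```python
from collections import deque

# Constructed resolved dependency graph for a hypothetical app (not real data):
# package -> the packages it depends on directly, as a lockfile would record.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "http-client", "yaml-parser"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-lib", "compression-lib"],
    "template-engine": ["url-lib"],
    "yaml-parser": [],
    "url-lib": ["compression-lib"],
    "compression-lib": [],
}


def transitive_closure(graph, root="app"):
    """Every package reachable from root (excluding root) with its minimum depth;
    depth 1 entries are the direct dependencies, everything deeper is transitive."""
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        node, d = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in depth:
                depth[dep] = d + 1
                queue.append((dep, d + 1))
    return depth


def dependency_paths(graph, target, root="app"):
    """All acyclic paths root -> ... -> target: every route by which target is pulled in."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:  # skip back-edges so cyclic graphs terminate
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


def responsible_direct_deps(graph, target, root="app"):
    """Direct dependencies whose subtree contains target: the declarations to
    upgrade or replace, and whose owning team the fix should be handed to."""
    return sorted({p[1] for p in dependency_paths(graph, target, root) if len(p) > 1})
```

Calling `responsible_direct_deps(DEPENDENCY_GRAPH, "compression-lib")` on the constructed graph names both direct dependencies that pull in `compression-lib`, while `dependency_paths` lists each of the five routes so every one can be checked after an upgrade.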

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Chris Good. Read the original post at: https://blog.sonatype.com/new-developer-tools-for-open-source-dependency-management