Skip to content

New Maven Central security capabilities⚓︎

Hi Maven Central Publishers,

I’m writing to you to announce some great new capabilities we are rolling out to help you make the components you publish to Maven Central safer and higher quality for all of our shared users.

TLDR:

  • Starting this week, we will be scanning all staged repositories on OSSRH automatically as you’re publishing things to Central
  • You should start seeing reports via email providing details on security issues in your dependencies for things released through OSSRH
  • You can install Muse today for free and start getting feedback on static security (SAST) findings and code quality issues. (https://www.sonatype.com/product/musedev-maven)
  • In Mid-May, the Muse capability will include dependency analysis (SCA)
  • In June, everything will be branded as Sonatype Lift and additional capabilities for Maven publishers will be delivered as the Lift platform evolves.
  • There will always be a free version of Sonatype Lift that you can use to help improve code quality.

Some context…

Most of you know us at Sonatype as the people who brought you Nexus Repository Manager and the faces behind Maven Central since our founding in 2007.

What is less recognized is that for the last 10 years, we’ve also been helping organizations do a better job of managing open source software risk in their components from many dimensions including License/Legal risk, Security and Code Quality.

Several years ago we acquired and re-launched OSSIndex and built many integrations aimed at helping developers do a better job of securing their open source projects. OSSIndex data is integrated into many of the popular tools you may already be using such as DependencyCheck and DependencyTrack.

Earlier this year, we also acquired MuseDev (https://blog.sonatype.com/sonatype-acquires-musedev-and-unveils-full-spectrum-software-supply-chain-management-system) and their developer-first capabilities that can provide static analysis and code quality visibility directly in your pull request feedback loops.

Here’s how we’re bringing this all together to help make this a safer ecosystem for everyone:

Starting this week, we will be scanning all staged repositories on OSSRH (OSS Repository Hosting) automatically as you’re publishing things to Central. We will email you a link to a report with findings each time so you can get a sense of any risk in your dependencies. This early access capability is intended to get you key information quickly. A few key notes:

  • Initially, this is primarily focused on security vulnerabilities, but we aim to quickly add additional information around licensing and quality soon.
  • This first report is read only as well, meaning you can’t override or mark issues as not applicable. These are long standing capabilities in our existing products and we are working hard and fast to match those capabilities as part of this experience.

Muse has a free tier right now that you can use to begin to assess your projects and get feedback on static security (SAST) and quality concerns in your own code. You should definitely check that out and see how it can help improve your code.

In mid-May, our SCA (Software Composition Analysis) capabilities will be merged into Muse so you will be able to see all the findings right in your pull requests. We intend for this to be the early feedback on any dependency issues that would be surfaced when you cut the actual release. The release report will be just the final assessment to make sure nothing was missed during your development process. Go here to find out more about Muse and find the link to install on your Github repositories (https://www.sonatype.com/product/musedev-maven).

Finally, we are merging the OSSIndex, Muse and next generation Sonatype Lifecycle capabilities into a new platform called Sonatype Lift. Sonatype Lift, like OSSIndex and Muse before it will have free-forever capabilities that open source projects can depend upon to improve their software. This will be true for all open source, not just things published to Maven Central. However, as stewards of the Maven Central repository, we expect to provide Maven Central publishers an enhanced experience and capabilities for those OSS projects published to Central.

The full launch and rebrand is expected to occur in early June, 2021. However, given the intense scrutiny on the Software supply chain in light of SolarWinds and CodeCov attacks, as well as the ongoing battles with malicious components in other ecosystems, we didn’t want to wait any longer to roll out these initial capabilities to our Maven Central publishers.

--Brian Fox
CTO & Cofounder Sonatype