Sonatype’s Solutions in the Supply Chain
- Sonatype offers a number of tools that work together for complete software supply chain management.
- Nexus Repository – your personal package registry. Proxy components from Maven, npm, PyPI and many more, or host your own components. It ensures build reliability.
- Nexus Lifecycle – Offers component security and management. Lifecycle lets you set policies to determine your risk tolerance levels from open source components.
- Lift – Integrates with your source control system to provide code quality analysis.
- Nexus Firewall – Keeps risky and dangerous components from entering your repository. Firewall uses the same policy engine as Lifecycle to prevent components that are too risky from ever making it onto your systems.
Getting all the value from Sonatype’s tools requires that you understand how they fit into the software supply chain. If our tools aren’t integrated into your supply chain, then you’re not getting the full value of your purchase. We might be biased, but our solutions are too important to go untapped.
In a previous guide, we explored the concept of supply chain management and compared the traditional supply chain to the software supply chain. This guide explains how Nexus Repository Manager (NXRM), Nexus Lifecycle, Nexus Firewall, and Sonatype Lift fit into the software supply chain. It describes the basic actions our solutions take, and compares them to elements you might find in a traditional supply chain.
Our Solutions in the Supply Chain
Previously, we laid out the four stages of the traditional supply chain and compared them to the software supply chain. The table below is a summary.
|Traditional Supply Chain|Software Supply Chain|
|---|---|
|Customer Interface|Customer Success|
Sonatype’s solutions fit neatly into the software supply chain, and that’s not a coincidence. Sonatype is all about software supply chain management. Our goal is to empower you to make quality, innovative software at speed, and that means giving you the intelligence you need to manage your supply chain.
It also means automating well and scaling effortlessly. Sonatype’s solutions are natural, organic parts of the supply chain that act automatically, regardless of your size or DevSecOps maturity. They aren’t checkpoints that stop development or choke points that can’t scale as your business grows.
Nexus Repository Manager
NXRM is part of the Sourcing stage. As a binary repository manager, a.k.a. a universal repository manager, NXRM proxies remote repositories such as Maven Central, the npm registry, and other package registries. When a new component is needed, NXRM fetches it from the remote repository and caches a copy locally for later use.
Even brief outages of repositories can cause developers significant grief. Components also sometimes disappear from hosted repos. This poses a significant threat to all your apps, especially legacy apps that are still receiving support. NXRM solves both these problems by acting as a local copy of the repository. And since the copy is local, you can manage it directly, customizing it to suit your organization’s needs.
Example: In the analogy of a traditional supply chain, NXRM is like a warehouse full of trusted parts. The warehouse is well stocked, which prevents delays caused by occasional late deliveries. The warehouse and everything inside it are bought and paid for, so the manufacturing plant can manage it in a way that makes sense for them.
Nexus Firewall
Nexus Firewall is part of the Sourcing stage. Firewall evaluates incoming components against Nexus Intelligence and blocks risky components from entering your binary repository manager. This evaluation is based on security, legal, quality, and architectural standards that you control.
Because Firewall blocks components before they are actually ingested, a risky component can never appear in your app’s final build. Blocking components here also benefits the developer because the feedback is delivered early. Selecting an alternate component early is easier than replacing an existing component late.
Example: In a traditional supply chain, Firewall is like inspecting new parts as they arrive at the warehouse. Technicians ensure that what was delivered matches what was ordered, then check the parts against a known list of product recalls. If there are issues, the parts don’t enter the warehouse and therefore can’t be used in the finished product.
Sonatype Lift
Lift is part of the Development stage. Lift lives in your code repository and comments on pull requests with bug reports, security vulnerabilities, component usage, and other code quality concerns. Sonatype is an expert on open-source component risk, so that’s a special concern for Lift.
Lift is an automated tool, so it scales easily and reduces the need for lengthy manual reviews. Lift provides feedback in your code repository, which is where developers are most able to respond to feedback. And Lift combines 24+ analyzers to catch deep, interprocedural issues that simpler scanning tools can’t.
Example: You can think of Lift as being like a high-tech optical recognition device on an industrial assembly line. It scans parts without human oversight, freeing technicians to focus elsewhere. It scans much faster than a human, which means conveyor belts are free to run at top speed. And if a problem is identified, it routes the part back to a technician to make adjustments or corrections.
Nexus Lifecycle
Nexus Lifecycle is part of every stage of the software supply chain. Lifecycle’s core functionality is to scan applications and evaluate components against Nexus Intelligence. That evaluation is based on security, legal, quality, and architectural standards that you control.
Knowing the components in your application, and their risks, is key to building high-quality, innovative software. Lifecycle’s integrations with tools like IDEs and web browsers bring you precise intelligence throughout the supply chain.
Lifecycle’s integrations with CI/CD tools are especially important. Scanning at build time is scalable, accurate, and gives you visibility into your app’s components when you need it most. It’s also automated; no need to manually submit anything for scanning. And it enforces automatically, blocking builds if it detects policy violations.
Example: In the analogy of a traditional supply chain, Lifecycle is the system of labels and tags identifying every part on the assembly line. Because parts are labeled and tracked, finished products can be evaluated on the strengths and weaknesses of the included parts. Finished products compromised by a bad part are removed from the assembly line until technicians remediate.
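As an added illustration (not Sonatype's code, and not its policy format), the sketch below models the shared-engine idea behind the Firewall and Lifecycle sections: the same constructed policies are applied at the proxy gate at sourcing time and at the build gate in CI, so a component refused at the proxy never reaches the bill of materials. Component attributes, policy names and thresholds are all constructed.

```python
# Added illustration, not Sonatype's engine: one policy evaluator used at two
# gates, the proxy ("firewall") gate at sourcing time and the build gate in CI.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Component:
    name: str
    version: str
    max_cvss: float   # highest known vulnerability score (constructed value)
    license: str
    age_days: int     # days since publication (constructed value)


@dataclass
class Policy:
    name: str
    check: Callable[[Component], bool]   # True when the component violates it
    level: int                           # 1..10, higher is more severe


# Constructed stand-ins for the security / legal / quality standards a team controls.
POLICIES = [
    Policy("Critical vulnerability", lambda c: c.max_cvss >= 9.0, 10),
    Policy("High vulnerability", lambda c: 7.0 <= c.max_cvss < 9.0, 8),
    Policy("Copyleft license", lambda c: c.license in {"GPL-3.0", "AGPL-3.0"}, 7),
    Policy("Brand-new release", lambda c: c.age_days < 3, 5),
]


def evaluate(component: Component) -> List[str]:
    """Names of every policy the component violates (the shared engine)."""
    return [p.name for p in POLICIES if p.check(component)]


def firewall_gate(component: Component, block_at: int = 8) -> bool:
    """Sourcing stage: admit only if no violation reaches the blocking level."""
    worst = max((p.level for p in POLICIES if p.check(component)), default=0)
    return worst < block_at


def build_gate(bom: List[Component], block_at: int = 8) -> bool:
    """CI stage: same engine and threshold, applied to the whole bill of materials."""
    return all(firewall_gate(c, block_at) for c in bom)


def source_components(requests: List[Component], cache: Dict[str, Component],
                      block_at: int = 8) -> Tuple[List[Component], List[Component]]:
    """Proxy behaviour: cached components are served locally; new ones pass the gate first."""
    admitted, blocked = [], []
    for c in requests:
        if c.name in cache:                 # local copy, no dependence on the remote
            admitted.append(cache[c.name])
        elif firewall_gate(c, block_at):    # early feedback: refused before ingestion
            cache[c.name] = c
            admitted.append(c)
        else:
            blocked.append(c)
    return admitted, blocked
```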
This guide is Part II to another guide about the Software Supply Chain. Read that companion piece here!
Lift is a dev-first tool that we’re rapidly developing. You can use Lift for free on public repositories. Visit our Getting Started page to install Lift with just a few clicks.
Getting started with the rest of Sonatype’s solutions is easy, too. In particular, Nexus Repository Manager has a free, open-source version called Nexus Repository Manager OSS. Have a look at its features here.
Nexus Intelligence is Sonatype’s data service that blends human and machine intelligence to provide bleeding-edge data about open-source risk. Discover more about how Nexus Intelligence investigates components here.
Talk to Us!
Have more questions or comments? Learn more at help.sonatype.com, join us in the Sonatype Community, and view our course catalog at learn.sonatype.com.
And visit my.sonatype.com for all things Sonatype.
Written By: Jonathan Zora
Jonathan is a Technical Content Developer at Sonatype.