Sonatype’s Solutions in the Supply Chain

Key Takeaways

  • Sonatype offers a number of tools that work together for complete software supply chain management.
  • Sonatype Nexus Repository – is your personal package registry. Proxy components from Maven, npm, PyPI and many more, or host your own components. It ensures build reliability.
  • Sonatype Lifecycle – offers component security and management. Lifecycle lets you set policies to determine your risk tolerance levels for open source components.
  • Sonatype Repository Firewall – keeps risky and dangerous components from entering your repository. Firewall uses the same policy engine as Lifecycle to prevent components that are too risky from ever making it onto your systems.

Overview

Getting all the value from Sonatype’s tools requires that you understand how they fit into the software supply chain. If our tools aren’t integrated into your supply chain, then you’re not getting the full value of your purchase. We might be biased, but our solutions are too important to go unused.

In a previous guide, we explored the concept of supply chain management and compared the traditional supply chain to the software supply chain. This guide explains how Sonatype Nexus Repository, Sonatype Lifecycle, and Sonatype Repository Firewall fit into the software supply chain. It describes the basic actions our solutions take, and compares them to elements you might find in a traditional supply chain.

Our Solutions in the Supply Chain

Previously, we laid out the four stages of the traditional supply chain and compared them to the software supply chain. The table below is a summary.

Traditional Supply Chain    Software Supply Chain
Procurement                 Sourcing
Production                  Development
Distribution                DevOps
Customer Interface          Customer Success

Sonatype’s solutions fit neatly into the software supply chain, and that’s not a coincidence. Sonatype is all about software supply chain management. Our goal is to empower you to make quality, innovative software at speed, and that means giving you the intelligence you need to manage your supply chain.

It also means automating well and scaling effortlessly. Sonatype’s solutions are natural, organic parts of the supply chain that act automatically, regardless of your size or DevSecOps maturity. They aren’t checkpoints that stop development or choke points that can’t scale as your business grows.

Sonatype Nexus Repository

Sonatype Nexus Repository is part of the Sourcing stage. As a binary repository manager, also known as a universal repository manager, Nexus Repository proxies public repositories such as Maven Central and npm, as well as other repository managers. When a new component is needed, Nexus Repository fetches it from the upstream source and caches a copy locally for later use.

Even brief outages of public repositories can cause developers significant grief. Components also sometimes disappear from hosted repositories entirely. This poses a significant threat to all your apps, especially legacy apps that are still receiving support. Nexus Repository solves both problems by acting as a local copy of the repository. And since the copy is local, you can manage it directly, customizing it to suit your organization’s needs.

Example: In the analogy of a traditional supply chain, Nexus Repository is like a warehouse full of trusted parts. The warehouse is well stocked, which prevents delays caused by occasional late deliveries. The warehouse and everything inside is bought and paid for, so the manufacturing plant can manage it in a way that makes sense for them.

Sonatype Repository Firewall

Sonatype Repository Firewall is part of the Sourcing stage. Firewall evaluates incoming components against our component intelligence and blocks risky components from entering your binary repository manager. This evaluation is based on security, legal, quality, and architectural standards that you control.

By blocking components before they’re actually ingested, risky components are prevented from ever appearing in your app’s final build. Blocking components here also benefits the developer because the feedback is delivered early. Selecting an alternate component early is easier than replacing an existing component late.

Example: In a traditional supply chain, Repository Firewall is like inspecting new parts as they arrive at the warehouse. Technicians ensure that what was delivered matches what was ordered, then check the parts against a known list of product recalls. If there are issues, the parts don’t enter the warehouse and therefore can’t be used in the finished product.
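The two behaviours described above, a local cache that keeps serving components when the upstream registry is down (the Nexus Repository section) and a policy gate that quarantines a component before it is ever ingested (the Repository Firewall section), can be modelled in a few dozen lines. The following Python is an added illustration written for this guide, not Sonatype product code: the policy thresholds, the package identifiers, the intelligence feed and the simulated upstream registry are all constructed, and the fail-closed treatment of components with no intelligence is this example's own design choice.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Policy:
    """Thresholds the organisation controls (constructed sample values)."""
    max_cvss: float = 7.0                                  # security: worst known CVE may not exceed this
    banned_licenses: frozenset = frozenset({"AGPL-3.0"})   # legal: licenses the organisation rejects
    min_age_days: int = 3                                  # quality: hold back releases newer than this


@dataclass(frozen=True)
class Intel:
    """What a component-intelligence feed would report for one version (constructed)."""
    worst_cvss: float
    license: str
    age_days: int


# Constructed sample feed, keyed by a package-URL-style identifier. None of these packages are real.
INTEL = {
    "pkg:npm/example-widget@1.4.2":        Intel(worst_cvss=0.0, license="MIT",        age_days=400),
    "pkg:npm/example-stream@3.3.6":        Intel(worst_cvss=9.8, license="MIT",        age_days=900),
    "pkg:maven/org.example/util@2.0.1":    Intel(worst_cvss=0.0, license="AGPL-3.0",   age_days=90),
    "pkg:pypi/example-client@5.0.0":       Intel(worst_cvss=0.0, license="Apache-2.0", age_days=1),
}


def evaluate(purl: str, intel: dict[str, Intel], policy: Policy) -> list[str]:
    """Return the policy violations for one component; an empty list means it is allowed."""
    info = intel.get(purl)
    if info is None:
        # Fail closed: a component nobody has intelligence on is not let in silently.
        return ["no intelligence available for component"]
    violations = []
    if info.worst_cvss > policy.max_cvss:
        violations.append(f"security: worst CVSS {info.worst_cvss} exceeds {policy.max_cvss}")
    if info.license in policy.banned_licenses:
        violations.append(f"legal: license {info.license} is banned")
    if info.age_days < policy.min_age_days:
        violations.append(f"quality: released {info.age_days} day(s) ago, minimum is {policy.min_age_days}")
    return violations


class GatedProxy:
    """Caching proxy that evaluates each new component before it is stored."""

    def __init__(self, upstream: Callable[[str], Optional[bytes]], intel: dict[str, Intel], policy: Policy):
        self.upstream = upstream
        self.intel = intel
        self.policy = policy
        self.cache: dict[str, bytes] = {}             # components already admitted and stored locally
        self.quarantine: dict[str, list[str]] = {}    # components refused, with the reasons

    def fetch(self, purl: str) -> tuple[str, Optional[bytes]]:
        """Return (status, artifact); status is 'cached', 'fetched', 'blocked' or 'unavailable'."""
        if purl in self.cache:
            return "cached", self.cache[purl]          # served locally even if upstream is down
        violations = evaluate(purl, self.intel, self.policy)
        if violations:
            self.quarantine[purl] = violations         # early feedback, before any build uses it
            return "blocked", None
        artifact = self.upstream(purl)
        if artifact is None:
            return "unavailable", None                 # never seen before and upstream is down
        self.cache[purl] = artifact
        return "fetched", artifact


def make_upstream(online: dict[str, bool]) -> Callable[[str], Optional[bytes]]:
    """Constructed stand-in for a public registry; online[purl] = False simulates an outage."""
    def upstream(purl: str) -> Optional[bytes]:
        if not online.get(purl, True):
            return None
        return f"<constructed bytes of {purl}>".encode()
    return upstream


def demo() -> dict[str, str]:
    """Walk through the scenarios from the text and return the status of each request."""
    online: dict[str, bool] = {}
    proxy = GatedProxy(make_upstream(online), INTEL, Policy())
    good = "pkg:npm/example-widget@1.4.2"
    results = {}
    results["good_first"] = proxy.fetch(good)[0]              # fetched from upstream, then cached
    online[good] = False                                       # upstream goes down
    results["good_outage"] = proxy.fetch(good)[0]             # still served from the local cache
    results["vulnerable"] = proxy.fetch("pkg:npm/example-stream@3.3.6")[0]
    results["banned_license"] = proxy.fetch("pkg:maven/org.example/util@2.0.1")[0]
    results["too_fresh"] = proxy.fetch("pkg:pypi/example-client@5.0.0")[0]
    results["unknown"] = proxy.fetch("pkg:npm/never-seen@0.0.1")[0]
    return results


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:15} {status}")
```

The key design point is the order of operations in `fetch`: the cache is consulted first, so an outage upstream never affects a component that was already admitted, and the policy check runs before any network fetch, so a refused component never touches local storage.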

Sonatype Lifecycle

Sonatype Lifecycle is part of every stage of the software supply chain. Lifecycle’s core functionality is to scan applications and evaluate components against Nexus Intelligence. That evaluation is based on security, legal, quality, and architectural standards that you control.

Knowing the components in your application, and their risks, is key to building high-quality, innovative software. Lifecycle’s integrations with tools like IDEs and web browsers bring you precise intelligence throughout the supply chain.

Lifecycle’s integrations with CI/CD tools are especially important. Scanning at build time is scalable, accurate, and gives you visibility into your app’s components when you need it most. It’s also automated; no need to manually submit anything for scanning. And it enforces automatically, blocking builds if it detects policy violations.

Example: In the analogy of a traditional supply chain, Lifecycle is the system of labels and tags identifying every part on the assembly line. Because parts are labeled and tracked, finished products can be evaluated on the strengths and weaknesses of the included parts. Finished products compromised by a bad part are removed from the assembly line until technicians remediate.

Additional Resources

This guide is Part II to another guide about the Software Supply Chain. Read that companion piece here!

Talk to Us!

Have more questions or comments? Learn more at help.sonatype.com, join us in the Sonatype Community, and view our course catalog at learn.sonatype.com.

And visit my.sonatype.com for all things Sonatype.

Written By: Jonathan Zora

Jonathan is a Technical Content Developer at Sonatype.