SONATYPE REPOSITORY MANAGEMENT

Transcription

1 PRODUCT OVERVIEW SONATYPE REPOSITORY MANAGEMENT Nexus Pro and Nexus Pro CLM Edition The use of repository managers also known as component managers is helping software development teams achieve significant gains in speed, efficiency, and quality. As the de facto industry standard, more than 40,000 Nexus instances are used to organize artifacts, improve collaboration across teams, and source the highest quality components for use in their applications. With the ubiquitous use of open source artifacts in agile software development today, component managers have become a must-have technology. A component manager enables development teams to enjoy the benefit of agile component-based development in a streamlined and structured environment. For example, repository managers: Reduce build times by enabling centralized, local access to components downloaded from external repositories as well as those created internally. Improve collaboration by providing a central location to store and manage common components used among development teams. Sharpen control by providing a mechanism to observe and govern the use of components. Benefits of Repository Managers The Nexus line of repository managers offer a complete set of functionality for organizations of all sizes and needs. Feature sets range from basic with Nexus OSS to more advanced enterprise strength features with Nexus Pro and Nexus Pro CLM Edition. Faster and more reliable builds Caching eliminates the need to download components from the Internet, saving time and eliminating the risk that the Internet or remote server won t be available during the build. Improve collaboration A component manager provides a mechanism for developers to share binary components for internally developed software projects. The component manager becomes a deployment target when artifacts are created, and the canonical source of both internally developed and third-party components for use in development. Identify component risks and vulnerabilities A component manager provides complete visibility into what binaries have been downloaded from public repositories. Problematic components (e.g., risky license types, security vulnerabilities, out-of-date versions) are identified through automated Repository Health Checks, using continuously updated, proprietary Sonatype data feeds.

2 Enhance security A repository manager brings additional levels of security to development operations including support for single sign-on, role-based access controls, secure connections to the Central Repository, and LDAP support. Strengthen continuous delivery via staging Software development teams can post a collection of related, staged artifacts to the repository manager which can be tested, promoted, or discarded as a unit. The staging capabilities support improved releases to a production system, including build sign-offs or re-deploying new builds after last minute problems were found. Enforce component usage policies With knowledge of problematic components, Nexus Pro CLM edition enables organizations to begin establishing, monitoring and enforcing policies for binary usage across the primary, proxy, and staging repositories. Integrating with all major build tools: Apache, Maven, Ant, Gradle, Ivy, SBT, Leiningen, Gant/Grails, and others. Nexus OSS is ideal for smaller groups or for organizations that do not have the need for sophisticated component management. Nexus Pro Building on the extensive feature set of Nexus OSS, Nexus Pro adds robust staging, collaboration, and security capabilities in addition to enterprise-level support for more demanding repository management requirements. Whether an organization has thousands of developers distributed around the globe, or smaller teams with demanding requirements, Nexus Pro delivers immediate game-changing developer efficiencies, such as: Smart proxying to provide immediate availability of upstream artifacts in downstream Nexus instances Build promotion and staging support Nexus is super easy to set up and update. You ll waste time trying to find another way to manage your binaries. Development of Nexus is very active, the support is awesome and all the features you d need are there. Alexis Morelle, Software Factory Architect, Alcatel-Lucent Secure access and permissions through LDAP or Crowd integration, user tokens, and single sign-on Repository Health Checks ensure continuous, up-todate evaluations of license and security risks Staging repositories used to improve the quality of releases and enforcement of open source policies Support for the most common component formats including Java, npm, NuGet, with more coming soon Expert technical support with documented Service Level Agreements (SLA) Benefits of Nexus OSS Stage Beta Release Nexus OSS can be used to store and retrieve downloaded components and their metadata. Custom binaries can also be managed with Nexus OSS. Nexus OSS is a robust and reliable choice for basic component management functionality including: Development Storing and retrieving binary components QA Testers Select Customers General Public Caching and proxying remote component repositories to improve build speeds Post a collection of related, staged artifacts which can be tested, promoted, or discarded as a unit. Page 2

3 Nexus Pro Repository Health Check Nexus component managers can use the built-in Repository Health Check feature for visibility and reports highlighting component license risks, security vulnerabilities, and quality characteristics. Nexus provides seamless REST-based services and integration with the most popular development tools. Nexus Pro CLM Edition Nexus Pro CLM allows greater control over component usage by helping define, monitor, and enforce open source policies. Component governance features automated policy management and approvals enabling organizations to better manage release processes using the repository manager. Nexus Pro CLM capabilities includes: As developers download artifacts, they may be unknowingly choosing binaries with problematic license types or critical security vulnerabilities that might expose the business to intellectual property risks or applications to known exploits. Nexus Professional regularly scans components to provide an up-to-date view of risk exposure. Health checks can now be enabled for all types of proxy repositories supported by Nexus (e.g., Maven, P2, Nuget, OBR, Yum). All Nexus Pro features, plus: Automated Repository Health Checks while available to Nexus Pro users, repository health checks provide visibility to risky, vulnerable, or poor quality components. With this visibility, Nexus Pro CLM users can begin to define policies for when use of those components is acceptable through staging and promotion. Policy editor define rules for open source component use related to application types, license risk, security vulnerabilities, architecture, popularity of component use across the developer community, etc. Constraints and actions (e.g., fail, warn, do nothing, notify) can be configured in the editor. The Nexus Pro Repository Health Check provides automated and continuously up-to-date licensing, security, and quality data to help developers improve the quality of applications they deliver. Policy alerts any time a rule is broken, a policy violation occurs. Violations automatically trigger defined alerts or actions, including details regadring the number and severity of violations discovered. Detailed component information when searching for components, Nexus Pro CLM provides visibility to internally defined policies violations related Page 3

4 to security vulnerabilities, license risks, component versions, and use popularity. When violations are noted, views to alternative component versions are readily available to help mitigate the risk and help developers comply with the policy. Policy-based promotion and staging to ensure any releases produced are automatically validated and enforced against internal open source policies based on component license, security, or quality characteristics. Violations can trigger warnings, notify specific personnel, or even prevent a release. It is impossible to do serious development without a repository manager. And the only one on the market that is serious is Nexus. Arnaud Heritier, Software Factory Manager, eo The component information panel in Nexus displays security vulnerabilities, license risk, artifact age and popularity, and more. Page 4

5 Features Comparison Nexus OSS Nexus Pro Nexus Pro CLM Storage and Retrieval of Binary Artifacts Deployment of Custom Binaries Smart Proxies Technical Support Authentication and Access Control Secure Delivery Comprehensive Repo and Build Tool Support Hosted and Group Repositories Robust Search Policy Configurations Policy Enforcement Build Promotion and Staging Policy Alerts and Actions Automated Repository Health Checks Multiple Repository Formats Multiple Component Formats Basic Advanced Advanced Advanced Advanced Manual Automated Basic Advanced Basic Advanced Advanced Basic Basic Advanced Easily store and retrieve binary artifacts to speed development efforts. Custom binary support enables management of internal development efforts in the same repositories as externally sourced components. Internal proxy repositories act as mirrors that can be located near the consuming developers, reducing access time and improving availability. Live tech support with guaranteed service level agreements to help with configurations, upgrades, and more. Basic support includes LDAP and fine-grained access control. Advanced includes Enterprise LDAP and Crowd support, as well as SSL certificate management and user token support. SSL secures the delivery channel from the Central Repository helping to eliminate man-in-the-middle Robust build and repo support (Maven, Ant/Ivy, Gradle) extends value of Nexus. Single virtual location for sharing and publishing artifacts speeds development. Basic search facilitates component identification and selection. Advanced capabilities include search custom metadata. Ability to define, configure and customize policies for multiple organizations and applications. Define policies to codify security, licensing and quality standards at various enforcement points. Enforce policy to ensure that security, license and quality standards are met. Improve development processes and collaboration with managed promotion and stage across the software development lifecycle. Advanced level promotions can be driven by CLM policies. Enforce policies with active (e.g., prevent staged build from being promoted) or passive (e.g, notifying specific people) actions. Advanced health checks provide reporting on all known component versions and their associated licenses, security vulnerabilities, popularity. Basic health checks provide a summary of risks, but not down to the individual component details. Comprehensive repository support for Maven, NuGet, OSGi, Yum, and P2. Nexus instances are repository format neutral and include support for Maven, npm, NuGet, RubyGems, APT, and others. Check the Nexus roadmap for timing and availability of additional formats. Advanced capabilities include policy management of specific components. Page 5

6 Get Started Today Join the Sonatype Nexus community to learn, engage and share Nexus tips and trick with peers and experts worldwide. Check out the fresh new articles, Nexus Live video chats with our development team, try your hand at a Nexus two-minute challenge videos, enhance your skills with free video training, and peruse the latest Nexus Now newsletters. Find the community at For a 14-day free trial of Nexus Pro, please visit No credit card is required. Just download and go! Sonatype focuses on the challenge of creating a secure software supply chain. Today, developers rely on millions of third party and open source building blocks known as components to build up to 90% of a typical application. These components are downloaded from the internet, without controls, allowing components with known security vulnerabilities and/or licensing risks to be built in to newly developed software. And unlike a manufacturing supply chain, these components are not tracked throughout their lifecycle for update or recall. Sonatype uniquely identifies all components and integrates data about known security, license and quality risks into the tools developers use every day, so risky components can be easily avoided and defects repaired early in the development process. Policy automation, ongoing monitoring and proactive alerts makes it easy to have full visibility and control of components throughout the software supply chain so that applications start secure and remain that way over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: Sonatype Inc Maple Lawn Blvd, Suite 250 Fulton, MD Sonatype Inc. All Rights Reserved.