Sonatype offers software engineers control of InnerSource components

Sonatype is a software supply chain management company that has been gaining increasing traction in recent months.

The company has now announced a capability focused on identifying and remediating InnerSource components that contain vulnerable, malicious, or outdated open source dependencies.

InnerSource Insight makes it easier and safer for developers to use software components created by others within their organisation as part of their software supply chain.

With InnerSource Insight, developers can easily manage their InnerSource components, see what open source packages they’re dependent on, remediate concerns immediately and identify safe upgrade paths that won’t break builds.

InnerSource is an increasingly common term for proprietary software components developed internally following the practices and processes typically used in open source development. Under this model, everyone in an organisation has access to development artefacts, code and documentation, and teams are encouraged to use and contribute to these components throughout the application development lifecycle to save time, prevent rework and build better software.

“Over the past 15 years that we’ve been helping engineering teams understand, manage, and protect their software supply chains, organizations have come to understand the inherent risks of using open source software and the need to monitor it,” said Brian Fox, co-founder and CTO of Sonatype. “What’s less known is that increasingly, dangerous open source components slip into applications through these shared internal components called InnerSource. We’re helping organizations remove that risk by making it possible for developers to manage InnerSource components the same way they manage open source.” 

In some cases an InnerSource component draws on hundreds of other open source and InnerSource components, and those dependencies often carry company policy violations that are difficult to trace and to remediate.

Sonatype’s InnerSource Insight, previously available in beta and now open to all customers of Sonatype’s Nexus Lifecycle, helps developers and security teams:

  • Decrease manual rework by easily identifying InnerSource components and taking action to remediate concerns or company policy violations within their dependencies
  • Save time by quickly seeing all the different versions of an InnerSource component in an easy-to-read graphic, and then determining the most up-to-date version to use
  • Effortlessly integrate with CycloneDX, making it possible to track, update and remediate InnerSource components in 120+ tools and languages
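As an added illustration of the tracing problem described above (not Sonatype's code and not part of the original article): a CycloneDX BOM walk that attributes each policy violation to the chain of InnerSource components that introduced it, so a violation reached only through shared internal components is distinguished from one the application depends on directly. The BOM, the policy and the `com.example.inner` group used to mark InnerSource components are constructed for the example.

```python
import json

# Constructed CycloneDX 1.4 BOM (sample data, not a Sonatype artefact):
# InnerSource components carry an assumed group name; the app depends on
# them and they in turn pull in open source packages.
BOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"bom-ref": "app", "name": "payments-app"}},
 "components": [
  {"bom-ref": "inner-auth", "group": "com.example.inner", "name": "auth-lib", "version": "3.1"},
  {"bom-ref": "inner-http", "group": "com.example.inner", "name": "http-kit", "version": "1.4"},
  {"bom-ref": "oss-parse", "group": "org.example.oss", "name": "fast-parse", "version": "1.0"},
  {"bom-ref": "oss-log", "group": "org.example.oss", "name": "logkit", "version": "2.3"}
 ],
 "dependencies": [
  {"ref": "app", "dependsOn": ["inner-auth", "oss-log"]},
  {"ref": "inner-auth", "dependsOn": ["inner-http"]},
  {"ref": "inner-http", "dependsOn": ["oss-parse", "oss-log"]}
 ]
}"""
# Constructed company policy: minimum permitted version per group:name.
POLICY = {"org.example.oss:fast-parse": "1.2", "org.example.oss:logkit": "3.0"}
INNER_GROUP = "com.example.inner"  # assumed marker for InnerSource components

def version_key(v):  # numeric tuple for plain dotted versions (enough for the sample)
    return tuple(int(p) for p in v.split("."))

def innersource_violations(bom_text, policy, inner_group):
    """Return (group:name, version, chain) per violation; chain holds the
    InnerSource bom-refs it was reached through (empty means a direct dependency)."""
    bom = json.loads(bom_text)
    comps = {c["bom-ref"]: c for c in bom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    findings = []

    def walk(ref, chain, seen):
        for child in graph.get(ref, []):
            if child in seen:  # guard against cyclic dependency graphs
                continue
            comp = comps[child]
            key = f"{comp.get('group', '')}:{comp['name']}"
            if comp.get("group") == inner_group:  # descend through InnerSource
                walk(child, chain + [child], seen | {child})
            elif key in policy and version_key(comp["version"]) < version_key(policy[key]):
                findings.append((key, comp["version"], tuple(chain)))

    root = bom["metadata"]["component"]["bom-ref"]
    walk(root, [], {root})
    return findings
```

The same open source package can appear more than once in the result, once per path, which is exactly the information needed to decide whether fixing the InnerSource component or the application itself removes the violation.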

Sonatype says that its platform addresses every element of an organisation’s entire software development life cycle, including third-party open source code, first-party source code, and InnerSource code. Sonatype identifies critical security vulnerabilities and code quality issues and reports results directly to developers when they can most effectively fix them.

One of the company’s key ‘takeaway’ statements is that software supply chain management is complex and difficult, but it is also about decreasing innovation tax and technical debt, and increasing employee happiness, productivity and revenue.
