Sonatype: what dependency management did next (generation)
Sonatype describes itself as the company that scales DevOps through open source governance and software supply chain automation.
Quite a mouthful, yes, but the firm is extremely developer-focused and brings substantial software engineering expertise to bear through its platform and wider system stack.
The company’s latest Advanced Development Pack is designed to change how teams manage code dependencies.
Designed after studying development and cybersecurity hygiene practices across 30,000 software teams, this new offering, available to customers of Nexus Lifecycle (the company’s software supply chain product), ensures developers select the highest-quality OSS components for their applications.
The pack’s dependency management enables developers to choose components based on project quality, ease of upgrade and advance knowledge of abnormal committer behaviour.
Care about cadence
Sonatype says its software helps programmers understand the performance of OSS projects they are choosing when it comes to release frequency, cadence of dependency updates, development team size and popularity – helping guide choices to a higher quality pool of components.
Estimates suggest that over two thirds of developers are regularly impacted when dependency upgrades break the functionality of their application.
“As a developer myself, my aim has always been to deliver the highest quality code to customers in the shortest period of time. But when breaking changes, compliance issues, version control, and cybersecurity vulnerabilities pop up, delivery timelines are challenged. By reducing these speed bumps to delivery, we’re going to make a lot of developers happier and enable them to spend more time innovating and less time fixing their code,” said Brian Fox, CTO of Sonatype.
Enhanced capabilities include ‘Release Integrity’ – an early warning system that uses AI and ML to automatically identify and block next-generation software supply chain attacks that rely on typosquatting and malicious code injection.
Also here is Component Chooser – think of this as Google for open source – an engine that helps developers search and compare OSS components to select the highest-quality options. Component quality takes into account the project’s hygiene rating, security and licence compliance, and awareness of where else the component is being used within the developer’s organisation. This feature – currently in beta – will be generally available in 2021.