Sonatype’s sonar-smart sonata for open source

Nobody quite knows why Sonatype is called Sonatype; the developer-friendly tools specialist for software supply chain automation and security doesn’t make a song and dance about its moniker.

Sona, of course, means ‘gold’ or ‘wisdom’ in various forms as a female given name, a variant of it in ancient Celtic means ‘well-grown’, and then there is sonar for navigation, or perhaps sonata, a large-scale musical composition.

The company is a core contributor to Apache Maven (a software build automation tool) and supports the world’s largest repository of open source components (Maven Central), while also distributing the Nexus repository manager.

Over time, says Sonatype CEO E. Wayne Jackson, the company has tracked the ‘staggering volume and variety’ of open source libraries in every development environment in the world. From that vantage point, it says, it understands that when open source components are properly managed, they provide energy for accelerating innovation.

Conversely, when unmanaged, open source gone wild or rogue can lead directly to security vulnerabilities, licensing risks, enormous rework and waste.

Open source means ‘give back’

As an open source purist, Sonatype insists that it has a fully evolved mission to give back, support, and help protect open source ecosystems. 

“As the maintainers of the largest repository of open source components in Maven Central, we have a view into how great the demand for open source has become. However, as that demand has grown, bad actors have recognised the power of open source and are seeking to use that against the industry. As these software supply chain attacks become more commonplace, open source developers have become the frontline of this new battle,” said Brian Fox, CTO of Sonatype.

One of the key missions at Sonatype is to help organisations continuously harness all of the good that open source has to offer, without the risk.

In recent months the company has established new (and bolstered existing) bonds with institutions including the Open Source Security Foundation, the OpenChain Project and the Python Software Foundation.

A ladder-up for Python


The mission of the Python Software Foundation (of which Sonatype is a sponsor) is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers. With 310,000+ packages on PyPI totaling over 435 million yearly downloads, the Python Software Foundation is focused on maintaining the tooling and infrastructure needed for one of the world’s most widely used programming languages.

The company provides free Python security tools and predictive vulnerability intelligence against malicious packages targeting the PyPI ecosystem.

Using its Release Integrity capabilities, which apply machine learning and AI to continuously scan every new release of a Python component for signs of malicious activity before it reaches development machines, Sonatype reports its findings to PyPI so that malicious packages can be proactively uncovered and removed.

The Open Source Security Foundation (OpenSSF) is a cross-industry collaboration focused on metrics, security tooling, vulnerability disclosures, best practices and related efforts to secure the open source ecosystem and improve the security of open source software (OSS).

Sonatype is part of the foundation’s efforts to bring together leaders from around the world and provide a forum for collaborative, cross-industry work.

When it officially joined OpenSSF last year, Sonatype said it was committed to working collectively with other members to keep open source ecosystems safe and secure, as the industry figures out how to battle both new and old attacks on the community.

OpenChain Project

The OpenChain Project maintains the International Standard for open source license compliance which allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance programme. 

Sonatype’s engagement with this organisation focuses on raising awareness among user companies regarding open source license compliance and security, while ensuring they have freedom of choice when considering commercial automation solutions around ISO/IEC 5230 conformance activities.

ISO/IEC 5230 is the designation of that International Standard for open source license compliance.

… and finally, as your closing moment of Zen, Sonatype is called Sonatype (we are reliably told) because ‘sona’ does indeed mean ‘gold’ and ‘type’ means ‘standard’ so bring them together and you get the ‘gold standard’, simple really.