News

Tool Analyzes Open Source Components in Your Java Apps

• By John K. Waters
• July 25, 2012

Sonatype, a provider of so-called Component Lifecycle Management (CLM) solutions, on Wednesday launched a new on-demand service that analyzes the open-source components that increasingly comprise enterprise Java applications for security, licensing and quality problems.

The company is billing its Insight Application Health Check as a service that allows users to "pull back the curtain on the true contents of their applications."

The widespread reuse of software libraries and components to create applications can make it difficult to know exactly what's in them, observed RedMonk analyst Stephen O'Grady in a recent interview. Sonatype estimates that around 80 percent of a typical modern Java application is built with open source components. And a survey of 2,500 developers, architects, and IT managers conducted earlier this year by the company found that many organizations are adopting open source at an accelerated pace without commensurate controls. Only 32 percent of those responding to the survey maintain inventories of open-source components used in production apps.

"So you've put your product together with all these building blocks, but how do you manage the composition of what your product is?" asks Sonatype CMO Charles Gold. "How do you understand if there are potential problems lurking in your application?"

The Sonatype answer to that question is a new service designed to provide a quick means of determining final application composition. The Application Health Check service can be used for analysis of applications during and prior to development, and for spot checking apps received from external suppliers. Users can employ the service to generate a summary report that includes a breakdown of every component in an application and provides a series of alerts of potential security and licensing problems. That report is free; for a fee, users can get a report that drills down and explores specific vulnerabilities. A sample report can be found here.

The new service is part of the company's larger Insight suite of products and services designed to help companies better manage their usage of open-source Java components. All of the company's CLM products suite leverage the open-source Maven Central Repository, which the company administers, to generate actionable intelligence about open-source-software usage at any stage of the application development process.

"The notion of CLM broadly is to help you manage this very complex supply chain," Gold told ADTmag, "where you're bringing in components from tens or even hundreds of projects, assembling them, integrating them, and writing only a little bit of the business logic. It's about managing those components throughout the lifecycle, from selection, to development, through build and into production."

"What we think we've done here," Gold added, "is to democratize the access to this kind of information with an intuitive interface that anyone can use. You don't need expensive scanners that take days to run and then provide noisy and not especially user-friendly results. Basically, anybody who wants to understand application composition can do it."

Sponsored and licensed by the Apache Software Foundation (ASF), Maven is an open-source framework and repository for building and managing any Java-based project. It started as an effort to simplify the build processes in the Jakarta Turbine project (a servlet based framework that helps Java developers quickly build Web applications). Based on the concept of a project object model (POM), Maven can manage a project's build, reporting, and documentation from a central piece of information. The project's goal today is to allow developers to comprehend the complete state of a development project in the shortest period of time.

More information on the service is available on the company's Web site here.