News

Sonatype Leverages Open Source Java Repository

• By John K. Waters
• September 22, 2011

Sonatype this week launched a new suite of products and services designed to help companies better manage their usage of open source Java components. Called Sonatype Insight, it leverages the open-source Maven Central Repository, which the company administers, to generate actionable intelligence about open-source-software usage at any stage of the app-dev process.

"The analysts will tell you that having an open-source governance or management program in place is the only way to ensure positive ROI from the use of open source," said Sonatype CMO Charles Gold. "And yet when we talk to developers -- not senior-level executives, but the people who are actually on the ground -- they're telling us that there are no standards in place at all, or that they have standards, but they're unenforceable, so they ignore them."

"This reminds me of the early days when I was at Red Hat and we'd talk to executive management and they'd say, 'Yeah, we're using Linux in some corner case workloads, some file and print servers,'" Gold added. "Then we'd go talk to developers and find that Linux was all over their enterprise, and running mission-critical workloads."

Commenting on this phenomenon earlier this year in a white paper ("A CIO's Perspective on Open-Source Software," Jan. 31, 2011), Gartner analyst Mark Driver wrote, "Above all other considerations, the primary factor in balancing risk versus reward from open source software assets hinges on the successful execution of an enterprise open-source governance program."

A recent analysis by Sonatype of the use by Global 2000 companies of open source Java components from the Central Repository revealed that virtually all industries, from retailing to aerospace, are dipping into the Repository. Global 10 banking organizations accounted for 2.6 million downloads and Global 100 software vendors accounted for 1.1 million.

This level of usage defies manual analysis, argues Sonatype's EVP of products Larry Roshfeld.

"Keep in mind that just ten years ago, the goal of most IT shops was to prevent open source from coming in," Roshfeld said. "Now that it's in the enterprise, organizations want to make that sure they're using the highest quality components, not unwittingly exposing themselves to security problems, and they want to know that they're not going to run into an IP or licensing problem."

One of the things that makes governing these components difficult, Gold said, is the nature of Java itself -- its deep transitive dependency creates vulnerabilities.

"Java components depend on other components, which may depend on tens of other components," he said. "You can have a problem lurking deep in a dependency tree that you're absorbing into your enterprise completely unwittingly."

The Insight suite tackles the problem with three integrated products designed to support component-based development and provide reporting and management capabilities for app managers, legal and compliance execs, info security people and IT leadership.

Sonatype has been in the news recently for partnering with Oracle and Red Hat to move project artifacts from Java.net and the JBoss Community to the open source Maven Central Repository, which Sonatype administers.

More information about Sonatype Insight is available here.