Sonatype has launched Insight Application Health Check, an application component analysis service designed to assess the integrity of open-source components at every phase of the software lifecycle. Positioning itself as a Component Lifecycle Management (CLM) player, the company says the service is a means of understanding the potential risks and opportunities associated with each component in use.
NOTE: The company says its services go deep to find flawed components, even when they’re hidden in an application’s dependency tree.
Citing figures which report that more than 80 percent of a typical Java application is assembled from existing open-source components and frameworks, Sonatype warns that “most organizations” have only a limited understanding of the true composition of their most critical applications — which can leave them exposed to potential security, quality, and intellectual property risks.
These tools are intended for individual developers, compliance officers (if they exist), or any other “application lifecycle stakeholder”, which is vendor language for “anybody at all”. The on-demand service analyzes the composition of software applications and provides visibility into previously unknown risks caused by incorporating what Sonatype wants to label as “problematic” open-source components.
Users can generate a free summary report that provides a breakdown of every component in the application and alerts them to potential security and licensing problems. To drill down and explore specific vulnerabilities, there is a cost.
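To make the kind of analysis described above concrete, here is an added example (not Sonatype's code and not the Insight service itself) of the basic mechanics: walk a Maven-style dependency tree, record whether each component is direct or transitive, and cross-reference component coordinates against an advisory list to flag security and licensing problems. The dependency tree, the group/artifact names and the advisory entries (including the `ADV-0001` id) are all constructed for the example; the line format mirrors the text output of `mvn dependency:tree`.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of `mvn dependency:tree` text output
# (groupId:artifactId:packaging:version:scope). All names and versions are made up.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.example.web:web-core:jar:2.3.1:compile
[INFO] |  +- org.example.util:text-utils:jar:1.4.0:compile
[INFO] |  \\- org.example.log:fastlog:jar:0.9.2:compile
[INFO] +- org.example.json:json-parse:jar:3.0.0:compile
[INFO] |  \\- org.example.util:text-utils:jar:1.4.0:compile
[INFO] \\- org.example.test:unit:jar:5.1.0:test
"""

# Constructed advisory list with placeholder ids; not real advisories or real policy.
ADVISORIES = [
    {"group": "org.example.log", "artifact": "fastlog", "fixed_in": "1.0.0",
     "kind": "security", "detail": "placeholder ADV-0001: unsafe deserialization, fixed in 1.0.0"},
    {"group": "org.example.util", "artifact": "text-utils", "fixed_in": None,
     "kind": "license", "detail": "constructed policy: copyleft license not approved for distribution"},
]

@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int  # 0 = the application itself, 1 = direct dependency, >1 = transitive

@dataclass(frozen=True)
class Finding:
    component: Component
    kind: str    # "security" or "license"
    detail: str

# Tree-drawing prefix (| + \ - and spaces), then the coordinate string.
_LINE = re.compile(r"^\[INFO\] ([|+\\ -]*)(\S+)$")

def parse_version(v: str) -> tuple:
    """Numeric dotted versions only (e.g. '1.4.0'); enough for this demo."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_tree(text: str) -> list:
    """Turn the textual tree into Components, deriving depth from the prefix width."""
    comps = []
    for raw in text.splitlines():
        m = _LINE.match(raw.rstrip())
        if not m:
            continue
        prefix, coord = m.groups()
        depth = len(prefix) // 3          # each nesting level is 3 characters wide
        parts = coord.split(":")
        group, artifact, _packaging, version = parts[:4]
        scope = parts[4] if len(parts) > 4 else "root"
        comps.append(Component(group, artifact, version, scope, depth))
    return comps

def analyze(components: list, advisories: list) -> list:
    """Match every dependency (direct or transitive) against the advisory list."""
    seen = {}
    for c in components:
        if c.depth == 0:
            continue                      # the application itself is not a dependency
        for adv in advisories:
            if (c.group, c.artifact) != (adv["group"], adv["artifact"]):
                continue
            if adv["fixed_in"] and parse_version(c.version) >= parse_version(adv["fixed_in"]):
                continue                  # already on a fixed version
            key = (c.group, c.artifact, c.version, adv["kind"])
            # Keep the shallowest occurrence: that is the one a developer can act on directly.
            if key not in seen or c.depth < seen[key].component.depth:
                seen[key] = Finding(c, adv["kind"], adv["detail"])
    return sorted(seen.values(), key=lambda f: (f.component.depth, f.component.artifact))

def summary(text: str, advisories: list = ADVISORIES) -> dict:
    """Summary report: component counts plus the list of findings."""
    comps = parse_tree(text)
    return {
        "components": sum(1 for c in comps if c.depth > 0),
        "direct": sum(1 for c in comps if c.depth == 1),
        "findings": analyze(comps, advisories),
    }

if __name__ == "__main__":
    s = summary(SAMPLE_TREE)
    print(f"{s['components']} dependency entries ({s['direct']} direct)")
    for f in s["findings"]:
        c = f.component
        where = "direct" if c.depth == 1 else f"transitive (depth {c.depth})"
        print(f"[{f.kind}] {c.group}:{c.artifact}:{c.version} {where}: {f.detail}")
```

The point the sample makes is the one in the note above: neither flagged component is declared by the application itself; both arrive transitively through a direct dependency, so a check that only reads the top-level build file would miss them. A production analysis would also need to resolve version ranges, handle non-numeric version schemes, and consult a maintained advisory feed rather than a hard-coded list.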
“Up until now, organizations either had to deal with technical and business risks or invest in expensive and cumbersome scanning technologies and consulting engagements,” said Wayne Jackson, CEO of Sonatype. “Now they have an affordable alternative that yields results in minutes versus days and weeks.”
All Sonatype CLM products leverage the Central Repository — the software industry’s repository for open-source software (OSS) components used by more than 60,000 organizations and containing more than 400,000 Java components from all major open-source projects.
As independent as this is, Sonatype is in fact the principal caretaker of the Central Repository.