In June, Sonatype announced the acquisition of Vor Security to extend their open-source component intelligence solutions’ coverage to include Ruby, PHP, CocoaPods, Swift, Golang, C, and C++.
Sonatype, well known as the creators of artifact repositories Apache Maven and Nexus, have extended their previously Java, JavaScript, .NET and Python centric component intelligence capabilities to include the new open-source ecosystems. The new capabilities are packaged in a new product, Nexus Lifecycle XC, and, like the existing Nexus Lifecycle product, are delivered via the Nexus IQ server.
Vor Security founder and CEO Ken Duck was responsible for creating the OSS Index, a free online index of known open-source software vulnerabilities. The index currently contains over 2.1 million packages and information on more than 120,000 vulnerabilities across a number of open-source ecosystems. Duck will join the product and engineering team at Sonatype.
Matt Howard, Sonatype CMO, told InfoQ:
Organisations value precision and accuracy in a DevOps context as well as breadth of coverage. This acquisition allows us to put more space between commodity products that tend to create high levels of false positives – this acquisition tackles the criticism that we are narrow in our scope and broadens our capability. This is a win-win component intelligence engine. DevOps customers can comfortably break builds knowing the intelligence is right, and waterfall customers can generate a bill of materials. We won’t be resting on our laurels – we’ll keep on investing time to curate the data for all these ecosystems and keep developing precision and accuracy. Initially, Nexus XC will be a free stock intelligence service available to Nexus Lifecycle customers.
The DevOps movement has spawned a subset, DevSecOps, whose concerns include shifting security left in the software development and delivery lifecycle and making security part of everyone’s job. Tools like Nexus Lifecycle allow developers to receive component intelligence in their integrated development environments (IDEs) as they compose applications, and to make informed changes that reduce the number of vulnerable components making it through the route to live and onto production platforms.
Details of the financial terms of the acquisition have not been disclosed.