Sonatype, the main company which drives Maven development, has joined a growing list of companies which aim to help organisations understand and audit their open source software usage, with the announcement of the Sonatype Insight software suite.
The suite comprises three modules - Management Insight, Application Insight and Development Insight. Collectively these tools provide an analysis of what types of open source components enterprises are using in their software, and they also show where that software came from and what licensing should be used. In addition, the Sonatype package can provide a view into what, if any, software already installed on servers could clash with new open source components, thereby limiting the risk of a system failure or other potential business loss.
Whilst the suite is tool agnostic, supporting Maven, Ant, Eclipse, Jenkins, Hudson, and others, it relies on Maven's Central Repository, which has been maintained and financially supported by Sonatype since 2007. Central currently contains more than 300,000 Java components (approaching 90% of open source Java projects) and is, according to figures released by the vendor, used by 42,000 development organisations per month, including more than half of the Global 2000.
Given this reliance on the Central Repository, its integrity is clearly paramount. "There are multiple layers of security that protect the integrity of the Central Repository," Larry Roshfeld, EVP of products at Sonatype, told us, continuing:
These include controls over who can contribute a component, verification of the components as they are added to the Central Repository, physical security of the servers that host the Central Repository, and digital signatures that allow users to ensure that the components that they use have not been altered. Given the critical role of the Central Repository in the software development processes of so many organizations, as a matter of policy we don't publicly discuss security details.
Open source components have become pervasive in the enterprise. By 2016, according to Gartner's "A CIO's Perspective on Open-Source Software" report, they will be included in mission-critical software portfolios within 99% of Global 2000 enterprises - up from 75% in 2010.
The analyst firm has long argued that open source software is not without risks. Writing on the topic in 2008, Laurie Wurster, Research Director at Gartner, stated:
Just because something is free doesn't mean that it has no cost. Companies must have a policy for procuring OSS, deciding which applications will be supported by OSS, and identifying the intellectual property risk or supportability risk associated with using OSS. Once a policy is in place, then there must be a governance process to enforce it.
Mark Driver, Research Vice President, Gartner, makes a similar point in the aforementioned CIO Perspective report:
Without a governance program and an accompanying management policy, the IT organization cannot hope to manage, audit or track open-source assets that come into or leave the enterprise, and it cannot measure the appropriate use of open-source assets within the broader IT portfolio. At best, an IT organization can simply react tactically to risks (e.g., catastrophic technical failures) after the fact.
The Linux Foundation, along with several other organisations and software companies, is working on a machine-readable license packaging standard called SPDX (note the domain is down at the time of writing), which will help determine what licenses and software components are associated with each package. This standard is being supported by a variety of code-scanning companies, such as Black Duck and Protecode, which provide programs that allow vendors to scan their software during the production phase to ensure that whatever is deployed to end users is licensed appropriately. Sonatype supports the standard, Roshfeld told InfoQ, but
it is not yet widely implemented among the 300,000+ open source components that we track. Consequently, we use a number of different techniques to identify component licenses, including scanning the POM (Project Object Model) for Maven based projects, and scanning sources for all projects.
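As an added example (not Sonatype's code), here is what the two points above amount to in a build pipeline: reading a component's declared license from its POM and verifying the downloaded artifact against the checksum Central publishes beside it. The POM, artifact bytes and checksum are constructed for the example; the SPDX hint table is an assumption covering only a few licenses.

```python
import hashlib
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed, abbreviated POM for a hypothetical component (not a real artifact).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>widget</artifactId><version>1.2.3</version>
  <licenses>
    <license>
      <name>The Apache Software License, Version 2.0</name>
      <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
    </license>
  </licenses>
</project>"""

# Constructed stand-in for the artifact bytes and for the checksum that Central
# publishes beside each artifact in a .sha1 file (here computed from the sample).
SAMPLE_JAR = b"PK\x03\x04 constructed bytes, not a real jar"
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_JAR).hexdigest()

# Assumed mapping: substrings of POM license names/URLs to SPDX identifiers.
SPDX_HINTS = {
    "apache.org/licenses/LICENSE-2.0": "Apache-2.0",
    "opensource.org/licenses/MIT": "MIT",
    "gnu.org/licenses/gpl-3.0": "GPL-3.0-only",
}


def pom_licenses(pom_xml):
    """SPDX identifiers declared in <licenses>; 'UNKNOWN' when no hint matches."""
    root = ET.fromstring(pom_xml)
    ids = []
    for lic in root.iterfind(f"{POM_NS}licenses/{POM_NS}license"):
        text = (lic.findtext(f"{POM_NS}url") or "") + " " + (lic.findtext(f"{POM_NS}name") or "")
        ids.append(next((v for k, v in SPDX_HINTS.items() if k in text), "UNKNOWN"))
    return ids


def checksum_matches(artifact, published_sha1):
    """True when the downloaded bytes hash to the checksum the repository published."""
    return hashlib.sha1(artifact).hexdigest() == published_sha1.strip().lower()


def check_component(pom_xml, artifact, published_sha1):
    """Combine both checks the way a build gate would, refusing unknown licenses."""
    licenses = pom_licenses(pom_xml)
    integrity = checksum_matches(artifact, published_sha1)
    return {"licenses": licenses, "integrity": integrity,
            "accept": integrity and "UNKNOWN" not in licenses}
```

A PGP signature check against the artifact's .asc file would sit alongside the checksum comparison; it is omitted here to keep the example offline.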
Insight differs from the majority of code scanning tools in that it is intended to be integrated directly into software development at every stage of the process. Roshfeld told us:
Scanners such as Black Duck are typically brought in by legal or compliance at the end of the software development lifecycle. They typically take quite a long period to run, generate an enormous amount of information, and require a lot of manual research to determine if there are real problems in the code. And when problems are identified, they require significant rework by the development organization, increasing project costs and impacting delivery schedules. By contrast, Insight is designed for developers and development management -- it's fast and precise and helps you find problems all along the way. Many of our customers use both Insight and a scanner. The other key point is that we are the stewards of the Central Repository where most developers go to get their open source components. This is a unique vantage point and makes us both consumption aware and update aware -- we can help you understand exactly what you're downloading, and when and why a component has been updated.
Management Insight and Development Insight are priced based on the number of users. Application Insight is priced based on the number of applications analysed and monitored. A typical customer can get started for an annual subscription of less than $20,000, according to Sonatype.