Sonatype Acquires Vor Security to Expand Nexus Open-Source Component Support

by Helen Beal on Jun 30, 2017. Estimated reading time: 1 minute

In June, Sonatype announced the acquisition of Vor Security to extend their open-source component intelligence solutions’ coverage to include Ruby, PHP, CocoaPods, Swift, Golang, C, and C++.

Sonatype, well known as the creators of the artifact repositories Apache Maven and Nexus, have extended their previously Java-, JavaScript-, .NET- and Python-centric component intelligence capabilities to cover these new open-source ecosystems. The new capabilities are packaged in a new product, Nexus Lifecycle XC, and, like the existing Nexus Lifecycle product, are delivered via the Nexus IQ server.

Vor Security founder and CEO Ken Duck was responsible for creating the OSS Index, a free online index of known open-source software vulnerabilities. The index currently contains over 2.1 million packages and information on more than 120,000 vulnerabilities across a number of open-source ecosystems. Duck will join the product and engineering team at Sonatype.

Matt Howard, Sonatype CMO, told InfoQ:

Organisations value precision and accuracy in a DevOps context as well as breadth of coverage. This acquisition allows us to put more space between commodity products that tend to create high levels of false positives – this acquisition tackles the criticism that we are narrow in our scope and broadens our capability. This is a win-win component intelligence engine. DevOps customers can comfortably break builds knowing the intelligence is right, and waterfall customers can generate a bill of materials. We won’t be resting on our laurels – we’ll keep on investing time to curate the data for all these ecosystems and keep developing precision and accuracy. Initially, Nexus XC will be a free stock intelligence service available to Nexus Lifecycle customers.

The DevOps movement has spawned a subset, DevSecOps, whose concerns include shifting security left in the software development and delivery lifecycle and making security part of everyone’s job. Tools like Nexus Lifecycle give developers component intelligence inside their integrated development environments (IDEs) as they compose applications, so they can make informed changes early and reduce the number of vulnerable components that reach production platforms.

Details of the financial terms of the acquisition have not been disclosed.
