Clearly and easily assess open source risk.

Sonatype helps you build better, safer software even faster with the Nexus platform of Software Supply Chain solutions. Nearly 90% of the typical application is assembled with open source or third party building blocks known as “components.” Research shows that at least one critical vulnerability exists in 71% of these applications. The open source analysis integrated into Fortify on Demand gives users complete visibility into the risks associated with open source and third party components in their applications. This Software Composition Analysis (SCA) is fueled by Sonatype’s Nexus Lifecycle solution.

Upload, test and review. In just five minutes.

Open source risk analysis is done in just three easy steps. Upload your code to Fortify on Demand, request the “Open Source by Sonatype” analysis, and the results are delivered back to you in just a few minutes. With easy access in your dashboard, you can view the list of applications that use a particular component and drill down to an application, either from the Sonatype grid or from anywhere else in the portal, for a summary of the components found by the Sonatype review. From there, drill further into an interactive report to get the rich set of information, also provided by Sonatype. This 8-10 page report features easy-to-read charts detailing the known open source and third party component vulnerabilities responsible for security, license and quality issues in your application.

See a sample of the report. Read the product brief.

Why is open source analysis important?

Despite widespread dependence on open source and third party components to quickly assemble today’s applications, most organizations don’t have a clear picture of the overall quality of these components, including known security vulnerabilities or restrictive licenses. Without appropriate visibility to the parts flowing into this ‘software supply chain,’ outdated and defective parts are often used when better versions have been available for years.

Learn more about software supply chain inadequacies in this eBook, “Hidden Speed Bumps on the Road to Continuous.”

Who is Sonatype?

Sonatype makes it easy to create trusted applications and keep them that way over time. More than 60,000 customers rely on Sonatype to manage their open source, proprietary and third party components. Sonatype's Nexus Lifecycle solution empowers developers to select the best components early in the software lifecycle and easily remediate known vulnerabilities. Plus, policy automation, ongoing monitoring, and proactive alerts ensure these applications remain secure over time.
