Getting Started with Sonatype

Quickly and easily gain full visibility and control over the open source and third-party components used in your applications with our open source risk management tools.

Does your organization develop applications? Then you are probably using open source software (OSS) components – and you’ve come to the right place. In fact, research shows that 90% of an average application is assembled with open source components downloaded from public repositories, such as the (Maven) Central Repository.

Open source has clearly fueled a lot of innovation in recent years; however, open source usage can be hard to manage and introduces unnecessary risk to your organization.

Most organizations can't answer basic questions like:

  • What open source components are being used?
  • Where are these components being used?
  • What is the "Bill of Materials" for my application?
  • Am I using open source components with known vulnerabilities?
  • What are the security, licensing and quality risks for each component in my application?

Avoid open source risk.
It's the easiest thing you can do to close a huge security gap. Fast.

Some application security challenges just can't be avoided, and unfortunately they often take a long time to identify and remediate. But open source risk, which can be quite serious, is easily avoidable with the right tools.

Use automation to control what's in your software.

27,000 open source components are downloaded every hour of every day. Automated inventory and monitoring of risky components must be a mandatory part of modern software development.

Avoid open source risk.
Stop using vulnerable components.

Make it easy for developers to choose the safest, highest quality open source components. Open source governance and security must be integrated into the tools developers use every day.

Know what and where new vulnerabilities affect you.

With continuous monitoring, you'll instantly know which applications are affected when new vulnerabilities are discovered and learn which component versions are safest. With CLM, open source governance is built in, not bolted on.

Accelerate development while reducing open source risk.
From the start, developers can easily avoid:

Security Risk
Identify precise threat levels for each component and its dependencies based on Sonatype's proprietary 4-part CVE curation process. We make CVE alerts easily actionable.

License issues
Discover declared and observed component licenses which are incompatible with your organization's policies. Automate policy enforcement and manually manage only the exceptions.

Quality concerns
Choose the better quality component based on factors such as age and popularity. Not all components are created equal. Developers can easily make the smartest choice from the start.

At-a-glance: Nexus Repository Managers

An upgrade to the Nexus Professional repository manager enables development teams to enjoy the benefits of agile component-based development in a streamlined and structured environment. Three versions of Nexus are available:

Nexus OSS

A basic, community version of a Nexus repository manager available at no charge.

Nexus Professional

An enterprise class repository manager with enhanced features and support, including:

  • Smart proxy to enable sharing and management of components across the enterprise
  • Full support covering installation, configuration and usage
  • Staging and promotion to test, promote or discard for near-continuous delivery
  • Repository Health Check to identify components with security, license and quality issues

Nexus Professional CLM Edition

An upgrade to the Nexus Professional repository manager that empowers developers to easily choose the best components from the start, with component intelligence built into the build and release process. Ensure that your applications meet security, licensing and quality standards before they advance through the release management process.


Component Lifecycle Management (CLM) offers a new way to identify, manage and monitor every component and its dependencies throughout the software lifecycle. CLM enables organizations to realize the promise of agile, component-based software development while avoiding security, quality and licensing risks.

Sonatype CLM for Risk

An introductory solution to help you quickly and proactively identify the component security, licensing and architecture risk in your applications, especially those already in production. It lets you:

  • Create a full "bill of materials" for each application and a consolidated inventory of components across applications
  • Identify and visualize overall security, license and quality risk at the component and application level
  • Continuously and automatically monitor for new risks, including risk alerts that pinpoint which applications are at risk.

Sonatype CLM for Risk & Remediation

A complete solution to achieve governance across the entire software lifecycle. Includes Nexus Pro and CLM for Risk, plus the ability to:

  • Find and fix risky components early in development using tools developers use every day
  • Centralize, automate and enforce policies to ensure risks are managed throughout the software lifecycle
  • Achieve defense-in-depth with multi-point policy across the entire software lifecycle
  • Streamline DevOps efforts with release management policies

Assess your current application risk in 2 minutes – it’s confidential and free.

As a free community service, Sonatype offers a proprietary application analysis tool you can use to identify potential open source related risk. It’s an easy first step toward open source risk management. Use our Application Health Check to:

  • Confidentially and quickly analyze your Java open source components
  • Create a "bill of materials" inventory of precisely which components are used and where
  • Identify specific security, quality and license risks
  • Analyze both internal and third party applications
  • Determine if your current open source governance policies & procedures are working