Sonatype Component Lifecycle Management (CLM)

Trusted by several of the top credit card companies, banks, IT equipment companies and aerospace companies.

Two CLM Product Options

CLM for Risk

Ideal for current and ongoing visibility into open source risk across applications.

CLM for Risk & Remediation

Ideal for complete open source component management across the software lifecycle.


Precisely Identify Components & Risks

Identify risks before they are built into your software:
  • Patent-pending advanced binary fingerprinting identifies all open source software and proprietary components, as well as their dependencies
  • Determines which components are an exact, partial or modified match


Create an Application Bill of Materials

Gain visibility into the risk in your software supply chain:
  • In just minutes, get a complete inventory of all components used in any application
  • Determine specific components and their dependencies by name, including any associated security, license and quality risks


Remediate Risks Early in Development

Deliver active component intelligence throughout the Software Development Lifecycle (SDLC):
  • Integrated with existing developer tools, e.g. Eclipse, Jenkins, Bamboo, Sonar and many more
  • Highlights which components violate your policies
  • One-click remediation allows developers to easily migrate to a safer version
  • Supports the SDLC with 'built-in' rather than 'bolt-on' security, eliminating the time and frustration of late-stage testing


Automate Policy Throughout the SDLC

Resolve priority defects at the earliest opportunity:
  • Automate policies to build an effective, secure software development lifecycle
  • Utilize 'out-of-the-box' policies to gain an immediate view of security, license and quality risk
  • Replace manual workflow and the burden of manual reviews
  • Catch vulnerabilities at any stage of the SDLC including consumption, development, continuous integration (CI), staging and production


Manage Risk with a Consolidated Dashboard

Define risk in highly consumable formats:
  • Executive dashboards display aggregate risk across apps, projects and/or components
  • Filter by applications, policies and SDLC stages
  • Utilize risk ranking to prioritize triage efforts


Continuously Monitor Apps for New Risks

React to new threats decisively and precisely:
  • Use our automated early warning system to identify new risks in your component inventory
  • Be alerted to new risks based on newly published vulnerabilities for all monitored components
  • View new vulnerabilities in the dashboard by component, risk level or applications affected
  • Improve incident response times with precise identification of components and apps to be remediated


Actionable, Developer-ready Security Data

Unique 4-step curation process makes National Vulnerability Database (NVD) data accurate and actionable:
  • Precise root cause of the issue and component dependencies are identified
  • Further analysis determines when the issue is relevant*
  • Developers can easily identify the exact vulnerable component in their repository
  • 2-4 hours of research are dedicated to every CVE (Common Vulnerabilities and Exposures) entry in the NVD
*Coming throughout 2014-2015


Multi-Format Component Support

The convenience of one tool to manage and reduce your open source risk across all major languages.
  • Supports the most common component formats, including Java, NuGet, npm, Gems, PyPI, CPAN, etc.*
  • Comprehensive repository support for Maven, NuGet, OSGi, Yum, and P2.
*Coming throughout 2014-2015


Request a CLM evaluation copy and, in 1 hour, answer these questions:

  • What components are used in your applications?
  • Which applications have the greatest component-based security, license and quality risk?
  • Have your current open source policies, golden repositories, whitelists and other processes been keeping you safe?
  • Which risks pose the greatest threat to your organization and how should they be prioritized for remediation?
