Take a Tour

Component Lifecycle Management (CLM)

Reduce risk in your critical applications by managing the software supply chain. Sonatype CLM provides the support needed by the development, security, operations and legal/compliance teams.

Sonatype speeds the development lifecycle by integrating guidance directly into the tools used to develop, build, and deploy software. Sonatype extends that trust into operations by providing ongoing monitoring and remediation for production applications.

Take Action

Free risk assessment determines your security, licensing & quality concerns.

Build Your Strategy

Get advice from Gartner or The451 on component management.

Speak to Someone

Learn more from the experts at Sonatype.

Empower developers to choose the right components from the start

  • Use comprehensive component intelligence to drive action
  • Start with the right components
  • Ensure component integrity throughout the lifecycle

Empower developers to choose the right components

By preventing problems up front you expedite the development process and eliminate costly rework later in the cycle. Given the volume and complexity of components, and the security, licensing and quality considerations that come with them, that is easier said than done. Many organizations start with flawed components that move through the development process and leave production applications vulnerable. CLM addresses this by providing component intelligence directly within the IDE so developers can select the best component from the start.

Use comprehensive component intelligence to drive action

Sonatype analyzes the components and delivers security, licensing and quality intelligence throughout the development lifecycle. This approach provides highly accurate information mapped precisely to the components in your application, eliminating the effort required to weed through false positives.

As sponsors of the Central Repository, Sonatype analyzes open source components placed in Central. Sonatype validates the origin of each component and analyzes its popularity, security and licensing data, then provides security, licensing and quality information about it. This component intelligence can be used to select the right components from the start and to make replacement decisions if you are using a flawed component. Sonatype supports custom metadata, which allows Sonatype policies to be driven by data from other tools. It also allows organizations that use Sonatype CLM to manage their custom components.

Start with the right components

The component intelligence is displayed directly within the IDE; the developer does not have to leave the IDE or learn a new tool to make good component choices. This information is also integrated into the Repository Manager and into Continuous Integration and build environments.

Start with the right components

Popularity, license and security alert intelligence is provided for all versions of a component. The developer can use the visual summary to select a component version.

Start with the right components

The developer can view detailed policy, licensing and security information about each component and component version to help inform component selection.

Ensure component integrity throughout the lifecycle

Sonatype ensures integrity of components throughout the lifecycle.

Sonatype provides component intelligence for the components that are checked into Central. This security, licensing and quality intelligence is used to drive policy and governance throughout the software lifecycle. Sonatype is uniquely positioned to secure the delivery channel between Central and your organization using SSL, which ensures that the component is not manipulated during delivery. Sonatype uses strongly signed hashes and checks the integrity of the component throughout the lifecycle. This allows you to detect intentional or inadvertent changes to the component.
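The integrity check described above, as an added example that is not Sonatype's code: the publisher side records a SHA-256 digest for each artifact it ships, and the consumer side recomputes the digest over the delivered bytes and refuses anything that no longer matches. The artifact names and bytes are constructed for the example, and only the hash comparison is shown; signing the manifest so that the digests themselves cannot be swapped, which the page refers to as strongly signed hashes, is a separate step not covered here.

```python
"""Hash-based integrity check for delivered components (added example, not Sonatype's code)."""
import hashlib
import hmac


def publish(artifacts: dict) -> dict:
    """Publisher side: map each artifact name to the SHA-256 hex digest of its bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


def verify(manifest: dict, delivered: dict) -> dict:
    """Consumer side: classify each delivered artifact as 'ok', 'tampered' or 'unlisted'.

    Manifest entries that never arrived are reported as 'missing'. An artifact that is
    not in the manifest is reported rather than silently accepted, and digests are
    compared with hmac.compare_digest so the comparison time does not depend on where
    the two strings first differ.
    """
    results = {}
    for name, data in delivered.items():
        expected = manifest.get(name)
        if expected is None:
            results[name] = "unlisted"
            continue
        actual = hashlib.sha256(data).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for name in manifest:
        if name not in delivered:
            results[name] = "missing"
    return results


# Constructed sample artifacts: the bytes stand in for jar contents.
PUBLISHED = {
    "commons-foo-1.2.jar": b"PK\x03\x04 original foo classes",
    "bar-core-3.0.jar": b"PK\x03\x04 original bar classes",
}
MANIFEST = publish(PUBLISHED)

# What arrived: foo intact, bar altered in transit, plus an artifact that was never published.
DELIVERED = {
    "commons-foo-1.2.jar": PUBLISHED["commons-foo-1.2.jar"],
    "bar-core-3.0.jar": PUBLISHED["bar-core-3.0.jar"].replace(b"original", b"modified"),
    "rogue-0.1.jar": b"PK\x03\x04 never in the manifest",
}

if __name__ == "__main__":
    for name, status in sorted(verify(MANIFEST, DELIVERED).items()):
        print(f"{status:9s} {name}")
```

Run as a script, the block prints one line per artifact; in a build pipeline the same `verify` result would gate whether the artifacts are admitted to the repository manager at all.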

Quickly identify your exposure & remediate flaws

  • Quickly identify at-risk apps & prioritize work
  • Expedite decisions using replacement recommendations
  • Quickly fix problems through single click migration
  • Fix applications early in the dev lifecycle

Quickly identify your exposure & remediate flaws

You have applications in production or currently in development, and those components and applications are not static: new vulnerabilities are discovered, and new component versions are released every day. You need the ability to assess your exposure accurately and continuously. CLM provides the ability to assess and prioritize your exposure, select components to replace the flawed ones, and perform the replacement, all within the IDE.

Quickly identify at-risk apps & prioritize work

Sonatype precisely matches component versions to known security vulnerabilities and to licenses and their obligations. This information is made available throughout the lifecycle as a CLM report, or integrated directly into the repository manager, IDE and build/CI tools. A visual threat indicator driven by the policies (which can be a combination of security, licensing and architecture policy) can be used to prioritize a response.

Quickly assess which components are at risk based on the policy definition. Quickly work through the prioritized list of problematic components by selecting and migrating to a new component.

Expedite decisions using replacement recommendations

Using popularity, license and security alert intelligence, select a replacement for the flawed component.

Expedite decisions using replacement recommendations

Refer to detailed component intelligence to inform your replacement selection.

Expedite decisions using replacement recommendations

It's not just about discovery: once you have identified and prioritized the most important items, you need to determine what to do. Sonatype provides guidance to the developer so they can easily pick the best component to remediate a flaw.

Once you have selected the replacement component, simply push the migrate button to replace the component.

Quickly fix problems through single click migration

We all know that it costs more to fix flaws later in the development lifecycle. Even if you pick the right component from the beginning, flaws may still appear, since new security vulnerabilities or licensing issues may be discovered down the road, or a new version of a component may be released that is more appropriate for your application. Once you select a replacement based on Sonatype's component intelligence, you can replace the component by automatically refactoring it in your IDE.

A side-by-side comparison makes it easy to view the changes. Push a button to automatically refactor your application to use the new component.

Fix applications early in the dev lifecycle

Sonatype provides proactive alerts so that you can identify and fix things early in the lifecycle.

Precisely identify your components, repository & application inventory

  • Use precise matching to provide an accurate inventory
  • Review the OSS components your developers have downloaded
  • Inventory the components in your critical apps
  • Assess the health of your repository

Precisely identify your inventory

The sheer number and complexity of components, and the hidden dependencies between them, make it difficult to get an accurate picture of your applications and complicate the inventory process. Recent research indicates that 65% of organizations do not manage components effectively. And if you can't inventory what you have, how can you expect to manage it? The first step to managing your components is to determine what components you have.

Use precise matching to provide an accurate inventory

To provide precise binary matching without the false positives of source code scanning or the false negatives of simple binary matching, Sonatype has invented a new, patent-pending method called Advanced Binary Fingerprinting. With this method, Sonatype is able to precisely identify components even when they have been repackaged, rebuilt, or otherwise altered. This method allows proper assignment of security, quality and licensing data to a specific component and version. Advanced binary matching is both fast and precise. A large application can be analyzed and a precise bill of materials delivered in minutes.

Review the OSS components your developers have downloaded

You can develop a quick, preliminary risk assessment by looking at the OSS components that have been downloaded into your organization. We'll help you understand which components your organization is using, and where you might find potential security, licensing, or quality risks.

Get an overview of your download activity and quickly assess the risk associated with components that have entered your organization.

Review the OSS components your developers have downloaded

Quickly see the breakdown of security and licensing vulnerabilities and the potential threat they pose to your organization.

Review the OSS components your developers have downloaded

Detailed inventory information, with security, licensing and version details, is included in the report. This detailed view shows a list of components that have security issues.

Inventory the components in your critical apps

It's important to understand what your developers have downloaded, but it's even more critical to know what is being used to assemble applications. CLM provides you with an accurate application inventory report within seconds. You can quickly understand your application's composition and uncover potential security, licensing, and quality problems. This information is also integrated directly into the development tools.

Inventory the components in your critical apps

View the component inventory during the build and continuous integration stage.

Assess the health of your repository

Repository managers like Nexus have become essential infrastructure for component-based software development. Analyzing the components in your repository provides visibility into the components that your developers are using to build applications. Sonatype CLM provides the ability to determine the overall health of your repository with the Repository Health Check.

Quickly assess the health of the components in your repository by viewing a prioritized list of components ordered by the policy threat summary. Quickly compare the version in your repository to other versions based on popularity and time of release.

Assess the health of your repository

View detailed intelligence about the components in your repository to assess your security, licensing and quality profile.

Implement flexible policies that speed agile development with guidance for each lifecycle stage

  • Administrate policies at the enterprise level
  • Take action using agile-based policies

Implement flexible policies that speed agile development with guidance for each lifecycle stage

Sonatype makes it easy to manage your components with developer-friendly policies that can be administered centrally and enforced with appropriate actions directly in the development lifecycle. This starts with creating and managing policies that span the security, licensing and architecture disciplines, each managed by the appropriate constituents. The security team can manage the security aspect independently of the OSS compliance team responsible for OSS license concerns. Finally, the architecture team can define policies that provide technical guidance to the developers.

Administrate policies at the enterprise level

Sonatype CLM allows you to implement flexible policies that speed agile development with guidance tailored for each lifecycle stage. Team members from the security, licensing and architecture teams can create policies that drive action appropriate for each lifecycle stage.

Policies define the organizational risk tolerance for security, licensing and architecture. Policies provide visibility into component misuse and allow components to be managed through the SDLC. Actions can be defined to prevent components from reaching well-defined stages within the SDLC.

Administrate policies at the enterprise level

Policies can be created by the security, licensing and architecture teams. Let's explore a Security-Medium policy. The Security-Medium policy is designed to catch all components that have a medium security risk (CVSS score between 4 and 7). The Common Vulnerability Scoring System (CVSS) is a quantitative scoring system commissioned by the National Infrastructure Advisory Council. The purpose of this policy is to give developers as much time as possible to mitigate the risk before the final enforcement of not allowing the application to be released.

The developer is warned upon procurement and inside the IDE. The build engineer is warned if the build creates an application containing the component. The repository manager is warned when the build system promotes the build to staging. Finally, if the issue still persists, the release fails. At any time during this process, if the organization deems the risk acceptable, a waiver can be applied and the component will no longer fail the policy.

Administrate policies at the enterprise level

Policy constraints are configured using an easy to use interface.

This policy constraint specifies 4 conditions. One condition checks for the Waived-Security label to validate the acceptance of organizational risk. Two conditions are used to match the CVSS score range. The final condition checks whether a status of Not Applicable has been set, since a specific risk within a component may not apply to the way an application is using that component.

Take action using agile-based policies

With a single policy, Sonatype allows you to take appropriate action at each level of the lifecycle. In this security example, we see how a security policy provides the flexibility a developer needs to try new components early in the lifecycle while providing appropriate notifications. If the component is not approved by the time the application goes into production, the promotion step is blocked.
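The Security-Medium policy and its staged actions, as an added example that is not Sonatype's code: a component violates the policy when its CVSS score sits in the medium band, it carries no Waived-Security label, and the finding has not been marked Not Applicable (the four conditions from the constraint above), and the action taken for a violation escalates from a warning at procurement, build and staging to a failure at release. The stage names, the treatment of the band boundaries (4.0 inclusive, 7.0 exclusive), the data layout and the sample components are all assumptions made for this example; a component scoring above the band passes this particular policy and would be the job of a separate higher-severity policy, which the page does not describe.

```python
"""Staged enforcement of a component security policy (added example, not Sonatype's code)."""
from dataclasses import dataclass, field

# Lifecycle stages in the order a component passes through them (assumed names).
STAGES = ("procure", "build", "stage", "release")


@dataclass
class Component:
    name: str
    cvss: float                  # highest CVSS base score among known findings, 0.0 if none
    labels: set = field(default_factory=set)
    status: str = "open"         # "open" or "not_applicable" (risk does not apply to this use)


@dataclass
class Policy:
    name: str
    min_score: float             # lower bound of the score band (inclusive, assumed)
    max_score: float             # upper bound of the score band (exclusive, assumed)
    waiver_label: str            # label recording that the organization accepted the risk
    actions: dict                # stage -> "warn" or "fail"

    def violates(self, c: Component) -> bool:
        """The four conditions of the constraint: two score checks, the waiver label, the status."""
        in_band = self.min_score <= c.cvss < self.max_score
        waived = self.waiver_label in c.labels
        return in_band and not waived and c.status != "not_applicable"

    def evaluate(self, c: Component, stage: str) -> str:
        """Return 'pass', 'warn' or 'fail' for one component at one lifecycle stage."""
        if stage not in self.actions:
            raise ValueError(f"no action defined for stage {stage!r}")
        return self.actions[stage] if self.violates(c) else "pass"


SECURITY_MEDIUM = Policy(
    name="Security-Medium",
    min_score=4.0,
    max_score=7.0,
    waiver_label="Waived-Security",
    actions={"procure": "warn", "build": "warn", "stage": "warn", "release": "fail"},
)


def evaluate_all(policy: Policy, components, stage: str) -> dict:
    """Evaluate every component at one stage; returns component name -> outcome."""
    return {c.name: policy.evaluate(c, stage) for c in components}


def promotion_blocked(policy: Policy, components, stage: str) -> bool:
    """A stage is blocked when any component fails the policy there."""
    return "fail" in evaluate_all(policy, components, stage).values()


def apply_waiver(c: Component, policy: Policy) -> Component:
    """Record acceptance of the risk; the component then no longer fails this policy."""
    return Component(c.name, c.cvss, set(c.labels) | {policy.waiver_label}, c.status)


# Constructed sample application: names and scores are made up for the example.
SAMPLE = [
    Component("lib-a-1.0", cvss=5.3),                              # medium, unhandled
    Component("lib-b-2.1", cvss=5.3, labels={"Waived-Security"}),  # medium, risk accepted
    Component("lib-c-0.9", cvss=6.0, status="not_applicable"),     # medium, does not apply here
    Component("lib-d-4.4", cvss=9.1),                              # above the band: not this policy's job
    Component("lib-e-1.7", cvss=0.0),                              # no known findings
]

if __name__ == "__main__":
    for stage in STAGES:
        outcomes = evaluate_all(SECURITY_MEDIUM, SAMPLE, stage)
        print(f"{stage:8s} blocked={promotion_blocked(SECURITY_MEDIUM, SAMPLE, stage)} {outcomes}")
```

Run as a script, the block shows the same unhandled medium finding producing a warning at the first three stages and blocking promotion only at release, and `apply_waiver` shows how recording accepted risk turns that failure back into a pass without editing the policy itself.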

Proactively monitor & analyze production applications to meet regulatory compliance goals

  • Detect emerging threats
  • Analyze & report enterprise risk

Proactively monitor & analyze production applications to meet regulatory compliance goals

Once your applications make it to production, they aren't static, and neither are the components used to construct them. You need to monitor continuously and be able to remediate applications if new flaws are found. Sonatype provides ongoing, continuous monitoring of your production applications and will proactively alert you to newly discovered vulnerabilities.

Detect emerging threats

Proactive monitoring is critical to identify anomalies early in the production process as well as newly discovered vulnerabilities. As components age, there is a greater likelihood that exposures will be discovered by hackers. Sonatype identifies those new vulnerabilities and proactively notifies you in the context of your applications.

  • Assess production risk by looking at violations, applications or policies
  • Quickly profile the status of production applications
  • Proactive alerts for newly discovered vulnerabilities

Analyze & report enterprise risk

Real-time visibility through executive dashboards provides continuous enterprise-wide risk profiles, while policy-level reporting ensures compliance.

  • Assess compliance by looking at violations, applications or policies
  • View component vulnerabilities by policy priority
  • Trend information provides context for decisions
  • Proactive notification of events in real time

Getting started is simple no matter where you are in your application security efforts:

Take Action

Free risk assessment determines your security, licensing & quality concerns.

Build Your Strategy

Get advice from Gartner or The451 on component management.

Speak to Someone

Learn more from the experts at Sonatype.