Our data research team is always looking for ways to expand Sonatype Lifecycle's coverage with new sources and feeds of data. A little under a year ago, we stumbled across OSS Index.net. Initially, we were intrigued by the coverage of ecosystems we had not yet fully researched. However, as we opened a dialogue and engaged in a formal relationship with Ken Duck, founder and CEO of Vor Security, the company behind OSS Index, it became apparent that this was not just another run-of-the-mill data aggregation feed.
What most people don't realize is that so much of the reported data in places like NVD often lacks sufficient details to be truly precise and actionable. Sometimes it's even incorrect.
Security research is a specialized skill that requires a deep understanding of attack methods combined with software engineering expertise. Recognizing mistakes in reported information requires this unique skill set and can't be fully automated. At the end of the day, a human is required to interpret the results and ultimately determine where the vulnerability occurs. If your vendor isn't doing this for you, it is up to your team to sift through all the noise.
Like Sonatype, Vor understands the subtle deficiencies in the feeds commonly used by other tools, and undertook an effort to produce an efficient way to correct the data and make it useful to downstream consumers. Their approach to this solution involved processes and insights that were closely aligned with our own, which ultimately led to a human curation element as the final arbiter. Vor approached vulnerability correction and assignment from the project down to the components, which is the exact opposite of the Sonatype approach of finding the vulnerable code and tracking it back to the released component. By merging the top-down and bottom-up approaches, we can significantly increase our vulnerability coverage.
Sonatype's roots are in open source, starting with the early days of Apache Maven. In addition to serving as providers and caretakers of The Central Repository for over 10 years and creating M2Eclipse and many other tools, we have long made our tooling, such as Nexus Repository, available to open source projects and forges for free. This desire to do the right thing by the community, to make a difference, and to leave things better than we found them is another common bond we share with Vor Security.
Bringing Vor into the Sonatype fold will immediately allow us to increase ecosystem coverage, and OSS Index provides a platform to accelerate innovation in open source security research. We are pleased to welcome Vor Security to Sonatype.