Skip Navigation

Sonatype Acquires Vor Security; Introduces Nexus Lifecycle XC


Nexus Open Source Intelligence is extending coverage to include Ruby, PHP, CocoaPods, Swift, Golang, C, and C++ in addition to Java, JavaScript, NuGet, and PyPI

Fulton, MD - June 29, 2017 - Sonatype, a leader in software supply chain automation, today announced that it has acquired Vor Security. Ken Duck, founder and CEO of Vor will join the product and engineering team at Sonatype to continuously expand and refine the open source component intelligence service that underpins the Nexus platform.

As founder and CEO of Vor, Duck created the OSS Index, an innovative and free online index of known open source software vulnerabilities. Today, the index contains more than 2.1 million packages and detailed information on more than 120,000 vulnerabilities across an array of open source ecosystems.

Sonatype also introduced today Nexus Lifecycle XC, a new data service delivered via the Nexus IQ server that will provide organizations with component intelligence covering a wide swath of open source ecosystems and formats including Ruby, PHP, Swift, CocoaPods, Golang, C, and C++.

Landscape of Open Source Intelligence

Compared to the precisely accurate open source intelligence offered by Nexus Lifecycle for Java, JavaScript, NuGet, and PyPI -- traditional vendors of Software Composition Analysis (SCA) tools have long provided commodity open source intelligence across a broad spectrum of ecosystems.

Over time, organizations have come to value the unique accuracy of Nexus Lifecycle data for Java, JavaScript, NuGet, and PyPI; but they still require open source intelligence for a wide variety of other ecosystems.  Beginning today, Sonatype is delivering a win-win intelligence engine that combines the depth of Lifecycle data for machine automated open source controls with the breadth of Lifecycle XC data for foundational open source governance.

Supporting Quotes

“Empowering software development teams with broad and precise visibility into the open source supply chain is critical to practicing proper application security hygiene. Sonatype’s world-class team has led the way in bringing remarkably accurate component intelligence to the forefront of the DevOps movement, and I am excited to join forces with their amazing team and continue the journey.” -- Ken Duck, CEO, Vor Security

“Since its introduction in 2012, Nexus Lifecycle has seen tremendous acceptance in the market because it provides remarkably precise and accurate intelligence with respect to open source components across Java, JavaScript, NuGet, and PyPI. While enterprise customers, especially those practicing DevOps, place a premium value on the accuracy and precision of our Nexus Lifecycle data, they also need intelligence for a wide variety of other formats and ecosystems. The combination of Lifecycle and Lifecycle XC gives customers the best of both worlds -- a premium intelligence service that fully automates enforcement of open source policies inside of a DevOps pipeline, plus a stock data intelligence service to inform basic hygiene for all other ecosystems.” -- Wayne Jackson, CEO, Sonatype

“Establishing, managing and maintaining trust in a digital world requires an integrated approach to embed and quantify trust throughout the entire SDLC. Application leaders should rethink their SDLC to be more like a trusted supply chain, taking into account the multiple dependencies and actors.” -- Mark Driver, Felix Gaehtgens, Mark O’Neill, Gartner, “Managing Digital Trust in the Software Development Life Cycle”, May 2017 report

Additional Resources

About Sonatype

Sonatype is the leading provider of DevOps-native tools to automate modern software supply chains. As the creators of Apache Maven, the Central Repository, and Nexus Repository, Sonatype pioneered componentized software development and has a rich history of supporting open source innovation. Today, more than 120,000 organizations depend on Sonatype’s Nexus platform to govern the volume, variety, and quality of open source components flowing into modern software applications. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Hummer Winblad Venture Partners, Morgenthaler Ventures, Bay Partners and Goldman Sachs. Learn more at

SpeakerBox Communications for Sonatype
Jennifer Edgerly