Sonatype Expands its Fully Automated Open Source Security and Governance Solution to Support C/C++, PHP and Ruby


Nexus Lifecycle now allows users to scan applications for open source software vulnerabilities, automatically enforce open source governance policies, and easily remediate open source risk for 27 different languages and package formats.

Fulton, MD – March 12, 2020 -- Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today announced it’s further expanded its language coverage within Nexus Lifecycle to include Conan (C/C++), Composer (PHP), and RubyGems (Ruby), including the ability to create and contextually enforce policies. By continuing to increase support for the most popular component formats, Nexus Lifecycle is helping millions of developers and security professionals to automatically govern open source hygiene across every phase of the software development lifecycle (SDLC).

With the addition of C/C++, PHP, and Ruby, Nexus Lifecycle now supports 27 programming languages and package formats, further meeting the diverse needs of enterprise development teams.

According to Sonatype’s 2019 State of the Software Supply Chain Report, 1 in 10 open source components downloaded by development teams had known security vulnerabilities. This doesn’t represent the number of components that will be discovered as vulnerable over time, nor potential open source licensing risk, about which organizations should also be concerned. The ability to automate open source governance, enforce policies, and remediate vulnerabilities is vital to application security in today’s world. In fact, the same report showed that managed software supply chains reduced the percentage of vulnerable components used in finished applications by 55%. 

“Organizations keep software applications safe, not by chance, but by preparation, and in many cases supported by automation. But, automation without accuracy can be detrimental, giving a false sense of security,” said Brian Fox, CTO of Sonatype. “Developers need broad and accurate component intelligence they can trust for proper security hygiene. By extending our coverage to even more languages, we’re providing our customers with more reliability and confidence, while increasing productivity.” 

In his recent November 2019 report, Technology Insight for Software Composition Analysis, Gartner Analyst Dale Gardner wrote, “Of those using OSS libraries within their IT portfolio, or planning to by year-end 2020, only 28% of respondents indicated they use automated tools to manage OSS components. Another 16% suggested they plan to have such a tool by year-end 2020.” He continued, “The consequences of such limited oversight are depressingly clear. The use of open source components containing known vulnerabilities provides an avenue for attackers to gain entrance to and control of systems and applications. As demonstrated by several widely publicized cases, these incidents can be costly and disruptive to the organization.” 

Organizations using Nexus Lifecycle and C/C++, PHP, and Ruby will now be able to:

  • Create custom security, license, and architectural policies and contextually enforce those policies across every stage of the SDLC
  • Select safer components throughout the software supply chain, and reduce risk 
  • Automatically enforce policies and view expert remediation guidance in the tools developers use every day

Sonatype remains committed to creating the most universally applicable, polyglot software supply chain automation tools. This is just one of many releases dedicated to expanding the languages with native support across the Nexus Platform. 

Additional Resources: 

About Sonatype

Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers.  Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit, or connect with us on Facebook, Twitter, or LinkedIn.