Sonatype Launches New and Enhanced Open Source Software Index, Delivering Free Open Source Vulnerability Data to Millions of Developers
The newly improved Index is designed to easily integrate with developer tools like Maven Enforcer Plugin and OWASP Dependency Check

Fulton, MD – July 25, 2018 – Sonatype, the leader in automated open source governance, today announced a revamped and modernized OSS Index to provide developers with free and easily accessible information on known open source vulnerabilities. The Index provides multi-language support, easy implementation through a REST API, and native integrations with Maven Enforcer Plugin and OWASP Dependency Check.

“Sonatype’s roots are in open source. Not only are we the providers and caretakers of The Central Repository, but we believe in doing right by the community, making a difference where we can, and leaving things better than we found them,” said Brian Fox, CTO and Co-Founder of Sonatype. “With the new OSS Index, we’re enabling millions of developers to add a basic layer of security to their innovation efforts which is a good starting point for everyone in the open source community.”

Since Sonatype acquired OSS Index and its parent company Vor Security last year, the organization has been working to revamp the data feed, making it easier for developers to understand the value of basic open source governance.

Today, OSS Index is a simple and free way for developers to determine whether there are any known, publicly disclosed vulnerabilities associated with open source components. While the Index is derived entirely from public sources, and does not include human-curated intelligence or remediation guidance, it does house more than 2.6 million packages and information on 140,000 known vulnerabilities. Benefits include:

  • Easy implementation through a REST API, or through one of many open source tools
  • Native integrations with the Maven Enforcer Plugin and OWASP Dependency Check; additional ecosystems will be added over time
  • 7 supported languages (with more to come soon): Bower (JavaScript), PHP, Maven/Gradle (Java), npm (JavaScript), NuGet, Python, RubyGems, and RPM
  • Ability to integrate across your development toolchain with pre-built tools and applications

Software development teams with enterprise requirements for fully automated open source governance powered by precise, curated, and actionable intelligence should investigate Sonatype's Nexus Product Suite.

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Hummer Winblad Venture Partners, and Goldman Sachs. Learn more at