Sonatype’s Nexus Firewall Advances DevSecOps With RubyGems and RPM Support


World’s only OSS Firewall delivers automated open source governance for six component formats

Fulton, MD – March 23, 2018   Sonatype, the leader in open source governance and DevSecOps automation, today announced that Nexus Firewall now supports RubyGems and RPM components.  By continuing to expand support for the most popular component formats, Nexus Firewall can help millions of developers automatically block vulnerable open source components from entering their DevOps pipeline.

According to Sonatype’s 2017 State of the Software Supply Chain Report, 1 in 18 open source components downloaded by development teams had known security vulnerabilities. Nexus Firewall integrates automated security into the earliest stage of a DevSecOps pipeline to ensure that organizations build applications that are secure by design.  

“Organizations keep software applications safe, not by chance, but by preparation,” said Brian Fox, CTO of Sonatype. “Sonatype researchers have identified more than 34,000 vulnerable RubyGem and RPM components.  The sheer volume of vulnerabilities makes manual governance impossible. Nexus Firewall is the only solution in the world that automatically stops vulnerable open source components at the front door.”

“Rather than wait until an application is assembled to scan and identify these known vulnerabilities, why not address this issue at its source by warning developers not to download and use these known vulnerable components (and in cases of serious vulnerabilities, block the download)?”, wrote Gartner analysts Neil MacDonald and Ian Head in their 3 October 2017 report, 10 Things to Get Right for Successful DevSecOps. “To address this issue, some providers offer an ‘OSS firewall’ (Sonatype Nexus Firewall) to expose the security posture of libraries to developers to make educated decisions about which versions to use. Using this approach, the developer can explicitly block downloads of components and libraries with known severe vulnerabilities (for example, based on the severity of the CVE assigned).”

Organizations using Nexus Firewall, will now be able to set policies to automatically stop defective open source components from reaching developers using Nexus Repository OSS or Pro versions. Policies include:

  • Defining and enforcing quality thresholds for RubyGems, RPM, PyPI, NuGet, npm and Java components
  • Analyzing and selectively admitting secure components
  • Keeping production apps safe from risky components


About Sonatype

Sonatype is the world’s leading provider of vast data intelligence and DevOps-native developer tools to help organizations harness all the goodness in open source software, without any of the risk.  As the creators of Apache Maven, the Central Repository, and Nexus Repository, Sonatype helped to pioneer open source software development.  Today, more than 10 million developers around the world depend on Sonatype’s Nexus platform to automatically govern the volume, variety, and security of open source components being used to build modern software applications. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Hummer Winblad Venture Partners, and Goldman Sachs.