<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1127487224079104&amp;ev=PageView&amp;noscript=1 https://www.facebook.com/tr?id=1127487224079104&amp;ev=PageView&amp;noscript=1 ">

What We Learned from Studying 36,000 OSS Projects | Press Release

Nexus Intelligence

The whole truth about open source risk.

Try It Now  
WATCH THE VIDEO

Expert Research Powers the Nexus Platform
Icon1@2x

More Coverage.

70% more vulnerabilities than alternative databases.

Icon2@2x

Faster Results.

10x Faster than National Vulnerability Database.

Icon3@2x

More Expertise.

65 world class professionals with 500+ years of experience.

The difference is simple.

Better Identification

Scan apps “as deployed” — not “as declared.” Identify true risk by verifying ALL embedded dependencies.

Examine fingerprints — not file names and package manifests. Precisely identify risk with Advanced Binary Fingerprints (ABF).

Report real risk — not false alarms.
Spend more time fixing actual bugs and less time chasing false positives.
BluePurpleBrain

Better Knowledge

Above and beyond public data.
Get details on complete universe of open source vulnerabilities.

Super fast and always on.
Learn about new open source vulnerabilities faster than anyone else.

Designed for developers. Give developers exactly what they want — actionable guidance to remediate open source risk.

EdwinK

“It has given us visibility into security issues and made us more proactive in dealing with things. It scans and gives you a low false-positive count.” 

— EDWIN K., IT CENTRAL STATION REVIEW

Avoid fake news, analyze deployed dependencies.

Alternative tools are prone to false positives and negatives because they scan apps “as declared” and trust developers to disclose the truth about dependencies embedded in software.

Nexus scans apps “as deployed” utilizing Advanced Binary Fingerprinting (ABF). The result is a precise read on embedded dependencies and a Software Bill of Materials (SBOM) that reflects the truth about third-party risk. ABF identification utilizes cryptographic hash for binaries, structural similarity, derived coordinate, and file name.  It can even identify renamed or modified components whether they were declared or not, misnamed, or added to the code base manually.



Intelligence_DigDeeper_alt@2x
Intelligence_Nexus_new@2x

Go above and beyond public data sources.

Public databases like NVD provide a relatively small and typically outdated view of open source security vulnerabilities.

Nexus Intelligence however, delivers a universal and timely understanding of open source security risk.  It has ingested and analyzed more than 31 million components and it never stops learning, using natural language processing to dynamically monitor every GitHub commit to every open source project, advisory websites, Google search alerts, OSS Index, and a plethora of vulnerability sites.  Additionally, new vulnerabilities are regularly discovered by our own researchers and added to our proprietary knowledge-base.

Nexus Intelligence also see things that others simply can't, continuously gaining insight from more than 4 million instances of Nexus Repository Manager, and from 146 billion components requested annually from The Central Repository.

Remediate faster with expert guidance designed for developers.

Whenever new vulnerabilities are disclosed or discovered our team immediately validates the exploit path, identifies the root cause, and creates actionable information to help organizations (and development teams) evaluate, triage, and remediate threats faster than adversaries can attack. Guidance is carefully curated and written for easy consumption by frontline software developers. Instead of cryptic security alerts that are difficult to decipher, Nexus Intelligence provides developers step-by-step instructions on how to detect and remediate the vulnerability, including upgrade path and the root cause, relative risk of other component versions, and workarounds to avoid refactoring code.

Intellegence_ScreenShot@2x
Nexus Intelligence Insights

Learn more with “Secondary Expansion.”

Nexus Intelligence is the only security research service that actively practices “secondary expansion,” an extra level of investigation to determine if newly discovered vulnerabilities are also present and exploitable in other components. It’s important to go the extra mile because it's common for open source projects to borrow code from other projects. Simply stated, if a single vulnerability exists in multiple libraries, we automatically let you know. Over the past 5 years, we've associated vulnerabilities to 3 million more components than public databases.

 

Intellegence_Threat@2x-2

Understand threats faster.

Whenever new open source vulnerabilities are disclosed, criminals immediately begin looking for opportunities to exploit them in the wild. As a result, it’s literally a race between “bad guys” and “good guys” to see who acts first. Companies lose when bad actors are able to exploit open source vulnerabilities faster than they can remediate them.

When it comes to managing the constantly evolving security threats within open source, speed is absolutely critical. That’s why Nexus Intelligence works 24x7x365 to stay abreast of the changing threat landscape and publishes detailed information on new vulnerabilities 10X faster than NVD.

Trust in community credibility.

From our humble beginning as core contributors to Apache Maven, to supporting and maintaining the Central Repository, OSSIndex, and the Central Security Project, we’ve long played a meaningful role in helping the global community of software developers embrace the power of open innovation.  We're passionate about the community and we're dedicated to providing premium security research to help owners and consumers of open source projects minimize risk and maximize value.


Intellegence_Community@2x

 

Learn More

Learn More 1@2x
Don't take our word for it, see for yourself how our data stacks up against the competition.
Read Case Study
Learn More 2@2x
Discover why accurate data is critical to securing open source code.

READ MORE
Learn More 3@2x
Take a test drive of our data and see for yourself if there  are vulnerabilities lurking in your application.
Scan and see

Ready to Try Nexus Products?

Get Nexus
Twitter LinkedIn Facebook Instagram YouTube GitHub
Products
Security Research
Solutions
Resources
About
SON_logo_white@2x copy trimmed

Sonatype Headquarters - 8161 Maple Lawn Blvd #250, Fulton, MD 20759
Tysons Office - 8281 Greensboro Drive – Suite 630, McLean, VA 22102
Australia Office - 5 Martin Place, Sydney, NSW 2000, Australia 
London Office - 199 Bishopsgate, London EC2M 3TY

Copyright © 2008-present, Sonatype Inc. All rights reserved. Includes the third-party code listed here. Sonatype and Sonatype Nexus are trademarks of Sonatype, Inc. Apache Maven and Maven are trademarks of the Apache Software Foundation. M2Eclipse is a trademark of the Eclipse Foundation. All other trademarks are the property of their respective owners.

Terms of Service    Privacy Policy