Sonatype Nexus: build smarter, fix faster, be secure

The Nexus platform: build smarter, fix faster, be secure.

This article provides an overview of the Sonatype Nexus Platform. The most commonly known component in that platform probably is Repository, but there is more!

Go directly to:

• Overview of the platform
• Reasons for using the platform
• Overview of the components of the platform
• Costs
• Certification and support
• Market

1 Platform overview

Product name: Nexus platform
Vendor name: Sonatype
Sonatype offers eight products in a platform called Nexus: Lifecycle, Lifecycle Foundation, Firewall, Repository, Container, Auditor, Vulnerability Scanner and Lift.  Most readers will be familiar with Repository, but this article will also focus on the other products. Nexus Lifecycle, Auditor and Firewall use the Nexus IQ server, a specific component that works as a policy engine.

2 Reasons for using the platform

As the tag line of the Sonatype website states: build smarter, fix faster, be secure. These three statements sum up the main features of the Nexus platform pretty well. You use the platform (or any of its tools separately, as that is also a possibility) to support the build and release process of your software development lifecycle securely, in real-time. And additionally, you get an overview of each open source component in your build environment, which makes sure you are in control and properly licensed.

The (automated) gathering of information on components in your pipeline is commonly known as Software Composition Analysis (SCA). A hardened, secure software development and delivery pipeline is only a possibility when all components in the pipeline are known!

In 2020, Gartner found that 90% of organizations use open-source software in their development environment in one way or the other, but the installed base of SCA is not that large as of yet.

3 Overview of the components of the platform

In the paragraphs below, the components of the platform are described in more detail.

Lifecycle

Nexus Lifecycle is a suite of tools that automates a number of checks in the software development pipeline. It combines Lifecycle Foundation, Firewall, Container and Repository.

Lifecycle Foundation

Nexus Lifecycle Foundation is the foundation component for the suite of tools combined in Nexus Lifecycle. It provides an overview of the open-source components used in the software delivery pipeline. The difference between Lifecycle Foundation and Auditor is that the latter tool focuses primarily on legacy, monolithic monitoring (production) applications. A more detailed comparison between the two can be found in a blog on the Sonatype site.

Firewall

Nexus Firewall serves as a firewall between components used in software development (obtained from external repositories) and the repositories they are stored in (local to you). This helps you in preventing that vulnerable components enter your environment and provides you with an overview of these components. Programming languages that use components and packages in this way (such as Java, .NET and Go) are all supported.

Repository

Nexus Repository (often abbreviated to NXRM), which consists of an open-source and commercial variant, is a tool for managing all components, binaries and artefacts in the software development lifecycle in a single place. It serves as a caching repository for public components that are used locally and as the single source of truth for staging and managing releases, promoting them from one environment to the other. A wide variety of formats is supported, such as npm, apt and helm charts – but the list is much longer. Nexus repository integrates really well in a Java environment and has support for a wide variety of tools, including well-known pipeline orchestration tools such as CircleCI and Jenkins. Again, the list is long and Sonatype has a specific webpage dedicated to everything it supports or integrates with.

Version history

Nexus Repository is available in two different forms: a 2.x branch, and a 3.x branch. The 3.x version is a complete rewrite (with a different architecture). Not all 2.x features returned in 3.x, which means updates can be challenging. A description of the differences is detailed on a specific webpage.

Container

Nexus Container is an end-to-end container security tool. It combines real-time security over the entire lifecycle of a container, starting with development in the pipeline and ending with run-time monitoring. Nexus Container integrates with a large number of container orchestration platforms, both in the public and private cloud.

Auditor

Nexus Auditor is a tool that helps you implement software composition analysis. It is used to create a list of open source components used in production software. This will help organizations in identifying if they violate license agreements – each component is presented with its attached license. Next to this, it is possible to examine and act upon known security issues for each component. Finally, these issues are monitored continuously during the production lifecycle of the component.

Vulnerability Scanner

Nexus Vulnerability Scanner is a free tool that can be used to scan a repository for known and existing security vulnerabilities.

OSSIndex

Not really a tool, Nexus OSSIndex is an online repository that allows developers to search for components that have known vulnerabilities or scan projects (and their dependencies) for these vulnerabilities. It serves as a teaser for the vulnerability scanner.

Lift

The latest addition to the Nexus platform is Lift, a code quality tool launched on the 15^th of June during the Sonatype Elevate conference. It works by scanning pull requests in real time and adding reports on security, vulnerability, reliability and style issues at specific places in the code itself. This way, developers are far more likely to see the issue and fix it.

Reference architecture

A nice way of presenting the various components in the Nexus platform can be found in a DevSecOps reference architecture. It is quite a detailed overview of the various tools (not just Sonatype’s) that make up a CI/CD pipeline.

When examining the architecture of Nexus Repository itself, it is evident that the platform uses a number of internal, open-source components. OrientDB is used as an internal database, where metadata and the configuration of the system are stored, with Ehcache as caching engine. Apache Karaf is used for deploying and managing the Java codebase of the platform. The internal web server is Eclipse Jetty. Finally, Elasticsearch is for indexing and searching through the repository. These components are internal dependencies and do not need to be managed separately.

Requirements

Nexus Repository is a Java-based tool, which means it can be installed on any host operating system that is able to run the supported version of Java (version 8 of the JRE). It is deployed on Java application platforms such as Tomcat. As the tool is most commonly installed on Linux, this is the reference platform. It is also possible to deploy in a container.

Memory and CPU

Memory configurations vary based on the size of the implementation. The Sonatype support website provides an overview of several example configurations. As far as disk space is concerned, Sonatype warns that repositories tend to grow large very quickly.

File systems

Sonatype supports a wide variety of file systems. These include Linux-based, local filesystems but also a number of Cloud-based filesystems such as Azure Blob storage and Amazon EBS. From the list of options, however, it is obvious that there are clear preferences: the local Linux filesystems work best. Modern local filesystem variants (such as GlusterFS) are either unsupported or not available (such as Ceph). The main problems of these systems are unreliability and slow performance.

High availability

It is possible to make Nexus Repository high available, but with some limitations. Currently, high availability only works in a single data center. Setting up high availability involves selecting a load balancer (well-known software-based versions such as NGiNX and Apache work). The recommended number of nodes is 3. 

Integration

It is possible to integrate Sonatype Nexus with other applications or systems. The API documentation describes the available endpoints. An example of integration usage is automating the usage of the repository (such as creating users or repositories), or monitoring its status.

4 Costs

Repository Pro starts at $3.000 per year, for 25 users. There are no additional costs for running Repository Pro.

5 Certification and support

Sonatype offers a number of free courses and extensive online support at their Learn website. The courses vary from a high-level overview on OSS licensing to a quite detailed course on how a developer can use Nexus in his or her build environment. Next to this, three learning paths are defined: increase developer productivity, reduce OSS risks and shift left: secure coding practices. Each path starts with providing the basic knowledge and then delves deeper into the subject matter, based on online courses and articles. At the end of a path, it is possible to receive a certificate of completion.

It is possible to become a certified partner, but not a certified specialist.

6 Market

Sonatype has its roots in the open-source community, particularly in the Java domain. It runs Maven Central, which contains nearly 7 million Java artifacts and is used by millions of users. Exact numbers on the installed base of the platform, however, are difficult to find. It is worth mentioning that Sonatype is in fierce competition with JFrog, which distributes Artifactory. Which product you prefer is a matter of preference.