Sonatype launches solution to remediate malicious and outdated InnerSource components

Sonatype announced a capability focused on identifying and remediating InnerSource components that contain vulnerable, malicious, or outdated open source dependencies.

With InnerSource Insight, developers can easily manage their InnerSource components, see what open source packages they’re dependent on, remediate concerns immediately, and identify safe upgrade paths that won’t break builds.

InnerSource is a rapidly growing term used to describe proprietary software parts developed internally following practices and processes typically used in open source development. This means everyone in an organization has access to development artifacts, code and documentation. Teams are encouraged to use and contribute to these components as part of the application development lifecycle to save time, prevent rework, and build better software.

“Over the past 15 years that we’ve been helping engineering teams understand, manage, and protect their software supply chains, organizations have come to understand the inherent risks of using open source software and the need to monitor it,” said Brian Fox, co-founder and CTO of Sonatype. “What’s less known is that increasingly, dangerous open source components slip into applications through these shared internal components called InnerSource. We’re helping organizations remove that risk by making it possible for developers to manage InnerSource components the same way they manage open source.”

InnerSource components are utilizing, in some occasions, up to hundreds of other open source and InnerSource components that often have company policy violations that are difficult to trace and to remediate. Sonatype’s InnerSource Insight, previously available in beta, but now open to all customers of Sonatype’s Nexus Lifecycle, helps developers and security teams:

• Decrease manual rework, by easily identifying InnerSource components and taking action to remediate concerns or company policy violations within their dependencies
• Save time by quickly seeing all the different versions of an InnerSource component in an easy-to-read graphic, to then determine the most up to date version you should be using
• Effortlessly integrate with CycloneDX, making it possible to track, update and remediate InnerSource components in 120+ tools and languages