Sonatype Security Vulnerabilities

Sonatype knows that software security is critical in today’s interconnected world. We use robust tools and processes to make sure our products are as safe as possible so that our customers can deploy with confidence.

Our Security Practices

To ensure the security of our products, we use a comprehensive application security practice that includes transitive dependency analysis at multiple points in the SDLC, static analysis of application code, and automated and human review processes for all changes.

Dependency Vulnerabilities

As with most modern software applications, Nexus Repository incorporates a number of open-source components as dependencies. Nexus Lifecycle’s continuous monitoring capabilities regularly detect vulnerabilities in these components.

These may or may not be exploitable, depending upon both the nature of the vulnerability and how the components are used within our solutions. However, we consider all dependency vulnerabilities to be potentially exploitable because of attack techniques such as vulnerability chaining. Therefore, our development teams upgrade the component to a non-vulnerable version as soon as one is available. We make these upgrades available to our customers and users in later solution releases.

To benefit from this ongoing risk mitigation, we recommend our customers and users regularly update their Sonatype solutions to the most recent versions.

Inquiring About a Dependency Vulnerability's Status

If you have concerns about a dependency vulnerability with unknown exploitability, we can confirm whether we are aware of it and that it is queued for remediation as part of our normal development process.

For the protection of our customers and users, we do not disclose the exploitability of suspected vulnerabilities before they are remediated and we have released upgraded versions of our solutions.

Reporting a Security Vulnerability

Sonatype responds to exploitable security vulnerabilities with the utmost urgency and follows a responsible disclosure and notification process to protect our users and customers.

If you would like to report a new vulnerability that you have discovered or reproduced, please follow the steps for reporting a security issue to security@sonatype.com as detailed on our Contact Us page.