Skip to main content

Repository Security Vulnerabilities

Sonatype considers security extremely important and uses multiple processes and tooling to ensure that our products are secure.

Our Security Practices

To ensure the security of our products, we use a comprehensive application security practice that includes transitive dependency analysis at multiple points in the SLDC, static analysis of application code, as well as automated and human review processes for all changes.

Dependency Vulnerabilities

As with most modern software applications, Nexus Repository incorporates a number of open source components as dependencies. Nexus Lifecycle’s continuous monitoring capabilities regularly detect vulnerabilities in these components.

These may or may not be exploitable, depending upon both the nature of the vulnerability and how the components are used within Nexus Repository. However, we consider all dependency vulnerabilities to bepotentially exploitablebecause of attack techniques such as vulnerability chaining. Therefore, our development teams upgrade the component to a non-vulnerable version as soon as one is available. We make these upgrades available to our customers and users in later releases of Nexus Repository.

To benefit from this ongoing risk mitigation, we recommend our customers and users regularly update their Nexus Repository instances to the most recent version.

Inquiring About a Dependency Vulnerability's Status

If you have concerns about a dependency vulnerability with unknown exploitability, we can confirm whether we are aware of it and that it is queued for remediation as part of our normal development process.

For the protection of our customers and users, we do not disclose the exploitability of suspected vulnerabilities before they are remediated and an upgraded version of Nexus Repository is released.

You can subscribe to announcements of new releases and exploitable security vulnerabilities by signing up for the Nexus Repository Pro announcements Google group.

Reporting a Security Vulnerability

Sonatype responds to exploitable security vulnerabilities with the utmost urgency and follows a responsible disclosure and notification process to protect our users and customers.

If you would like to report a new vulnerability that you have discovered or reproduced, please follow the steps for reporting a security issue to as detailed on our Contact Us page.