Starting the first week of December, users of Nexus Lifecycle and Nexus Firewall who evaluate CRAN, Cargo, or Conda may experience a change in results.
The change is due to Sonatype’s work on its data catalog. Sonatype is unifying its data catalog by bringing all data and research streams into one database. Currently, for security data, there are two main research pipelines that, while similar, have distinct purposes. This initiative brings those two teams together to streamline Sonatype’s data output to customers.
Why is Sonatype doing this?
Sonatype, like other SCA vendors, pulls data from a variety of sources, including:
- National Vulnerability Database
- Various public vulnerability feeds
- Proprietary vulnerability feeds (ex: identifying vulnerabilities in open source code stored in code management platforms such as GitHub)
Unfortunately, not all security data is created equal, and some of the data from the above sources - specifically the NVD and public feeds - is incomplete. Often the “incomplete” data is missing vulnerabilities, and automation alone is not sufficient to identify what is missing. As a result, this data must be highly curated by Sonatype’s research teams to fill in the gaps and improve accuracy.
Because we have two teams with different purposes curating this data, there are sometimes inconsistencies in our output, which the Data Unification initiative is solving.
As we roll out this initiative, you will experience the following for ecosystems affected by this change:
- Higher quality identity data
- More complete CVE data
- Fewer false positives and false negatives
You may also notice that some existing waivers are no longer applied, and that reports from old scans remain viewable except for the vulnerability tab. To resolve this, users will need to perform a rescan; a re-evaluation of the existing report will not fix the problem or create new waivers.
During the rollout, users may see “format unknown” errors. These errors will go away once the rollout is complete. They occur because there is a window during which the data is available before the system recognizes the format.
Where can I ask additional questions?
You can reply directly to this post. If you are not already registered to the Sonatype Community, you’ll be prompted to create an account that will also allow you to engage with other posts and members of the Sonatype Community.
Notifications can be configured to ensure you are aware of updates to this thread or other important announcements in the Community.