Coming at the End of February - Composer (PHP) Data Unification

Starting the last week of February, users of Nexus Lifecycle and Nexus Firewall who evaluate PHP may experience a change in results.

As we roll out this initiative, you will experience the following for PHP:

  1. Higher quality identity data
  2. More complete CVE data
  3. Fewer false positives and false negatives

PHP is also gaining:

  1. Advanced Binary Fingerprinting (ABF)
  2. Effective License

The change is due to Sonatype’s work on its data catalog. Sonatype is unifying its data catalog by bringing all data and research streams into one database. Currently, for security data, there are two main research pipelines that, while similar, have distinct purposes. This initiative brings those two teams together to streamline Sonatype’s data output to customers.

Why is Sonatype doing this?

Sonatype, like other SCA vendors, pulls data from a variety of sources, including:

  • National Vulnerability Database
  • Various public vulnerability feeds
  • Proprietary vulnerability feeds (e.g., identifying vulnerabilities in open source code stored in code management platforms such as GitHub)

Unfortunately, not all security data is created equal, and some of the data from the above sources - specifically the NVD and public feeds - is incomplete. Often the "incomplete" data is missing vulnerabilities entirely, and automation alone is not sufficient to identify what is missing. As a result, this data must be heavily curated by Sonatype's research teams to fill in the gaps and improve accuracy.

Because we have two teams with different purposes curating this data, there are sometimes inconsistencies in our output, which the Data Unification is solving.

You may also notice that some existing waivers are no longer applied, and that reports from old scans remain viewable except for the vulnerability tab. To resolve this, users will need to rescan the application to regenerate the report and create new waivers.

Where can I ask additional questions?

You can reply directly to this post. If you are not already registered to the Sonatype Community, you’ll be prompted to create an account that will also allow you to engage with other posts and members of the Sonatype Community.

Notifications can be configured to ensure you are aware of updates to this thread or other important announcements in the Community.
