Improved Dependency Management for Java in Nexus Lifecycle

Summary
Managing dependencies is one of the best ways to assess the risk disposition of your organization’s applications and components. Contextual awareness of how dependencies are linked and how they enter your SDLC will improve research around these risks and potentially change development behavior over time. As such, Sonatype is happy to announce improved dependency management capabilities for Java in Nexus Lifecycle.

What’s Changing in Nexus Lifecycle
Release 88 introduced a new section in your transitive dependency’s component information panel (CIP) titled ‘Recommended Remediation.’ It shows which direct dependencies brought in that transitive and links back to the direct dependency (example below).


For direct dependencies, you will still see ‘Recommended Version’ providing the next version with no policy violation (this is the current default policy).

Benefits
The new section and updated links are designed to help you attack remediation from the top down. By focusing on parent components first, you can tackle multiple remediations at once, ultimately aiding in prioritization and decreasing unnecessary research efforts. You may also experience:

  • Less Research, More Remediation - we’ve streamlined the research process by providing specific remediation actions for that dependency.

  • More Efficient Remediation - Remediation guidance will point users to deal with direct dependencies first, which could resolve more than one dependency at once.

  • Increased awareness - showing each direct dependency associated with a transitive dependency will help paint a picture of how all your dependencies are linked, so you know exactly how remediation will affect other applications.
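The linkage the new ‘Recommended Remediation’ section surfaces (which direct dependencies pull in a given transitive, and which direct upgrade fixes the most at once) can be reproduced from a plain Maven dependency tree. The following is an added example, not Sonatype’s code or the Nexus Lifecycle implementation; it parses constructed `mvn dependency:tree` output and assumes coordinates carry no classifier.

```python
import re
from collections import defaultdict

# Constructed sample of `mvn dependency:tree` output (not a real project):
# jackson-databind is pulled in by two different direct dependencies.
SAMPLE_TREE = r"""com.example:app:jar:1.0.0
+- org.springframework:spring-web:jar:5.2.0.RELEASE:compile
|  +- org.springframework:spring-core:jar:5.2.0.RELEASE:compile
|  \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
+- com.example:internal-lib:jar:2.1.0:compile
|  \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
\- junit:junit:jar:4.12:test
   \- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Tree-drawing prefix ("|  +- ", "   \- ", ...) followed by the coordinate.
LINE_RE = re.compile(r"^([|+\\\- ]*)(\S.*)$")

def ga(coord):
    """'group:artifact:type:version[:scope]' -> 'group:artifact'."""
    return ":".join(coord.split(":")[:2])

def gav(coord):
    """Same input -> 'group:artifact:version' (assumes no classifier field)."""
    p = coord.split(":")
    return ":".join([p[0], p[1], p[3]])

def direct_dependencies_of(tree_text):
    """Map each transitive 'group:artifact' to the set of direct
    dependencies (group:artifact:version) whose subtrees contain it."""
    index = defaultdict(set)
    stack = []  # stack[d] = coordinate of the current node at depth d
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prefix, coord = m.groups()
        depth = len(prefix) // 3  # each tree level is three characters wide
        del stack[depth:]         # leaving a subtree pops deeper ancestors
        stack.append(coord)
        if depth >= 2:            # depth 1 is a direct dependency itself
            index[ga(coord)].add(gav(stack[1]))
    return dict(index)

def remediation_roots(tree_text, transitive_ga):
    """Direct dependencies to upgrade first for one transitive."""
    return sorted(direct_dependencies_of(tree_text).get(transitive_ga, ()))

def prioritize_directs(tree_text):
    """Rank direct dependencies by how many distinct transitives they bring
    in, so the top entries are the upgrades that resolve the most at once."""
    counts = defaultdict(int)
    for directs in direct_dependencies_of(tree_text).values():
        for d in directs:
            counts[d] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```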

Dependencies in Action

[Animated GIF: transitive dependency link in the component information panel]

Where can I ask additional questions?
You can reply directly to this post. If you are not already registered to the Sonatype User Community, you will be prompted to create an account. This will allow you to create and reply to other threads initiated by both the Sonatype team and your community peers.