A typical Java application can have hundreds of external dependencies that include proprietary libraries and others from many different sources. Tools such as Maven, make adding and managing these dependencies easy, but by themselves they aren’t very picky about what gets included in a project build. Developers and testers who are focused on rapid delivery of quality software may not have enough time to vet the libraries they are including in their products. Since those libraries can bring in dependencies of their own, it can be difficult to know the exact contents of an application. The results can be messy software products that include libraries with different licensing models, multiple versions of the same library, and libraries with known security and functionality issues.
Sonatype, the developers behind the Nexus Repository manager, have created a tool for implementing policy-based dependency management. Nexus IQ is the server component in three of their offerings: Nexus Auditor, Nexus Lifecycle and Nexus Firewall. Nexus IQ scans project dependencies and Maven repositories, checking for criteria such as license type, reported security issues, age, and popularity. When integrated into a Nexus-managed repository, IQ can then either warn developers of a policy violation or block a build entirely; with the Nexus Firewall option, offending libraries can be quarantined for review, and then black-listed or white-listed based on your choice.
