Author Archives: Ilkka Turunen

The Latest Victim of Deserialization-Gate

Last week the world was hit with what can be awarded the Vulnerability Of The Day for Java – the commons-collections deserialization vulnerability. The latest victim of the continued series of vulnerabilities comes from the Spring project with an implicating class that allows the same unsafe deserialisation vector in the spring-core. What makes this issue particularly

Author, Ilkka Turunen

Nexus and SSL

Today’s topic comes from an interesting conversation I had with a customer about SSL certificates that can be used to secure Nexus and serve it via HTTPS. Though HTTPS should be the cornerstone in securing any web service, I thought it useful to answer small

3 Things Developers Can Learn from the Scandal at VW

Over the past few weeks, I have been following the scandal involving Volkswagen. Most of us have learned that VW installed so-called “cheating software” in their diesel cars, which, in conjunction with the anti-lock brakes and traction control system, enabled a cheat mode when their diesel cars were tested for emissions. Current estimates place

Author, Ilkka Turunen

Automating Nexus Deployment: Cookbooks, Modules and Playbooks

The first article in this two-part series, Automating Nexus Management: Using the REST API in Nexus 2.x, examined the resources available for developers who want to use the Nexus 2.x REST API. In this installment we’ll focus on how to deploy Nexus itself using various cookbooks and modules for provisioning tools. Are there any

Author, Ilkka Turunen

Using the REST API in Nexus 2.x

I’ve recently received a few questions asking how the deployment of Nexus can be automated as much as is possible by using configuration management tools such as Chef, Puppet, Saltstack, Docker, etc. This is common in a scenario where you may want to set up multiple Nexuses with defined repository structures and pre-installed license keys.

Author, Ilkka Turunen

How to Detect and Enforce Open Source Licenses

I received this question from a client today: Right now we are using Nexus OSS. We are considering upgrading to Nexus Pro for two reasons: We need to control licences of our dependencies – with Maven it’s too easy to add dependencies We need to track updates of our dependencies Nexus Repository Health Check seems

Author, Ilkka Turunen

Understanding Open Source Copyleft Licensing Flags

I recently received a question from a client who had run an Application Health Check. They wished to understand why we highlight certain licenses in the health check report: Regarding the ‘License-Copyleft’ – some libraries have e.g. a LGPL license and a CDDL/GPL license: Using the LGPL license shouldn’t be a problem in my opinion

Author, Ilkka Turunen

Healthcheck Features in Nexus Pro / Nexus Auditor

Question of the Day: I’ve downloaded the Nexus Pro Trial, focusing on the procured repository function. We want to check open source components for license and security status. Can this be achieved with Nexus Pro alone? If so, what benefit is added by Nexus Audit?

Answer from Ilkka: Nexus Pro: Both of these points can be

High Availability (HA) and Continuous Integration (CI) with Nexus OSS

Interesting question from a client: “How can I do HA with Nexus OSS? Our CI Server has hundreds of projects writing to our Nexus instance at a fixed time (e.g. 9pm). We would like to ensure that the Nexus server can cope with this load. How do I ensure Nexus stays performant?” Nexus 2 OSS

Author, Ilkka Turunen

How to turn on audit logging in Nexus

A client called today to ask what kinds of Nexus logs they can follow and how they can turn on user auditing. To turn on audit logging, follow this guide: https://support.sonatype.com/entries/24056287 (Nexus 2.8+ section). The output can be seen either in the user interface under Administration -> Logging or in $NEXUS_WORKDIR/logs/nexus.log. Another log to tail
