Protecting software against open source vulnerabilities and license issues demands the attention of development team leaders, and those leaders in turn demand scanning tools to deal with those concerns.
Open source security scanning fits within a larger category of the software development lifecycle (SDLC) in which developers bear responsibility for security and quality. Tools that offer artifact management, grounded in an SDLC process such as DevSecOps, are more useful than those that only scan code.
In this open source security scanning tools face-off, we assess two strong competitors with unique advantages: Sonatype Nexus vs. JFrog.
Why open source vulnerability scanners are helpful
Open source security scanning identifies third-party components that carry publicly known vulnerabilities. When an open source vulnerability is disclosed, it isn't immediately eliminated from every project that uses the affected component, because upgrading or patching a dependency is not always easy. As a result, developers who pull in open source code can introduce known vulnerabilities to their projects. Open source security scanners are meant to find those components before they ship. The same scans can also uncover governance issues, such as conflicting or restrictive open source licenses.
Organizations that follow DevSecOps approaches to the SDLC rely on artifact repositories. An artifact is any record or unit of code a project generates, including the project's code, scripts, files and documents. Both Sonatype and JFrog adhere to this artifact-centric approach, expanding on the traditional concept of code repositories.
Customer views on these two products vary quite a bit. Users' expectations of how open source vulnerabilities should be handled range widely, and customers' opinions of the products shift as vendors add features. Because both JFrog and Sonatype users apply the vulnerability scanning tools within their respective SDLC frameworks, it's difficult to compare scanning capabilities in isolation, without including the rest of the product packages.
Compare the product lines
Both Sonatype and JFrog frame their open source security scanning strategies in the broader context of an SDLC rapid development framework. Sonatype prioritizes automation, while JFrog centers on swift code delivery.
The products have similar security scanning processes. Each tool evaluates user-defined policies and checks components against online vulnerability databases. Findings propagate transitively: a vulnerable low-level component is reflected in every higher-level package that depends on it, up to the application and project levels. Users see the issues the tools find, and the dependency hierarchies those issues affect, in the GUI. Both JFrog and Sonatype also can generate alerts for policy violations, which in turn can trigger specific actions.
Sonatype's Nexus platform enables teams to universally manage artifact libraries. Nexus harmonizes project management and code management, to accelerate development. The Nexus platform includes several tools:
- Nexus Firewall, which automatically scans open source software against user-defined rules;
- Nexus Lifecycle, to reinforce policies and remediate security issues throughout the SDLC;
- Nexus Repository, a tool to manage libraries, artifacts and release candidates;
- Nexus Lifecycle Foundation, to assess risk at the CI and deployment stages;
- Nexus Auditor, for continuous assessment of open source software components within production applications; and
- Nexus Intelligence, which combines analysis from AI and researchers to provide vulnerability findings about application components and configurations.
JFrog divides its artifact-repository and scanning offering into three main product areas:
- JFrog Artifactory, the central repository that holds all project components;
- JFrog Container Registry, which holds all necessary information to support containerized development and deployment; and
- JFrog Xray, the open source vulnerability and license compliance scanner.
JFrog also offers products such as Pipelines, Distribution and Mission Control for fully integrated DevSecOps and release management. JFrog enables popular vulnerability databases by default during setup, a feature that companies with limited technical staffing for development projects especially rely on.
Sonatype released Nexus Firewall amidst an influx of open source security scanning competitors. The vendor highlights that Nexus Firewall can also protect JFrog Artifactory installations -- an interesting wrinkle in this Sonatype Nexus vs. JFrog face-off. But there's no clear user view on whether Nexus Firewall works better than the native Xray for that purpose.
How each open source security scanner works
Nexus Firewall scans libraries and repositories for open source components with known vulnerabilities. The tool's knowledge of vulnerabilities comes from both external industry vulnerability databases and internally defined policies. Nexus Firewall includes two modes:
- Audit. This mode warns development or QA management about vulnerabilities discovered by the scan.
- Quarantine. This more restrictive approach blocks developers from downloading open source components with known vulnerabilities. Quarantine ensures that a known flaw buried in a third-party component can't break governance by reaching a developer's build; it cannot catch vulnerabilities that haven't yet been disclosed, so the mode is only as current as the vulnerability data behind it.
Nexus Firewall creates a perimeter around an organization's open source usage. The product lets users define policies to catch problems like open source license violations and to grant exceptions to Audit or Quarantine findings. Nexus Firewall scans components written in major programming languages and, with integrations such as Jira, enables users to track and act on vulnerabilities.
Sonatype describes the focus of Nexus Firewall on its product page: "You create the rules. We'll help you enforce them." Many users like the explicit Quarantine mode, and the notion that Nexus Firewall builds a perimeter -- a familiar cybersecurity concept. Firewall fits in well with Sonatype's overall SDLC approach too.
JFrog's Xray scans for both license compliance issues and vulnerabilities. JFrog tightly links Xray to its Artifactory repository, which provides the metadata the tool uses to trace linkages between code components, libraries, production applications and projects. Xray can perform scans akin to Sonatype's Audit and Quarantine modes, based on user policies, though these are not distinct product settings. The product also assists with remediation of discovered issues.
Xray provides sophisticated policy and alert controls, which can apply to issues from external vulnerability databases or to internally identified conditions. A user can raise an alert on a component simply because it doesn't perform as desired, such as imposing too heavy a CPU load. The alert lets other teams learn about the problem, even if it is not severe enough to classify as a vulnerability. Be careful when you manage JFrog's alert-based approach: a policy whose scope or violation handling is defined incorrectly can leave holes in the perimeter, for example a repository that no blocking rule watches.
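As an added example, not code from the original article or from either vendor, here is a small Python model of the behaviour described in the sections above: rules scoped to repositories with Audit-style warnings and Quarantine-style blocking, findings that propagate transitively from a deep dependency up to the application, waivers for accepted risk, and a check for the kind of policy gap just mentioned. All names, rules, components, licenses and severities are hypothetical and constructed for the example; real scanners draw them from Sonatype's or JFrog's policy engines and vulnerability data.

```python
"""Toy model of an artifact-repository scanner: scoped audit/quarantine
policies, transitive propagation of findings, waivers and a policy-gap check.
Hypothetical structures and constructed data, not Sonatype's or JFrog's code."""
from dataclasses import dataclass, field
import fnmatch

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Component:
    name: str                  # constructed names, e.g. "logging-lib:1.2.0"
    repo: str                  # repository the artifact is served from
    severity: str = "none"     # worst vulnerability known in this component itself
    license: str = "Apache-2.0"
    deps: list = field(default_factory=list)

@dataclass
class Rule:
    name: str
    repo_glob: str             # repositories this rule watches
    min_severity: str = ""     # "" means the rule checks no vulnerabilities
    banned_licenses: tuple = ()
    action: str = "audit"      # "audit" warns, "quarantine" blocks the download

@dataclass
class Finding:
    component: str
    path: tuple                # route from the application down to the component
    reason: str
    action: str

def rollup(comp):
    """Transitive propagation: a node inherits the worst severity beneath it,
    so the application reads 'critical' when only a deep dependency is."""
    sev = comp.severity
    for dep in comp.deps:
        child = rollup(dep)
        if SEVERITY_RANK[child] > SEVERITY_RANK[sev]:
            sev = child
    return sev

def evaluate(root, rules, waivers=()):
    """Apply every rule whose repo glob matches the component's source
    repository; waived components (explicitly accepted risk) yield nothing."""
    findings = []
    def walk(comp, path):
        path = path + (comp.name,)
        if comp.name not in waivers:
            for rule in rules:
                if not fnmatch.fnmatch(comp.repo, rule.repo_glob):
                    continue
                if rule.min_severity and SEVERITY_RANK[comp.severity] >= SEVERITY_RANK[rule.min_severity]:
                    findings.append(Finding(comp.name, path, f"{comp.severity} vulnerability [{rule.name}]", rule.action))
                if comp.license in rule.banned_licenses:
                    findings.append(Finding(comp.name, path, f"license {comp.license} [{rule.name}]", rule.action))
        for dep in comp.deps:
            walk(dep, path)
    walk(root, ())
    return findings

def blocked(findings):
    """Components a quarantine rule would refuse to serve."""
    return sorted({f.component for f in findings if f.action == "quarantine"})

def uncovered_repos(root, rules):
    """Policy-gap check: repositories the tree pulls from that no quarantine rule
    watches. Anything fetched from them passes unchallenged: a hole in the perimeter."""
    repos = set()
    def walk(comp):
        repos.add(comp.repo)
        for dep in comp.deps:
            walk(dep)
    walk(root)
    watched = {r for r in repos for rule in rules
               if rule.action == "quarantine" and fnmatch.fnmatch(r, rule.repo_glob)}
    return sorted(repos - watched)

# Constructed sample tree: the application is clean, a logging library two
# levels down is critical, one library is copyleft, and one npm package comes
# from a repository the rules never mention.
LOGGING = Component("logging-lib:1.2.0", "maven-proxy", severity="critical")
JSON_LIB = Component("json-lib:1.0.0", "maven-proxy", license="GPL-3.0")
HTTP = Component("http-client:4.5.0", "maven-proxy", deps=[LOGGING])
NPM_LIB = Component("ui-widgets:3.2.0", "npm-proxy", severity="high")
APP = Component("billing-app:1.0", "maven-hosted", deps=[HTTP, JSON_LIB, NPM_LIB])

RULES = [
    Rule("block-critical", "maven-*", min_severity="critical", action="quarantine"),
    Rule("warn-high", "maven-*", min_severity="high", action="audit"),
    Rule("no-copyleft", "maven-*", banned_licenses=("GPL-3.0",), action="quarantine"),
]

if __name__ == "__main__":
    print("application severity after rollup:", rollup(APP))
    for f in evaluate(APP, RULES):
        print(f.action.upper(), f.reason, "via", " -> ".join(f.path))
    print("blocked:", blocked(evaluate(APP, RULES)))
    print("blocked with waiver:", blocked(evaluate(APP, RULES, waivers={"json-lib:1.0.0"})))
    print("repositories no quarantine rule watches:", uncovered_repos(APP, RULES))
```

Running it shows the application reported as critical although its own code is clean, the logging and copyleft libraries blocked while the waiver removes the latter, and the npm repository flagged as unwatched: the high-severity package pulled from there produces no finding at all, which is exactly the hole a misdefined policy scope leaves.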
Another positive for Xray is video training from JFrog. Users say the training can teach someone with no exposure to any of JFrog's products to perform a successful full deployment. Many users who encounter open source governance and security issues are new to the problem. It will take some experience with JFrog's suite to build skills and confidence, but the educational resources get them onboarded quickly.
The SDLC is key to compare Sonatype and JFrog
When you consider just open source governance and security scanning, JFrog Xray has the edge over Sonatype Nexus. Xray has rich policy management, and users can set remediation steps granularly, from warnings through installation-wide interdiction. With this combination, the tool offers flexible and accessible governance. Xray can also be scaled down easily to fit the limits of smaller organizations, or those less reliant on third-party open source libraries and components.
But consider Sonatype's and JFrog's overall packages to make a judgment on open source scanning supremacy within the context of the SDLC. Customers of both products typically use them as integrated platforms rather than as individual tools to adopt and integrate at will. Without full SDLC support to improve security and governance efficiency and to systematize vulnerability management, the overhead involved with scanning code seems excessive to many users.
Security and compliance scanning must be part of the process wherein developers introduce code and libraries into the project. This task is impossible without an architected and repository-centric development and deployment plan. You can't assemble a security- and compliance-friendly development process from pieces, because the way you build code determines how and where you apply governance. If you have a need for open source scanning, you have a need for an SDLC framework and tools to sustain it.
Sonatype Nexus puts the library and repository at the center of an ecosystem. Users can go with Sonatype's default repository or, with some effort, import one of their own. JFrog caters to its own Artifactory repository, rather than supporting user imports. Thus, Sonatype offers broader flexibility in the user experience. However, JFrog seems to be gaining ground with its features.
To adequately compare Sonatype Nexus vs. JFrog, consider your software's actual exposure to open source issues. Some companies get open source elements as part of a library set from a provider, like Red Hat, now part of IBM. If most of your open source libraries come from a source that precertifies and bundles the code into fixed releases, security vulnerabilities and license issues are far less likely to bite you than if you're picking code yourself. Installation-specific governance is a relevant focus for software teams working with precertified open source code. In this circumstance, JFrog's Xray seems like the better option. Likewise, for organizations with limited development resources, the tool is a good choice.
JFrog also integrates more easily with DevOps and deployment tools than Sonatype's line, and the product seems to have a more container-centric approach to code governance overall. Some users say JFrog moves faster to support new requirements too. These factors all lead to growing interest in JFrog's overall platform among enterprise customers.
Which open source security tool you should choose
For open source security and compliance scanning, JFrog's Xray is the winner of this tool comparison. Similarly, JFrog beats Sonatype when it comes to repository management to support security and compliance overall.
Enterprise users appreciate that JFrog provides a REST API, and they prefer the tool's integrations with other development and deployment products to Sonatype's. Users also like that more features are commercially supported rather than community supported. Positives include the educational material, full commercial support and the ease of getting a basic implementation up and running. Xray's detailed policy controls and its options for handling individual findings, such as ignoring or escalating an issue, support rapid application development processes.
To get the most out of Sonatype or JFrog, buy into the chosen vendor's repository-and-artifact management scheme. Scanning binaries on its own does little for code quality, regardless of the scanner's features. Organizations should control their library and package sources and limit how developers can introduce outside code.
Open source software usage is growing, and JFrog already fits best for organizations coping with the challenges it brings.