Supply chain security has emerged as a new market driver for security vendors in the three years since the Solarwinds hack. While there is some overlap between vendors, the market space is new enough to support a number of ways to market, including:
- Ensuring imported (typically open source) code is free from threats
- Ensuring the integrity and security of all built software artifacts
- Ensuring that deployed software presents no known threats to systems and users
Given the growing threat of software supply chain attacks, as well as the wide scope of the software supply chain, both new entrants and traditional security vendors have thrown their hat in the ring. However, it can be difficult for organizations to determine the real value of vendor claims.
As a result, ActiveState has been creating Buyers Guides to help software organizations understand the value offered by software supply chain security vendors, including the comparison between Sonatype and ActiveState presented here.
Sonatype vs ActiveState Supply Chain Security Comparison
Sonatype is a traditional security vendor with a large market presence and a reputation for best-in-class security capabilities. It’s key product is the Sonatype Platform, which includes the following major components:
- Sonatype Nexus – a binary repository
- Sonatype Firewall – an AI-based filter that detects and quarantines suspect packages
- Sonatype Lifecycle – Software Composition Analysis (SCA) tool that also generates SBOMs
By deploying each of these components on premise or in the cloud, you can:
- Block malicious open source packages from entering your binary repository
- Monitor open source packages over time for vulnerabilities
- Evaluate security, license, and operational risk
ActiveState is a traditional open source vendor with a large market presence in the Fortune 1000 and a reputation for providing secure open source languages. It’s key product is the ActiveState Platform, which functions as a package and environment manager and features:
- A vetted repository of open source source code
- A hardened build service that automatically builds open source packages on demand and outputs secure, reproducible runtime environments
- A binary repository for securely built Python wheels
By using the ActiveState Platform, you can:
- Ensure all open source components your project requires are securely built from source code, including OS-native binaries
- Monitor open source packages over time for vulnerabilities
- Evaluate security, license and operational risk
Sonatype vs ActiveState SCA Capabilities
Both platforms provide Software Composition Analysis (SCA) capabilities. SCA tools identify the open source software in a codebase with the goal of highlighting security issues, license compliance and code quality.
Sonatype provides their own scans and vulnerability analyses on millions of components daily, which means they can spot vulnerabilities before they’re officially reported in public databases. They also generate a safety rating denoting how likely a component is to contain a vulnerability. These features are primarily found in Sonatype’s Lifecycle product, which provides the following SCA capabilities:
- Security Policies – flags dependencies based on user-defined criteria such as CVSS score, threat level, datedness, etc.
- Vulnerability Detection – vulnerability scores are sourced from multiple sources and expressed in terms of a severity rating, which indicates how much of a danger the vulnerability may present.
- Reachability – can perform call flow analysis to estimate whether the vulnerable method is actually being called by the proprietary software.
- Datedness – flags older components based on policy, and indicates age of component.
- Dependency Health Rating – expressed in terms of a confidence rating based on OpenSSF’s scorecard.
- Compliance – identifies each open source dependency’s license(s). Can use policy to automatically flag violations.
- Malware Detection – employs AI and policy to scan and manage imported dependencies, including the ability to quarantine suspicious components.
Lifecycle’s SCA information can be surfaced in the browser, as well as a developer’s IDE and the CI/CD pipeline.
ActiveState provides similar SCA capabilities to Sonatype Lifecycle, as well as some key differentiators:
-
- Vulnerability Detection – provides a runtime environment vulnerability profile, downloadable report, and also notifies owners of vulnerable components in their project.
- Datedness – indicates most recent and all previous versions of a dependency, as well as their vulnerability status.
- Compliance – dependency license metadata is available via ActiveState’s Software Bill Of Materials (SBOM) capabilities.
- Remediation – automatically rebuilds the runtime environment based on a patch or newer version of a vulnerable dependency.
- Prioritization – vulnerabilities can be viewed per project by severity, surfacing which threat is most prevalent in the organization.
- Malware Detection – scans imported open source code and quarantines suspicious components.
ActiveState’s SCA information can be surfaced in both the Web GUI and CLI.
While both solutions allow security owners to achieve their goals, Sonatype comes with a higher Total Cost of Ownership (TCO) since it requires the purchase of multiple products, including Nexus to store the dependencies, Lifecycle for SCA, and an Advanced Legal Pack for license identification. However, this Sonatype “bundle” provides a number of key advantages over ActiveState’s “one size fits all” platform, including firewalling, package scoring and policy governance for many more open source languages than ActiveState currently supports.
Advantage: Sonatype
Sonatype vs ActiveState SBOM Capabilities
Software Bill Of Materials (SBOMs) are an emerging requirement for software customers who can use them to quickly identify vulnerabilities in the software they deploy across their extended enterprise. SBOM functionality can also be used in the software development process wherever code changes are made in order to verify that no new components have been introduced prior to the change, as well as to generate a new SBOM post-change.
The SCA capabilities of both Sonatype and ActiveState provide all the information required to create an SBOM, which only needs to be assembled in an industry standard format.
To create an SBOM with Sonatype, you’ll need to run a scan with Sonatype Lifecycle and generate a report via the CLI, API or UI. The report results can then be exported as either a CycloneDX or SDPX SBOM.
Sonatype SBOM capabilities:
- Analyze all components in your application
- Gather identity, vulnerability and legal data of found components
- Compare the data against governance policies to generate a report
- Export a report as either an SPDX or CycloneDX SBOM in JSON or XML format
ActiveState currently generates SPDX SBOMs, and provides users with a complete software asset catalog for their Python, Perl, Ruby and Tcl environments. While this is fewer formats/languages than Sonatype supports, it also includes two languages Sonatype does not currently support.
The ActiveState Platform automatically builds runtime environments securely from source code on demand, and generates an SBOM as an artifact of the process to provide insight into the software supply chain from which the environment was built. SBOMs can be manually generated at any time for any runtime environment, or programmatically created via the GraphQL API.
ActiveState SBOM capabilities:
- Analyze all components used in the build and runtime processes
- Gather identity, vulnerability, and legal data of found components
- Generate an SPDX SBOM in JSON or SPDX format
Unlike Sonatype, ActiveState vendors all dependencies (including OS-native C/C++, Fortran and other low-level libraries) in order to build everything from source code. As a result, Activestate generates a complete and accurate SBOM that includes not only all runtime components, but also all build time dependencies, as well. A compromised build time component may compromise any artifact it creates, which may not become apparent until too late.
Advantage: ActiveState
Sonatype vs ActiveState Binary Repository Capabilities
Nexus is Sonatype’s flagship product, and a market-leading artifact repository with mature capabilities. By comparison, ActiveState offers binary repository capabilities as a convenience to customers that need to share individual Python wheels. As such, the two are not really comparable except in their ability to control which artifacts get shared to which users.
A better way to compare both offerings is to examine the way they work to support both individual packages (Sonatype), as well as built environments (ActiveState):
| ActiveState | Sonatype | |
| Supported languages | Python, Perl, Ruby, Tcl, as well as C/C++ | Java, .NET, JavaScript, Ruby, Go, PHP, C/C++, R |
| Supported Formats | Exe, gzip, pkg | Apt, bower, CocoaPods, conda, docker, helm, p2, yum, raw |
| Layout/Organization | Hierarchically by organization and then runtime environment | Hierarchically by organization and then application |
| Search-ability | Via the UI by package name or Via the API by package name, attributes, version & checksum |
Via the UI and API by package name, attributes, version & checksum |
| API | GraphQL-based; provides programmatic access to all artifacts used in and generated by the build process | REST-based; provides programmatic access to most Nexus, Firewall & Lifecycle functionality |
| Command Line Interface (CLI) | State Tool | Nexus3 (for interacting with Nexus)Nexus IQ CLI (for interacting with Lifecycle) |
| CI/CD integration | Supports most CI/CD systems; promotes/uploads a prebuilt runtime environment | Supports most CI/CD systems; promotes/bulk uploads all artifacts for an application |
| GitHub integration | Import open source from GitHub repos | Scan for vulnerabilities |
| Retention/Cleanup | Assumes permanent retention, but allows manual deletion. | Scheduled cleanup tasks filtered by time, downloads, and release type. |
| Auth | Social Login (GitHub) | LDAP, Atlassian Crowd, SAML and RUT |
| User Groups & Roles | Assign roles | Assign roles with privileges |
| Storage | AWS S3 | AWS S3 and local |
| Extensibility | N/A | Plugin marketplace |
| Package Import Controls | Quarantine | Firewall and quarantine |
| Import Prebuilt Packages/ Binaries | Few sources; 100’s of thousands of components ingested | 100’s of sources; millions of components ingested |
| Import Source Code | Y | N |
| Vulnerability Scanning | Y | Y |
| Malware Scanning | Y | Y |
| Dependency Health Scoring | N | Y |
| Automated Remediation | Y | N |
| Package License Identification | Y | Y |
| Policy Controls | N | Y |
| Policy Enforcement | N | Y |
| IDE Integration | Y | Y |
| Integrated Secure Build Process | Y | N |
| Pricing | Starts at $1K/yr | Starts at $5K/yr |
Advantage: Sonatype
Conclusions – Integrating Sonatype and ActiveState
While both Sonatype and ActiveState can help you secure your software supply chain, they approach the problem from decidedly different angles:
- ActiveState works with dependency source code, effectively vendoring your dependencies in order to automatically build them securely from vetted source code on your behalf, and then helps you keep those dependencies up-to-date and free of vulnerabilities.
- Sonatype works with prebuilt dependencies, allowing you to create and enforce policies to ensure they remain in compliance with your organization’s guidelines, as well as free from vulnerabilities.
In this respect, the two solutions are more complementary than competitive. By deploying both solutions together you can gain the best of both worlds:
- ActiveState dependencies built securely from source code
- Sonatype Nexus for dependency access management, while enforcing policies to ensure governance.
For example, you might consider populating Nexus with ActiveState-built Python wheels in order to ensure that your SCA tools are always working against a complete dependency tree that has been securely built from source.
Next Steps:
Listen to how ActiveState can populate artifact repositories with binary components securely built from source code.
