It’s just there. Just like the stars, just like electricity, just like Java.
In the Java world Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors, but Java code comes from only one place: Maven Central.
Serving over 10 billion requests a week, Maven Central is so boring and so reliable that it’s understandable that it’s mostly invisible. It’s just there.
Recently though we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware, and even in the Java world there are significantly vulnerable components that some have called for to be removed.
This talk is intended to give you the background of Maven Central and what the philosophy is for dealing with problematic content.
We’ll also explore how the service works under the covers, the APIs you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
17. @spoole167
Image source: Blind men and an elephant,
https://en.wikipedia.org/w/index.php?title=Blind_men_and_an_elephant&oldid=1085926226 (last visited May 8, 2022).
Maven Central outgrew its origins
Central by the Numbers
Statistics as of 6 May 2022:
8.8m component versions, stored in 27TB of files, representing approximately 79k namespaces / organizations / publishers
Central by the Numbers: $£€
But it’s what we do. In the end, running a service like Maven Central is expensive. Our roots and our business make it a core value to keep Maven Central a vibrant, useful and safe place.
Proof of domain ownership
Helps reduce malware ending up in the repository. A publisher must prove control of the domain behind the reverse-DNS namespace (apache.org for org.apache.*), so three attempts against the log4j namespace fare differently:
org.apache.logging.log4j:999.999.999 - Dependency confusion (a real namespace with a bogus higher version) - Defeated
org.apache.logging.logj4:2.18 - Typo-squatting inside the verified namespace - Defeated
org.apaceh.logging.log4j - Typo-squatting on the domain itself (the squatter can register and prove apaceh.org) - Allowed
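The three cases above are decided at publish time by Central. The following is an added example, not code from the talk or from Sonatype: a consumer-side audit of a pom.xml that applies the same reverse-DNS rule and then adds the near-miss check Central cannot make for you, since the "Allowed" case is a namespace someone legitimately proved. The trusted-domain list, the known-group list, the published-version table and the sample pom.xml are all constructed for the demo; a real run would take them from your lockfile and the repository index.

```python
"""Consumer-side audit of pom.xml dependencies (added example, not the talk's code).

TRUSTED_DOMAINS, KNOWN_GROUPS, PUBLISHED_VERSIONS and SAMPLE_POM are constructed
stand-ins; replace them with data from your lockfile and the Central index.
"""
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed: domains whose owners have proven control to Central.
TRUSTED_DOMAINS = {"apache.org"}
# Constructed: groupIds this build is expected to depend on.
KNOWN_GROUPS = {"org.apache.logging.log4j"}
# Constructed stand-in for "versions that really exist in Central".
PUBLISHED_VERSIONS = {
    ("org.apache.logging.log4j", "log4j-core"): {"2.17.1", "2.17.2"},
}


def domain_for_group(group_id: str) -> str:
    """Reverse-DNS rule for Central namespaces: org.apache.logging.log4j must be
    published by whoever proves apache.org.  Simplified here: the first two
    labels are taken as the registrable domain."""
    labels = group_id.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"groupId {group_id!r} is not reverse-DNS shaped")
    return f"{labels[1]}.{labels[0]}"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a transposition such as log4j/logj4 costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_dependency(group: str, artifact: str, version: str) -> dict:
    """Classify one coordinate as ok / typosquat / dependency-confusion / unverified-domain."""
    coordinate = f"{group}:{artifact}:{version}"
    domain = domain_for_group(group)
    if domain in TRUSTED_DOMAINS:
        if group not in KNOWN_GROUPS:
            # Central's domain check stops a squatter publishing this ("Defeated");
            # a consumer asking for it has mistyped the namespace.
            return dict(coordinate=coordinate, verdict="typosquat",
                        reason=f"{group} is not a known namespace under {domain}")
        if version not in PUBLISHED_VERSIONS.get((group, artifact), set()):
            # Real namespace, version never published: dependency-confusion bait.
            return dict(coordinate=coordinate, verdict="dependency-confusion",
                        reason=f"{version} was never published for {group}:{artifact}")
        return dict(coordinate=coordinate, verdict="ok",
                    reason="known namespace and published version")
    # Nobody we trust proved this domain.  A squatter can register apaceh.org and
    # pass Central's check ("Allowed"), so the near-miss test has to run here.
    nearest = min(KNOWN_GROUPS, key=lambda g: edit_distance(group, g))
    distance = edit_distance(group, nearest)
    if distance <= 2:
        return dict(coordinate=coordinate, verdict="typosquat",
                    reason=f"{group} is {distance} edit(s) from trusted {nearest}")
    return dict(coordinate=coordinate, verdict="unverified-domain",
                reason=f"{domain} is not a trusted domain")


def audit_pom(pom_xml: str) -> list:
    """Run check_dependency over every <dependency> with an explicit version."""
    root = ET.fromstring(pom_xml)
    results = []
    for dep in root.iter(POM_NS + "dependency"):
        results.append(check_dependency(
            dep.findtext(POM_NS + "groupId"),
            dep.findtext(POM_NS + "artifactId"),
            dep.findtext(POM_NS + "version")))
    return results


# Constructed pom.xml carrying the slide's three cases plus one clean dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>999.999.999</version></dependency>
    <dependency><groupId>org.apache.logging.logj4</groupId><artifactId>log4j-core</artifactId><version>2.18</version></dependency>
    <dependency><groupId>org.apaceh.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.17.2</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.17.2</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for r in audit_pom(SAMPLE_POM):
        print(f"{r['verdict']:<22}{r['coordinate']}  ({r['reason']})")
```

The edit-distance threshold of 2 is what catches both the logj4 transposition and the apaceh swap; raise it and legitimate sibling namespaces start to collide, so in practice the near-miss check is only meaningful against a short list of groups you actually intend to depend on.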
Everything else is hard
Does the new package contain vulnerabilities?
How do you figure that out?
Do you stop code being published?
Does the new package contain active malware?
How do you figure that out?
Do you stop code being published?
How do you make sure consumers know what they’re getting?
For Maven Central, finding out about vulnerabilities before you select a version is straightforward.
Accuracy depends on the quality of the scanning tools, the skills of the research team and the skills of the bad guys. All are always getting better.
Cyber attacks are rising in number and sophistication.
Nation states are preparing for the next war, and that is all about software.
The aim is to infiltrate infrastructure and essential services…
The field of battle
Typo-squatting
Dependency Confusion
Vulnerability exploitation
Vulnerability research
Build System compromised
Tools compromised
Open Source project compromise
Maven Central is evolving to give you more insight and better defenses
More:
SBOM support across the lifecycle
Sigstore support
Cross-industry best practices
Enhanced developer intelligence
Your input please
Want to help?
Sign up for Beta access to the Portal:
https://central-beta.sonatype.org
Reach out to me
@spoole167
https://www.linkedin.com/in/noregressions/
Keep an eye open for a more formal request