It’s just there. Just like the stars, just like electricity, just like Java. In the Java world, Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors, but Java code comes from only one place: Maven Central. Maven Central is so reliable that it’s understandable that we all take it for granted.
Recently, though, we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware, and even in the Java world there are significant vulnerabilities that some have called for to be removed.
This talk is intended to give you the background into the history of Maven central, explain why Sonatype, who are the stewards of Maven Central, provide such a critical service and what our philosophy is for dealing with problematic content. We’ll also explore how the service works under the covers, the APIs you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
2. @Jamie_Lee_C
Introduction
About me
Name: Jamie Lee Coleman
Current Role: Developer Advocate @ Sonatype
Past experience: Developer in Mainframe Software (CICS), WebSphere & OpenJ9 @ IBM
Twitter: @Jamie_Lee_C
Linked-In: https://www.linkedin.com/in/jamie-coleman/
Benefits of FOSS
Personal control and customizability (4 main FOSS freedoms): study, copy, modify, redistribute
Privacy and Security*: use the community to find bugs quickly
Low or no costs: software is free with optional licencing
Quality, collaboration and efficiency: many people and organizations working together; performance can be much better due to the amount of people contributing; project development can become more agile and efficient
Image source: Blind men and an elephant,
https://en.wikipedia.org/w/index.php?title=Blind_men_and_an_elephant&oldid=1085926226 (last visited May 8, 2022).
Maven Central outgrew its origins
Central by the Numbers
Statistics as of 6 May 2022:
8.8m component versions stored in 27TB of files, representing approximately 79k namespaces / organizations / publishers
Maven Central Growth
• Java (Maven): Through the first 7 months of 2023, 512 billion Java components were requested from the Maven Central Repository. This is a significant jump compared to the 821 billion requests in 2022. Java continues to grow at a healthy pace, hitting an estimated 25% YoY request growth rate. If previous years are any indication, we may well see a spike towards the end of the year.
Central by the Numbers: $£€
In the end, running a service like Maven Central is expensive. But it’s what we do.
Our roots and our business make it a core value to keep Maven Central a vibrant, useful and safe place.
Proof of domain ownership
Helps reduce malware ending up in the repository
org.apache.logging.log4j:999.999.999 - Dependency confusion - Defeated
org.apache.logging.logj4:2.18 - Typo-squatting - Defeated
org.apaceh.logging.log4j - Typo-squatting - Allowed
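The three rows above come down to one rule: a publisher may only release under a groupId whose reverse-DNS namespace they have proved they own. The following is an added example that models that rule; it is not Sonatype's or Maven Central's own code. The registry of verified namespaces, the publisher account names and the PublishRequest type are assumptions constructed for the demo. It also adds a consumer-side look-alike check, because ownership proof cannot reject a namespace backed by a genuinely registered look-alike domain (the "Allowed" row), so that case has to be caught on the consuming side.

```python
"""Namespace ownership check modelled on Maven Central's proof-of-domain-ownership rule,
plus a consumer-side look-alike warning. Added example, not Sonatype's code."""
import re
from dataclasses import dataclass

# Constructed registry: which publisher account proved ownership of which reverse-DNS
# namespace. In reality this is established by a DNS TXT record or redirect check.
VERIFIED_NAMESPACES = {
    "org.apache": "apache-release-manager",   # owner of apache.org (constructed account name)
    "org.apaceh": "lookalike-owner",          # owner of the look-alike domain apaceh.org (constructed)
}

# A groupId must look like a reverse-DNS name: at least two dot-separated labels.
GROUP_ID_RE = re.compile(r"^[a-z0-9]+(\.[a-z0-9-]+)+$")


@dataclass(frozen=True)
class PublishRequest:  # hypothetical shape of an upload request
    group_id: str
    artifact_id: str
    version: str
    publisher: str


def owning_publisher(group_id):
    """Return the publisher who verified the longest matching namespace prefix, or None."""
    labels = group_id.split(".")
    for n in range(len(labels), 0, -1):
        prefix = ".".join(labels[:n])
        if prefix in VERIFIED_NAMESPACES:
            return VERIFIED_NAMESPACES[prefix]
    return None


def check_publish(req):
    """Repository-side decision: (allowed, reason). A bogus version such as 999.999.999 or a
    typo inside a verified namespace is rejected simply because the uploader does not own it."""
    if not GROUP_ID_RE.match(req.group_id):
        return False, "groupId is not a valid reverse-DNS namespace"
    owner = owning_publisher(req.group_id)
    if owner is None:
        return False, "namespace has not been verified by any publisher"
    if owner != req.publisher:
        return False, f"namespace is owned by {owner}, not {req.publisher}"
    return True, "publisher owns the namespace"


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions (apache/apaceh = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(group_id, trusted_groups, max_distance=1):
    """Consumer-side check: return the trusted groupId this one is a near-miss of, else None.
    Compares the same number of labels as the trusted name, so both a swapped label
    (org.apaceh...) and a swapped artifact label (...logj4) are flagged."""
    labels = group_id.split(".")
    for trusted in trusted_groups:
        k = len(trusted.split("."))
        dist = osa_distance(".".join(labels[:k]), trusted)
        if 0 < dist <= max_distance:
            return trusted
    return None


if __name__ == "__main__":
    attacker = "mallory"
    for g, v in [("org.apache.logging.log4j", "999.999.999"), ("org.apache.logging.logj4", "2.18")]:
        print(g, v, check_publish(PublishRequest(g, "log4j-core", v, attacker)))
    print("org.apaceh.logging.log4j", check_publish(PublishRequest("org.apaceh.logging.log4j", "log4j-core", "2.18", "lookalike-owner")))
    print("consumer warning:", lookalike_of("org.apaceh.logging.log4j", ["org.apache.logging.log4j"]))
```

The repository-side function rejects the first two rows and allows the third, exactly as the slide shows; the consumer-side function is what a build would run over its own dependency list to flag that third row.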
Everything else is hard
Does the new package contain vulnerabilities?
How do you figure that out?
Do you stop code being published?
Does the new package contain active malware?
How do you figure that out?
Do you stop code being published?
How do you make sure consumers know what they are getting?
For Maven Central, finding out about vulnerabilities before you select a version is straightforward.
Accuracy depends on the quality of the scanning tools, the skills of the research team and the skills of the bad guys.
All are always getting better.
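The consumer side of "finding out before you select a version" is mechanical: read the dependencies a project declares, turn each coordinate into a package URL (purl), and look the purls up against a vulnerability feed. The following is an added example of that flow, not Sonatype's or Maven Central's own code. The pom.xml, the advisory feed and every identifier in it (artifacts, advisory IDs, version ranges) are constructed for the demo; a real check would send the same purls to a vulnerability service such as Sonatype OSS Index. The version ordering is a deliberate simplification of Maven's own comparison rules.

```python
"""Inventory declared Maven dependencies, emit purls, and match them against an advisory feed.
Added example; the pom and the feed below are constructed, not real data."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom.xml for a hypothetical project; one version comes from a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <helper.version>3.2.0</helper.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>helper-lib</artifactId>
      <version>${helper.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>json-parser</artifactId>
      <version>1.4.2</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed: affected range is [introduced, fixed). IDs are placeholders.
CONSTRUCTED_FEED = [
    {"id": "ADV-0001 (constructed)", "group": "com.example", "artifact": "helper-lib",
     "introduced": "3.0.0", "fixed": "3.3.0"},
    {"id": "ADV-0002 (constructed)", "group": "org.example", "artifact": "json-parser",
     "introduced": "1.0.0", "fixed": "1.2.0"},
]


def version_key(version):
    """Sortable key for dotted versions; numeric tokens order before non-numeric ones.
    Simplification: Maven's ComparableVersion handles qualifiers (alpha, rc, ...) more richly."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def parse_dependencies(pom_text):
    """Return [{'groupId', 'artifactId', 'version'}] with ${property} references resolved."""
    root = ET.fromstring(pom_text)
    props = {}
    props_el = root.find(POM_NS + "properties")
    if props_el is not None:
        for child in props_el:
            props[child.tag.replace(POM_NS, "")] = (child.text or "").strip()

    def resolve(value):
        # Leave unknown properties untouched so the gap is visible rather than silently dropped.
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    deps = []
    for dep in root.iterfind(f"{POM_NS}dependencies/{POM_NS}dependency"):
        fields = {}
        for name in ("groupId", "artifactId", "version"):
            el = dep.find(POM_NS + name)
            fields[name] = resolve((el.text or "").strip()) if el is not None else None
        deps.append(fields)
    return deps


def to_purl(dep):
    """Package URL for a Maven coordinate: pkg:maven/<groupId>/<artifactId>@<version>."""
    return f"pkg:maven/{dep['groupId']}/{dep['artifactId']}@{dep['version']}"


def find_advisories(deps, feed):
    """Return (purl, advisory id) for every dependency whose version falls in an affected range."""
    hits = []
    for dep in deps:
        if dep["version"] is None:
            continue  # version managed elsewhere (parent/BOM); out of scope for this demo
        v = version_key(dep["version"])
        for adv in feed:
            same_component = adv["group"] == dep["groupId"] and adv["artifact"] == dep["artifactId"]
            if same_component and version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                hits.append((to_purl(dep), adv["id"]))
    return hits


if __name__ == "__main__":
    found = parse_dependencies(SAMPLE_POM)
    for d in found:
        print(to_purl(d))
    for purl, adv_id in find_advisories(found, CONSTRUCTED_FEED):
        print("AFFECTED:", purl, "->", adv_id)
```

Run as-is it reports the helper-lib dependency as affected and the json-parser one as clean; replacing CONSTRUCTED_FEED with the response for those purls from a real service is the only change needed to make it a pre-selection check in a build.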
Cyber Crime Facts
In 2016 Cybercrime surpassed the drug trade!
$450 Billion a year
$14,000 a second
Equivalent to 50 US Nimitz Class Aircraft carriers
If Cybercrime was a country by GDP in 2022
United States: $25.46 trillion
China: $17.93 trillion
Cyber Crime: $6 trillion+
Japan: $4.23 trillion
Germany: $4.07 trillion
India: $3.38 trillion
United Kingdom: $3.07 trillion
France: $2.78 trillion
Cyber Attacks are rising in number and sophistication
Nation states are preparing for the next war – and that’s all about software
The aim is to infiltrate infrastructure and essential services…
The field of battle
Typo-squatting
Dependency Confusion
Vulnerability exploitation
Vulnerability research
Build System compromised
Tools compromised
Open Source project compromise
Maven Central is evolving to give you more insight and better defenses
More…
SBOM support across the lifecycle
Sigstore support
Cross industry best practices
Enhanced Developer Intelligence
Your input please