If you are a Java developer, it’s possible that you are familiar with the names Nexus and/or Artifactory as the de facto standards for storing binary Java artifacts. These products have been around quite a while and have solid corporate backing from Sonatype and JFrog respectively. As they and the software landscape have grown, they have built on top of their repository foundations to provide critical functionality to software delivery pipelines and teams.
Today I’m going to talk about some exciting features of these repositories and why they go far beyond simply storing software artifacts.
Central Artifact Hub
Both Artifactory and Nexus got their starts in the Java space, but they have each endeavored to become the central hub for storage of any and all software artifacts that your organization might need. As this role has grown, both repositories have added the desirable feature of not only storing your company’s artifacts, but also acting as a proxy to any third-party websites that also provide needed libraries. This creates two major benefits for your organization:
1) Developers and build systems go to ONE URL for any libraries they may need. This simplifies build scripts, and it gives network administrators a single outbound host to monitor instead of every public registry a build might otherwise reach for.
2) Artifacts from remote websites are cached inside the repository, so a library is fetched from the Internet once and served from the cache thereafter, vastly reducing the network load of retrieving these artifacts on demand.
These benefits are great for network administrators who want to reduce network load while managing the many and various sources of libraries their organization may need.
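One way to check that the “one URL” property actually holds for a build, as an added example that is not from the original post nor from Sonatype or JFrog: the script below reads an npm package-lock.json and flags every dependency whose resolved URL did not come from the internal repository over HTTPS. The host name repo.example.com and the lockfile contents are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Assumption for this example: the organisation's Nexus/Artifactory instance is
# reachable at this host and every build is expected to resolve through it.
INTERNAL_REPO_HOST = "repo.example.com"

# Constructed package-lock.json (lockfile v3 layout) for the example; not from any real project.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"lodash": "^4.17.21", "left-pad": "^1.3.0"}},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://repo.example.com/repository/npm-group/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-constructed",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-constructed",
        },
        "node_modules/internal-logger": {
            "version": "2.0.1",
            "resolved": "git+ssh://git@github.com/example/internal-logger.git#abc123",
        },
        "node_modules/plain-http-dep": {
            "version": "0.1.0",
            "resolved": "http://repo.example.com/repository/npm-group/plain-http-dep/-/plain-http-dep-0.1.0.tgz",
            "integrity": "sha512-constructed",
        },
    },
})


def iter_resolved(lock):
    """Yield (install_path, resolved_url) for every dependency in a lockfile.
    Lockfile v2/v3 carry a flat "packages" map; v1 nests a "dependencies" tree."""
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path != "":                      # "" is the root project itself
                yield path, entry.get("resolved")
        return

    def walk(deps, prefix):
        for name, entry in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, entry.get("resolved")
            yield from walk(entry.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_bypasses(lock_text, allowed_host=INTERNAL_REPO_HOST):
    """Return [(install_path, resolved_url, reason)] for every dependency that
    did not come from the internal repository over HTTPS."""
    lock = json.loads(lock_text)
    findings = []
    for path, resolved in iter_resolved(lock):
        if resolved is None:
            findings.append((path, None, "no resolved URL recorded"))
            continue
        url = urlparse(resolved)
        if url.scheme != "https":
            findings.append((path, resolved, f"non-https scheme '{url.scheme}'"))
        elif url.hostname != allowed_host:
            findings.append((path, resolved, f"fetched from external host '{url.hostname}'"))
    return findings


if __name__ == "__main__":
    for path, url, reason in find_bypasses(SAMPLE_LOCKFILE):
        print(f"{path}: {reason} ({url})")
```

Run as a CI step on the committed lockfile, a non-empty result means someone's build resolved around the proxy (a stray `.npmrc`, a git dependency, a plain-http mirror), which is exactly the traffic the single-URL setup was meant to eliminate.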
Many types of repositories can be proxied as well. At the time of this writing, here are some of the repository formats supported by the two products:
- Maven/Gradle (Java)
- npm (NodeJS)
- NuGet (.NET)
- P2 (Eclipse)
- Vagrant (virtual machines)
- PyPI (Python)
- Docker (container images)
As you can see, these two products have moved far beyond their Java roots.
Security & Compliance
After reading the last section, you may be thinking: “My security team will never let us ‘proxy the Internet’!” You’d certainly be right that it is a big responsibility to be the single source for so many external libraries. Luckily both Nexus and Artifactory have your security team covered!
One of the core features of both products is the ability to report known vulnerabilities in proxied third-party artifacts and to block those artifacts from being downloaded. This gives security teams the flexibility to decide which libraries are acceptable and which are too risky to use, based on the organization’s risk tolerance. Note that blocking is only as good as the proxy’s coverage: if a build can still reach a public registry directly, a blocked artifact can simply be fetched from there, so build configurations should point at the repository and nowhere else.
In addition to listing vulnerabilities, Nexus and Artifactory can also track the variety of licenses attached to the third-party code your organization uses. While it isn’t sexy, understanding and managing the licenses in your external software reduces your company’s risk of litigation due to a license breach.
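As an added example (not code from the original post or from either product), here is the shape of the decision a repository policy engine makes for the vulnerability blocking and license management described above: each dependency is checked against a list of advisories (affected if its version is below the fixed version) and against a license allowlist, and anything at or above the blocking severity, or on a disallowed or unknown license, is refused while lower-severity findings are reported as warnings. The component names, advisory identifiers, versions and licenses are all constructed for the example.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Vulnerability:
    component: str
    fixed_in: str        # first version that contains the fix
    severity: str
    advisory_id: str     # constructed identifiers below, not real advisories


@dataclass
class Policy:
    block_at_or_above: str = "HIGH"     # severity that turns a finding into a block
    allowed_licenses: frozenset = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"})


@dataclass
class Decision:
    component: str
    version: str
    allowed: bool
    reasons: list = field(default_factory=list)


def parse_version(text):
    """'1.4.2-beta' -> (1, 4, 2); non-numeric suffixes are ignored for comparison."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_before(candidate, fixed_in):
    """True when candidate < fixed_in, comparing numerically component by component."""
    a, b = parse_version(candidate), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def evaluate(dependencies, vulns, licenses, policy=None):
    """dependencies: [(component, version)]; licenses: {component: SPDX id}.
    Returns one Decision per dependency, in input order."""
    policy = policy or Policy()
    threshold = SEVERITY_RANK[policy.block_at_or_above]
    decisions = []
    for component, version in dependencies:
        d = Decision(component, version, allowed=True)
        for v in vulns:
            if v.component == component and version_before(version, v.fixed_in):
                note = f"{v.advisory_id} ({v.severity}, fixed in {v.fixed_in})"
                if SEVERITY_RANK[v.severity] >= threshold:
                    d.allowed = False
                    d.reasons.append("blocked: " + note)
                else:
                    d.reasons.append("warning: " + note)
        lic = licenses.get(component, "UNKNOWN")   # missing metadata is treated as not allowed
        if lic not in policy.allowed_licenses:
            d.allowed = False
            d.reasons.append(f"blocked: license {lic} not in allowlist")
        decisions.append(d)
    return decisions


# Constructed sample data: fictional components, advisory ids, versions and licenses.
SAMPLE_DEPENDENCIES = [
    ("acme-json", "1.4.2"),
    ("acme-json", "1.4.5"),
    ("acme-util", "2.0.0"),
    ("acme-report", "0.9.1"),
    ("acme-mystery", "3.1.0"),
]
SAMPLE_VULNS = [
    Vulnerability("acme-json", fixed_in="1.4.5", severity="HIGH", advisory_id="DEMO-2015-0001"),
    Vulnerability("acme-util", fixed_in="2.1.0", severity="MEDIUM", advisory_id="DEMO-2015-0002"),
]
SAMPLE_LICENSES = {
    "acme-json": "Apache-2.0",
    "acme-util": "MIT",
    "acme-report": "GPL-3.0-only",
    # acme-mystery deliberately has no license metadata
}

if __name__ == "__main__":
    for d in evaluate(SAMPLE_DEPENDENCIES, SAMPLE_VULNS, SAMPLE_LICENSES):
        print(f"{d.component} {d.version}: {'ALLOW' if d.allowed else 'BLOCK'} {d.reasons}")
```

Two design points worth copying into a real policy: an artifact with no license metadata is blocked rather than waved through, and the severity threshold is a policy parameter so the same engine can run in “warn” mode while a team works through its backlog and in “block” mode once the baseline is clean.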
Code Modularity and Reuse
Versioning and availability of your artifacts can open new paths to practicing solid software architecture with decoupled components. Imagine that you have developed a killer logging module that you can see everyone on the team starting to adopt, if only they could get to it. How would you distribute it to them for use?
The clear answer is that you need a central place to store this artifact where others can reference it and obtain it easily. Both Nexus and Artifactory support a variety of build tools that allow you to simply specify your module as a dependency in the build file, and the build tool will do the heavy lifting of retrieving it from the repository.
This simple method of sharing versioned artifacts encourages team members to think about ways their code could be reused, because they now have a way to easily share it with other team members or teams.
Continuous Delivery Pipeline
If you think of your software as many components that are assembled to create a final software product, then you most likely understand the need for a software delivery pipeline. Similar to an assembly line, there are many artifacts that are completed at various stages and they need somewhere to be stored and recalled when needed for final assembly. Nexus and Artifactory provide this storage and recall to continuous integration servers that are responsible for automating the assembly of your software.
Utilizing Nexus or Artifactory in your software delivery pipeline provides you with full traceability of exactly what was built, at what stage, and how it reached its final destination. Popular continuous integration servers such as Jenkins (https://jenkins-ci.org/) and TeamCity (https://www.jetbrains.com/teamcity/) integrate very easily with Nexus and Artifactory, so you can push artifacts to and pull artifacts from the repository within your build process while maintaining good audit controls and traceability.
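An added example of the traceability point (mine, not the original post’s, and not the build-info format of either product): CI records a manifest of what it built, keyed by content digest, and a later pipeline stage verifies that the artifacts it pulls from the repository are byte-for-byte the ones in that manifest, so an artifact that was rebuilt elsewhere and re-uploaded is caught before it ships. The manifest layout and the artifact bytes are constructed for the example.

```python
import hashlib
import json

# Constructed artifact contents for the example; a real build would read the files it produced.
CI_BUILD_OUTPUT = {
    "demo-service-1.4.0.jar": b"PK\x03\x04 constructed jar bytes",
    "demo-service-1.4.0.pom": b"<project>constructed pom</project>",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def record_build(build_name, build_number, vcs_revision, artifacts):
    """Produce a build manifest: which build produced which artifact, by content digest.
    Hypothetical layout for this example, not Artifactory's build-info schema."""
    return {
        "build": {"name": build_name, "number": build_number, "vcs_revision": vcs_revision},
        "artifacts": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in artifacts.items()
        },
    }


def verify_promotion(manifest, retrieved):
    """Check that the artifacts pulled at a later stage are exactly the ones CI recorded.
    Returns a list of problems; an empty list means the stage is using what was built."""
    problems = []
    expected = manifest["artifacts"]
    build = manifest["build"]
    for name, meta in expected.items():
        if name not in retrieved:
            problems.append(f"{name}: missing at this stage")
            continue
        actual = sha256_hex(retrieved[name])
        if actual != meta["sha256"]:
            problems.append(
                f"{name}: digest {actual[:12]}... does not match build "
                f"{build['name']}#{build['number']} ({meta['sha256'][:12]}...)"
            )
    for name in retrieved:
        if name not in expected:
            problems.append(f"{name}: not produced by the recorded build")
    return problems


if __name__ == "__main__":
    manifest = record_build("demo-service", 42, "0123abcd", CI_BUILD_OUTPUT)
    print(json.dumps(manifest, indent=2))
    # The artifacts are promoted unchanged: no problems.
    print(verify_promotion(manifest, CI_BUILD_OUTPUT))
    # Someone rebuilt the jar on a laptop and uploaded it over the CI one: caught.
    tampered = dict(CI_BUILD_OUTPUT, **{"demo-service-1.4.0.jar": b"rebuilt on a laptop"})
    print(verify_promotion(manifest, tampered))
```

The manifest is what turns “the repository has a 1.4.0 jar” into “this exact jar came out of build #42 at revision 0123abcd”; storing it alongside the artifacts and checking it at every promotion step is what gives the pipeline the audit trail described above.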
You might have noticed in the “Central Artifact Hub” section above that both Nexus and Artifactory support the new kid on the block, Docker. Docker is quickly rising as one of the hottest new trends in software development, and it is good to see that both repositories provide support for Docker images.
Supporting Docker images means that if you are already considering one of these products for another type of artifact, then you won’t have to stand up yet another repository just for Docker. Please keep in mind that this support is new and that Docker defines and evolves its own registry API, to which both Nexus and Artifactory need to conform. It is always a good idea to keep up with the release notes of these products to make sure that they fully support the current version of Docker’s registry API.
Artifact repositories have come a long way since the days of storing software artifacts on a shared drive. Today’s major repository offerings from Sonatype and JFrog offer a wealth of features to help your organization manage its diverse portfolio of internal and external libraries while remaining secure and compliant. They also promote solid coding practices and integration with continuous integration servers helping to drive automation of software delivery. Hopefully I’ve introduced you to why artifact repositories like Nexus and Artifactory have become so critical to my software delivery success.