Note: No source or binary code is ever exposed, uploaded, or sent to Sonatype.
In minutes you'll analyze your application and uncover potential security, licensing, and quality problems.
The Summary report you will receive provides a snapshot of the number of components found, as well as the number and types of risks, if any. The Detailed, Full Report provides a per-component inventory listing each component, its coordinates, and its associated risks. See a sample of the full, detailed report.
The report can be used to not only evaluate your own internal applications, but also check the quality of the code received from third party vendors.
Application Health Check uses short hashes for component identification. In order to fully protect your intellectual property, only these limited signatures of your application's components will be exchanged with the Sonatype Data Service -- i.e. no source or binary code is ever exposed, uploaded, or sent to Sonatype. These component signatures are then matched against a database of security, quality, and licensing information in order to generate your comprehensive Application Health Check report.
Here’s an example of what the information transmitted to Sonatype looks like:
<item key="013b4d333e95f3a5ac765fc2a3ab05e9f29d7952" path="ch/qos/logback/core/util/Loader.class" sha1="6cdbcfa9150af71c7b6b3adfbbc1e1e940f9413e" sha1JA001="2f9768f33c106400ae23863165643d167a25e8ba" sha1JB001="878d54d1c132ddeee47ec7ebd9cefbd8b31cb5ac" sha1JC001="f65040a6798ab66c56ce0ef163195454a68c5921" sha1JD001="4f093c9bd65a0e6d233171b3362109ab5b372235"/>
The security, safety, and anonymity of your data is our greatest concern, and we take the necessary steps to ensure that, including requiring an ID and password to access your confidential data.
Application Health Check currently supports evaluating Java applications (the binary, not the source), which contain Java components/artifacts. In addition to the standard jar, war and ear file types, Application Health Check will also analyze these additional file extensions: aar, har, hpi, mar, nbm, rar, sar, tar, tar.bz2, tar.gz, tb2, tbz, tgz, wsr, zip.
Listing your proprietary packages allows you to specify which components are unique to your organization. We use this information to mark those components as proprietary in the report, helping you focus on external components.
In the Proprietary Packages field, simply enter the prefix for your package namespace. For example, entering com.mycompany marks everything found under the path com/mycompany as a proprietary component. If you wish to enter multiple packages, separate them with a comma or a new line break.
Note: These components will still be evaluated and matched accordingly.
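The following is an added example, not Sonatype's own code, showing what the two mechanisms described above amount to: walking a Java archive, hashing each .class entry so that only a digest (never the class bytes) is emitted, and classifying entries against the comma- or newline-separated Proprietary Packages field by turning com.mycompany into the path prefix com/mycompany/. It assumes the page's sha1 attribute is a plain SHA-1 over the raw class bytes; the key and sha1J*001 attributes are produced by Sonatype's tooling by a method the page does not describe, so they are omitted. The jar it inspects is constructed in memory with placeholder bytes instead of real class files.

```python
import hashlib
import io
import re
import zipfile
from xml.sax.saxutils import quoteattr


def parse_proprietary_packages(field_text):
    """Turn the Proprietary Packages field (comma or newline separated)
    into path prefixes: 'com.mycompany' -> 'com/mycompany/'."""
    prefixes = []
    for token in re.split(r"[,\n]", field_text):
        token = token.strip()
        if token:
            prefixes.append(token.replace(".", "/").rstrip("/") + "/")
    return prefixes


def inventory_archive(archive_bytes, proprietary_prefixes=()):
    """Return one record per .class entry: its path, the SHA-1 of its bytes
    and whether it falls under a proprietary prefix. The class bytes are
    read only to hash them and are not retained. Proprietary entries are
    still inventoried, matching the note that they are still evaluated."""
    records = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(".class"):
                continue
            digest = hashlib.sha1(zf.read(info)).hexdigest()
            records.append({
                "path": info.filename,
                "sha1": digest,
                "proprietary": any(info.filename.startswith(p)
                                   for p in proprietary_prefixes),
            })
    return records


def render_items(records):
    """Render records as <item .../> elements in the shape shown on the page,
    carrying only the path and the hash (assumption: key and sha1J*001 are
    Sonatype-specific and are left out here)."""
    return "\n".join(
        '<item path=%s sha1="%s"/>' % (quoteattr(r["path"]), r["sha1"])
        for r in records
    )


def build_sample_jar():
    """Constructed in-memory jar; entry contents are placeholder bytes
    (b'abc' and empty), not real compiled classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ch/qos/logback/core/util/Loader.class", b"abc")
        zf.writestr("com/mycompany/app/Main.class", b"")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    prefixes = parse_proprietary_packages("com.mycompany, org.example")
    recs = inventory_archive(build_sample_jar(), prefixes)
    for r in recs:
        print(("proprietary" if r["proprietary"] else "external   "), r["path"])
    print(render_items(recs))
```

Only the rendered <item> lines would leave the machine; the manifest and any non-class entries are skipped, and the digests (here the well-known SHA-1 values of "abc" and of the empty input) are all that identifies a class.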
Evaluating an application is pretty easy, but sometimes can be a little confusing at first.
The most important thing: make sure you are evaluating something that is a Java application (the binary, not the source). Sometimes people try to use a variety of files just to test or try something out. That makes sense, but it won't produce any results. If you want to test out this tool, try one of these sample files first. Once you are ready to analyze an application, you will be asked for the following information:
Please visit our web page, Guide to Understanding the Application Health Check, which includes a sample report and detailed definitions of the data presented in much of the report.
The Application Health Check is a free community service offered by Sonatype. We have a long history of support for the open source community as the stewards of the Central (Maven) Repository, providers of Nexus, the world's most popular repository manager, and Nexus Lifecycle. Learn more at www.Sonatype.com