OSS Index Updates

Enhancements to OSSI with Breaking Changes

Hi there,

We’re excited to augment OSS Index with some of our enterprise data that’s historically only been available to paying customers.. For those users interested in gaining access to our full enterprise data set, plus end-to-end open source governance and component defense to block malicious open source, check out our full Nexus platform.

What this means for you?

  1. OSSI will be updated faster. With the rapid growth of software supply chain attacks exploiting open source vulnerabilities, speed to remediate is becoming increasingly critical. Now that OSS Index uses our enterprise data, data for OSS Index users will be updated as quickly as for our commercial customers.
  2. OSSI will be more accurate. OSS Index will provide not just public vulnerability data, but also some of our proprietary data generated by our 65+ person research team and our Nexus Intelligence engine. This curation means you’ll see fewer false positives and more accurate component identification.
  3. OSSI will know about more vulnerabilities. Sonatype’s research team is often first to identify vulnerable and malicious open source components, and OSS Index will now contain vulnerabilities even before they are publicly confirmed.

What are the breaking changes?

We’ve worked hard to find ways to avoid causing any downstream issues but have ultimately come to the conclusion that they are unavoidable.

  1. IDs will change. If you have stored any vulnerability IDs locally or used them to “ignore” a vulnerability that information will be lost.
  2. Some ecosystems will no longer be supported.As part of this change we will be dropping support for Drupal, Debian, Chocolatey, Alpine, Bower and Go Dep. Note: Go Mod will continue to be supported and we encourage all OSS Index users to upgrade to newer Go Mod modules.

When will this happen?

  1. May 23: OSS Index will start using the new data pipeline and you will see the improvements listed above.
  2. August 1: Support for ecosystems mentioned above will be dropped and Ahab will be sunsetted.
Given that support for Go Dep packages will be dropped on August 1, we encourage all OSS Index users to upgrade to newer Go Mod modules.

I have concerns, who should I contact?

Please email ossindex@sonatype.org and someone from Sonatype will get back to you.

Many Thanks,



Joseph Stephens
(Senior Product Manager - OSS Index & Sonatype Lift)