The EDF Group and Sonatype Lifecycle

Helping consumers manage energy resources and consumption.

Électricité de France is one of the world’s largest generators of electricity. With 37.6 million customer accounts worldwide, 154,845 employees and 71.2 billion Euros in annual revenue, EDF is reinventing the products and services it offers to help residential customers manage their electricity consumption. The CAP 2030 project aims to significantly increase renewable energy production by 2030 by providing customized and decentralized energy solutions.

The purpose of the EDF Group Engineering Team is to normalize and facilitate a scalable, repeatable build process. This framework is used to create new personalized management products and services for their customers. The EDF Group uses Sonatype Nexus Repository and Sonatype Lifecycle as part of their DevOps tool set to create these new technologies.

“The biggest advantage of using Sonatype Lifecycle is to be able to report to our project team what specific libraries are used within our applications. We have immediate visibility into security issues.”

OLIVIER ROUTIER
Head of CI DevOps Engineering

The Challenge: Monitoring and Assessing Open Source License Liability at Scale

Prior to using Sonatype to manage, track and monitor package downloads, there was no scalable way to determine the potential liability associated with licenses for open source components used across the company.

The Engineering Management Team became concerned with the licensing issues raised by the use of open source components. Their initial process was to manually report use of new components to the information security team who would then have to evaluate potential risks. This process did not scale and was not adequate to keep pace with the volume of open source components being consumed in development. The extended duration of manual approval processes became bottlenecks to releasing software into production. In some instances, this meant that applications requiring analysis were not being shared with the information security teams.

EDF Security Team embraces Sonatype Nexus

"We have over 40 applications in production," explained Olivier Routier, head of CI for the DevOps Engineering team. Olivier is responsible for the integration of Sonatype Nexus Repository Manager within the DevOps pipeline. Sonatype Nexus is used to facilitate project builds and to map the libraries within the EDF SI (the group's information system). "There was little to no visibility into the libraries used within a project before we found Sonatype Nexus."

Retrospective, manual security reviews took place during downstream information exchange sessions between the security and development teams, but there was little visibility into the application projects after deployment. “Manual processes don’t have the ability to track and monitor open source and third-party libraries within that many applications,” explained Olivier.

The major challenge the engineering team wanted to overcome was how to get visibility into open source component usage within their applications.

The Solution: Integrating Sonatype Lifecycle into a Continuous DevOps Pipeline

The engineering team at the EDF Group was responsible for adding Sonatype Lifecycle into their build process. The team now uses Sonatype Lifecycle integrated with Eclipse, SonarQube, and Jenkins. They also integrated Ansible and OpenShift to create a continuous DevOps pipeline. The EDF Group started using Sonatype Lifecycle with a small group of users after meeting Sonatype at several industry conferences and then inviting us to map out the possibilities. A key factor in EDF's decision to use Sonatype Lifecycle was its integration with Jenkins.

The first step of getting approval for using Sonatype Lifecycle was getting the security team's buy-in. “If you want to create a DevOps process within your company, you must integrate your security team. With DevOps, there’s a lot of change in our processes as a result of applying more automation,” says Olivier. “A good relationship with the security team is an important one.”

He worked closely with the security team to demonstrate the value of the reports within Sonatype Lifecycle, showing the ease of creation and the accuracy of the output. “With Lifecycle you can see the transitive dependencies. Using it for the first time was like opening a wonderful gift,” Olivier said while shaking his head. "Not only is the tracking and monitoring automated, you also have the ability to launch the process manually and analyze a specific package as needed."
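The Jenkins integration described above, as an added example that is not part of the original case study and not EDF's or Sonatype's own pipeline code: a declarative Jenkinsfile that builds a Maven project, runs a Sonatype Lifecycle (Nexus IQ) policy evaluation at the "build" stage through the Nexus Platform Plugin's `nexusPolicyEvaluation` step, and records the report URL. The application id `billing-portal`, the server id `nexus-iq`, the scan pattern and the Jenkins agent label are assumed placeholders; the step fails the build automatically when a policy whose action is "Fail" is violated, so the explicit check only guards the unusual case where the evaluation returns no report. Verify the step's exact parameter names against the version of the plugin installed on your Jenkins controller.

```groovy
// Added example Jenkinsfile (not from the original page). Assumes the
// Sonatype Nexus Platform Plugin is installed and an IQ server named
// 'nexus-iq' is configured under Manage Jenkins > Configure System.
pipeline {
    agent { label 'maven' }   // assumed agent label

    options {
        timestamps()
        // Keep the pipeline from running forever if the IQ server is unreachable.
        timeout(time: 30, unit: 'MINUTES')
    }

    stages {
        stage('Build') {
            steps {
                // Package the application; -DskipTests keeps the example short,
                // a real pipeline would run the test suite here.
                sh 'mvn -B -DskipTests clean package'
            }
        }

        stage('Lifecycle policy evaluation') {
            steps {
                script {
                    // Evaluate the built artifact(s) against the Lifecycle
                    // policies assigned to the assumed application id
                    // 'billing-portal' at the 'build' stage.
                    // Valid stages include 'build', 'stage-release',
                    // 'release' and 'operate'.
                    def evaluation = nexusPolicyEvaluation(
                        iqApplication: 'billing-portal',      // assumed id
                        iqStage: 'build',
                        iqScanPatterns: [[scanPattern: 'target/*.jar']],
                        // Treat an unreachable IQ server as a failure rather
                        // than silently skipping the security gate.
                        failBuildOnNetworkError: true
                    )

                    // The step returns a result object; the report URL and
                    // affected component count are the fields most useful
                    // to surface back to the project team.
                    if (evaluation == null || !evaluation.applicationCompositionReportUrl) {
                        error 'Policy evaluation produced no report; refusing to continue'
                    }
                    echo "Lifecycle report: ${evaluation.applicationCompositionReportUrl}"
                    echo "Components with policy findings: ${evaluation.affectedComponentCount}"
                }
            }
        }

        stage('Archive') {
            steps {
                archiveArtifacts artifacts: 'target/*.jar', fingerprint: true
            }
        }
    }

    post {
        failure {
            // A failed policy evaluation (or build) should be visible to the
            // project team, not buried in the console log.
            echo 'Build failed: check the Lifecycle report link above for the violating components'
        }
    }
}
```

Because the evaluation runs at the `build` stage on every commit, the transitive dependencies Olivier describes are inventoried and checked against policy before an artifact is ever promoted; the same step can be rerun at `stage-release` or `release` against the exact artifact being promoted, which is the pipeline equivalent of the manual, on-demand analysis of a single package he mentions.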

Automating OSS Governance at Scale

Olivier performed tests on the information Lifecycle was bringing back to verify the accuracy of the data. The first thing the team did was run their WebLogic server binary through Lifecycle and compare the top-level findings with a previous security report that included recommendations on what to patch. The data from the Lifecycle reports was far superior to the results delivered by the previous process.

Sonatype Lifecycle's dashboard reporting empowered the developers and project teams to know what was in the libraries that were used to build the applications. The high quality of the data available in the reports encouraged the security team to “use their own budget for it on other projects.”

The Outcome: Rapidly Choose a Safe Version of an Open Source Component with Confidence

Because of the reliability of the information coming out of Sonatype Lifecycle, the EDF project team can rapidly choose a safe version of a component, confident in their knowledge of its known security and license issues. They can then track and monitor the use of those components early and everywhere throughout their development and deployment lifecycle.

“The biggest advantage of using Lifecycle is to be able to report to our project team what specific libraries are used within our applications, with the security issues or license risks associated with those libraries. We have immediate visibility into any component that is out of compliance with our policies. That’s why we chose Lifecycle. We automatically track and monitor libraries as part of our development process. Now, we’re expanding the use of Sonatype outside our DevOps teams and projects.”

When asked if he would recommend Sonatype Lifecycle, Olivier’s response is telling. “Yes. Your product is great. I can say this, because I use it.”
