Application Health Check FAQ

Application Health Check

Note: No source or binary code is ever exposed, uploaded, or sent to Sonatype.

What does Application Health Check do?

In minutes you'll analyze your application and uncover potential security, licensing, and quality problems.

The Summary report you will receive provides a snapshot of the number of components found, as well as the number and types of risks, if any. The Detailed, Full Report provides a specific inventory of components and associated risks, coordinates, etc. See a sample of the full, detailed report.

The report can be used to not only evaluate your own internal applications, but also check the quality of the code received from third party vendors.

How does Application Health Check work, and what information is sent to Sonatype?

Application Health Check uses short hashes for component identification. In order to best protect your intellectual property, only these limited signatures of your application's components will be exchanged with the Sonatype Data Service -- i.e. no source or binary code is ever exposed, uploaded, or sent to Sonatype. These component signatures are then matched against a database of security, quality, and licensing information in order to generate your comprehensive Application Health Check report.

Here’s an example of what the information transmitted to Sonatype looks like:

  <item key="013b4d333e95f3a5ac765fc2a3ab05e9f29d7952"

The security, safety, and anonymity of your data is our greatest concern, and we take the necessary steps to ensure that.

What types of Applications can I evaluate?

Application Health Check currently supports evaluating Java applications (the binary, not the source), which contain Java components/artifacts. In addition to the standard jar, war and ear file types, Application Health Check will also analyze these additional file extensions: aar, har, hpi, mar, nbm, rar, sar, tar, tar.bz2, tar.gz, tb2, tbz, tgz, wsr, zip.

How can I identify my proprietary (internally developed) components?

Listing your proprietary packages allows you to specify which components are unique to your organization. By doing this, we will use this information to identify these components in the report as proprietary, helping you focus on external components.

In this field, simply enter the prefix for your package namespace. For example, com.mycompany, which will mark everything found in the path of com/mycompany as a proprietary component. If you wish to enter multiple packages, separate these by a comma or new line break.

Note: These components will still be evaluated and matched accordingly.

How do I use Application Health Check?

Evaluating an application is pretty easy, but sometimes can be a little confusing at first.

The most important thing: make sure you are evaluating something that is a Java application (the binary, not the source). Sometimes people try to use a variety of files just to test or try something out. That makes sense, but it won't produce any results. If you want to test out this tool, try one of these sample files first.

Once you are ready to analyze an application, you will be asked for the following information:

  • Email Address: The email address entered here is where we will send a link for your report. It will also serve as your user name for accessing the report.
  • File to Evaluate: Select a Java Application archive to evaluate. This will typically be a war or zip containing other wars or jars. Run Application Health Check on your binary archive and we'll send you a report with details about the components you're using.
  • Name for Report: Choose a name for your report, such as your application name so you can keep track of analyses conducted for more than one application. If you don't provide a report name, we'll just use the name of the file you selected.
  • Password: A password is required to help prevent unwanted access to your report. If you have forgotten your password, you can contact our support team for further assistance, or simply re-evaluate your application.
  • Proxy Server Settings (optional): Application Health Check uses https to communicate with the Sonatype Data Service. If you need to connect through a proxy to browse the web, enter those details here.
  • Proprietary Packages (optional): Use this field to give Application Health Check information about what Java packages are proprietary. We will use this information to identify these components in the report, which will help you focus on external components. The values in this box are compared against the Java packages of the components being evaluated. If we find a match, then the component will be flagged as proprietary. In the event you wish to enter multiple packages, separate these by a comma or hard return.


Need help understanding your report?

Please visit our web page, Guide to Understanding the Application Health Check, which includes a sample report and helpful definitions, a video tour of a sample report from our head of product management, plus a detailed guide to the policies that drive the analyses in case you need that level of information.

Who is Sonatype?

The Application Health Check is a free community service offered by Sonatype. We have a long history of support for the open source community as the stewards of the Central (Maven) Repository, providers of the world-leading Nexus Repository Manager and Component Lifecycle Management. Learn more at our web site:

Have more questions? Submit a request


Article is closed for comments.
Powered by Zendesk