by walterbell
3790 days ago
It's mostly for Java components. Sonatype also backports security fixes into older components that are still widely deployed, but receiving less attention from upstream devs.

From a 2012 article, http://allthingsd.com/20120710/sonatype-manager-of-grown-up-...:

"Sonatype runs something called the Central Repository, essentially a library of some 400,000 software components that is so widely used by software developers that it gets about five billion requests a year. That gives it a lot of visibility into what components are being used, and what potential problems might be cropping up. Simply keeping track of what software components were used to build an application goes a long way toward solving problems as they arise down the road."

Edit: better article on the GS funding, https://www.washingtonpost.com/business/capitalbusiness/md-b...:

“Imagine a situation where Toyota let their line workers make all the decisions about which suppliers to use without any governance or oversight; imagine what cars would be like,” he said. “All the cars would be really hard to maintain and an orderly recall would be next to impossible.” ... Some of the company’s larger customers pay Sonatype hundreds of thousands of dollars annually, Jackson says, and a few pay close to $1 million.