by mimog 4584 days ago
Nexus isn't a source code repository. What you found was their internal artifact server, i.e. compiled jar files.
2 comments

If you look inside those compiled jar files you'll find that the code is pretty easy to read. It's certainly enough to find vulnerabilities.
But... that can be said about any Java (jar) program's class files. It is also not difficult to decipher the asm of a disassembled exe file, but to equate that with finding the source code of the program would be disingenuous.
Decompilation of executable C files is much less accurate and usable than decompilation of Java class files, which usually produce verbatim Java source code. I don't know if source was or wasn't directly disclosed here, but if they leaked vanilla Java class files, that's basically equivalent to their source code.
You can drag and drop that jar file into http://jd.benow.ca/ and in two clicks you have 100% of the source code, variable names and all. It's not the same as decompiling a C executable by any means.
Having tested http://jd.benow.ca/ I must admit it seems to do a near perfect job. Impressive and scary at the same time.
Assuming they are building in Java, it's pretty common to publish source JARs to the repository along with the compiled classes.
I don't know of enough places that use Nexus to say whether it is common practice or not; however, we do not bundle jar files with sources at my place of employment, where we do use Nexus. If we wanted to bundle sources into a jar, that would have to be done explicitly, as it would require something like Maven's source plugin. In fact, in Maven the standard seems to be to include sources in a separate jar if one wants to publish the sources, i.e. again requiring an explicit choice and configuration.
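As an added example (not from any commenter in this thread), a small audit script for a Maven-layout directory of jars: it separates explicit `-sources.jar` artifacts and jars with bundled `.java` files from class-only jars, which, as the thread notes, are still easily decompiled. The repository layout and jar names are constructed for the demo and assume nothing about a real Nexus instance.

```python
import zipfile
from pathlib import Path
from tempfile import TemporaryDirectory


def jar_entries(path):
    """Return the entry names inside a jar (a jar is just a zip file)."""
    with zipfile.ZipFile(path) as zf:
        return zf.namelist()


def classify_jar(path):
    """Classify a jar as 'sources', 'mixed', 'classes' or 'other'.

    'sources': a Maven-style -sources.jar, or a jar containing only .java entries
    'mixed':   compiled .class files with .java files bundled alongside them
    'classes': bytecode only (still readable with a decompiler, but no source leak)
    'other':   no .class or .java entries at all
    """
    names = jar_entries(path)
    has_java = any(n.endswith(".java") for n in names)
    has_class = any(n.endswith(".class") for n in names)
    if Path(path).name.endswith("-sources.jar") or (has_java and not has_class):
        return "sources"
    if has_java and has_class:
        return "mixed"
    if has_class:
        return "classes"
    return "other"


def audit_repository(root):
    """Walk a repository directory and map each jar (relative path) to its class."""
    root = Path(root)
    return {str(p.relative_to(root)): classify_jar(p) for p in sorted(root.rglob("*.jar"))}


def _make_jar(path, entries):
    """Write a constructed sample jar containing empty entries with the given names."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")


def demo():
    """Build a constructed sample repository (not a real Nexus layout) and audit it."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp) / "repo" / "com" / "example" / "app" / "1.0"
        root.mkdir(parents=True)
        _make_jar(root / "app-1.0.jar", ["com/example/App.class", "META-INF/MANIFEST.MF"])
        _make_jar(root / "app-1.0-sources.jar", ["com/example/App.java"])
        _make_jar(root / "app-1.0-bundle.jar", ["com/example/App.class", "com/example/App.java"])
        return audit_repository(Path(tmp) / "repo")
```

Running `demo()` returns one entry per jar; anything classified `sources` or `mixed` in a repository that should only hold deployable artifacts is worth investigating.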