News and Notes from the Makers of Nexus | Sonatype Blog

Sonatype Rolls Out Enhanced JavaScript Scanning, npm Automated Pull Requests & More Free JS Developer Tools

Written by Kevin Miller | March 03, 2020

We’ve recently rolled out enhanced support for JavaScript that provides developers with improved accuracy, increased policy control, and faster remediation of open source vulnerabilities across the entire software development lifecycle.

Our enhancements for JavaScript give developers less noise when finding vulnerabilities, allow for better automation, more ways to scan, and better recommendations on remediating violations.

The use and availability of open source JavaScript components have exploded in recent years, with over 11 million JavaScript developers now actively writing code. According to npm, the go-to JavaScript registry, there are more than 1.2 million open source JavaScript packages, with over 17 billion downloads per week. That’s a lot of downloads. But are they safe? Sonatype’s 2019 State of the Software Supply Chain Report found that 51% of JavaScript packages downloaded had a known vulnerability.

Enhanced Algorithm, Expanded Coverage and Noise Reduction Across the Nexus Platform

Sonatype’s new, proprietary JavaScript scanning algorithm combines manifest scanning with scanning of the component files themselves. We now use multiple identification methods so that JavaScript components are identified as precisely as possible, and we present the results in a format that is more logical and makes known policy issues easier to remediate. Aggregating this data lets us produce highly accurate vulnerability reports with far fewer false positives, so developers spend less time triaging noise. Our goal is to help developers move quickly, with more accurate information, and remediate known vulnerabilities faster.

npm Automated Pull Requests for GitHub

We’re also employing automation where we can to speed up your processes. Nexus users now have the ability to automatically update npm packages and their dependencies when a policy violation is discovered. Sonatype’s Nexus Lifecycle evaluates known vulnerabilities, package licenses, and other architectural attributes, and immediately creates a pull request in GitHub when there is a newer or better version available based on an organization’s policy.

This addition underscores our company’s goal of shifting security left, putting more tools in the hands of developers to save time and simplify their experience. Developers are able to push quality control of their application development to a source control platform, where they work every day and can easily collaborate via code reviews, commits, and pull requests.

Using this type of early feedback and automation, we reduce rework and keep development teams focused on contributing business value rather than managing application component risk.

AuditJS, a Free Developer Tool to Scan JavaScript Projects for Vulnerabilities

And don’t worry, we haven’t forgotten about the larger OSS community. Sonatype’s free AuditJS lets anyone scan a JavaScript project with a couple of commands. There is no CLI to configure and no JVM to download: it is a native JavaScript tool, installed with npm, that helps any JS developer find and remediate vulnerable components.

For free users, AuditJS queries OSS Index, a free database of open source components and their known, publicly disclosed vulnerabilities. For existing Sonatype customers, AuditJS integrates directly with Nexus Lifecycle, using the highly curated Nexus Intelligence data to immediately identify policy violations as defined by your organization.
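As an added worked example that is not code from this post or from AuditJS itself, here is the identification step described earlier (resolving the exact installed versions from the lockfile rather than the version ranges in the manifest) followed by the OSS Index lookup this section describes, in plain Node.js. The endpoint URL, the 128-coordinate batch limit and the response shape are assumptions based on the public OSS Index v3 API; the two lockfiles and the vulnerability report below are constructed sample data, not real findings.

```javascript
// Added illustration (not AuditJS's own code): identify npm components from the
// lockfile, express them as Package URLs, and query Sonatype OSS Index for known
// vulnerabilities, batch by batch. Assumptions are marked; the sample lockfiles
// and sample report are constructed for this example, not real OSS Index data.

// Assumption: OSS Index v3 component-report endpoint and its batch limit.
const OSS_INDEX_URL = 'https://ossindex.sonatype.org/api/v3/component-report';
const MAX_COORDINATES_PER_REQUEST = 128;

// Package URL for an npm component. A scoped package keeps its leading '@'
// percent-encoded in the namespace, per the purl spec: pkg:npm/%40babel/core@7.8.4
function npmPurl(name, version) {
  if (name.startsWith('@')) {
    const [scope, pkg] = name.split('/');
    return `pkg:npm/%40${scope.slice(1)}/${pkg}@${version}`;
  }
  return `pkg:npm/${name}@${version}`;
}

// Identify installed components from the lockfile, not from the ranges in
// package.json, so the exact resolved version is what gets checked.
// Lockfile v1 nests entries under "dependencies"; v2/v3 flatten them into
// "packages" keyed by node_modules path.
function lockfileToPurls(lock, { includeDev = false } = {}) {
  const purls = new Set();
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '' || !entry.version) continue; // root project entry
      if (entry.dev && !includeDev) continue;
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      purls.add(npmPurl(name, entry.version));
    }
  } else if (lock.dependencies) {
    const walk = (deps) => {
      for (const [name, entry] of Object.entries(deps)) {
        if (entry.dev && !includeDev) continue;
        purls.add(npmPurl(name, entry.version));
        if (entry.dependencies) walk(entry.dependencies); // nested tree
      }
    };
    walk(lock.dependencies);
  }
  return [...purls].sort();
}

function batches(items, size) {
  const out = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// Live lookup (needs network and Node 18+ for global fetch). Optional auth is an
// OSS Index account {user, token} sent as HTTP Basic for a higher rate limit.
async function fetchReports(purls, auth) {
  const headers = { 'Content-Type': 'application/json' };
  if (auth) headers.Authorization = 'Basic ' + Buffer.from(`${auth.user}:${auth.token}`).toString('base64');
  const reports = [];
  for (const chunk of batches(purls, MAX_COORDINATES_PER_REQUEST)) {
    const res = await fetch(OSS_INDEX_URL, { method: 'POST', headers, body: JSON.stringify({ coordinates: chunk }) });
    if (!res.ok) throw new Error(`OSS Index returned HTTP ${res.status}`);
    reports.push(...(await res.json()));
  }
  return reports;
}

// Reduce component reports (assumed shape: {coordinates, vulnerabilities: [{id, cve?, title, cvssScore}]})
// to one finding per vulnerable component, keeping vulnerabilities at or above a CVSS floor.
function summarize(reports, minCvss = 0) {
  const findings = [];
  for (const r of reports) {
    const vulns = (r.vulnerabilities || []).filter((v) => (v.cvssScore ?? 0) >= minCvss);
    if (vulns.length === 0) continue;
    findings.push({
      coordinates: r.coordinates,
      worstCvss: Math.max(...vulns.map((v) => v.cvssScore ?? 0)),
      ids: vulns.map((v) => v.cve || v.id),
    });
  }
  return findings.sort((a, b) => b.worstCvss - a.worstCvss);
}

// Constructed sample data: the same dependency tree in both lockfile formats.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.11' },
    '@babel/core': { version: '7.8.4', dependencies: { 'source-map': { version: '0.5.7' } } },
    jest: { version: '25.1.0', dev: true },
  },
};
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.11' },
    'node_modules/@babel/core': { version: '7.8.4' },
    'node_modules/@babel/core/node_modules/source-map': { version: '0.5.7' },
    'node_modules/jest': { version: '25.1.0', dev: true },
  },
};
// Constructed report in the assumed OSS Index shape; IDs and scores are placeholders.
const SAMPLE_REPORTS = [
  { coordinates: 'pkg:npm/%40babel/core@7.8.4', vulnerabilities: [] },
  { coordinates: 'pkg:npm/lodash@4.17.11', vulnerabilities: [
    { id: 'example-0001', title: 'constructed high-severity issue', cvssScore: 9.8 },
    { id: 'example-0002', title: 'constructed medium-severity issue', cvssScore: 5.3 },
  ] },
  { coordinates: 'pkg:npm/source-map@0.5.7', vulnerabilities: [
    { id: 'example-0003', title: 'constructed low-severity issue', cvssScore: 4.0 },
  ] },
];

// Offline walk-through over the constructed data (no network): production
// components from the lockfile, and findings at CVSS 7 or above.
function demo() {
  return { purls: lockfileToPurls(SAMPLE_LOCK_V2), findings: summarize(SAMPLE_REPORTS, 7) };
}
```

To run it against a real project, read `package-lock.json` with `fs.readFileSync`, pass the parsed object to `lockfileToPurls`, and feed the result to `fetchReports` before `summarize`; the dev-dependency and CVSS-floor switches are where a team's own policy (the "noise" the post talks about) gets encoded.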

Watch the video demo below to see how to use the new npm automated pull requests and see AuditJS in action.