Sonatype Latest Press Releases & News | Sonatype

Nexus Intelligence Shines a Light on Hidden JS Vulnerabilities | Sonatype

Written by Brian Fox | August 29, 2018

Solution Identifies Previously Unknown JavaScript Vulnerabilities Across Multiple Ecosystems, and Further Protects Nexus Customers

Fulton, MD – August 29, 2018 -- Today, Sonatype, the leader in automated open source governance, announced that it has deployed an updated version of Nexus Intelligence with enhanced JavaScript intelligence capabilities. Using patented Advanced Binary Fingerprinting (ABF) technology to identify JavaScript vulnerabilities lurking inside of multiple open source ecosystems, Nexus is the world’s first open source governance solution capable of uncovering malicious pieces of JavaScript code, which no other technology can identify.

The use, and availability, of JavaScript components continues to grow exponentially. According to npm in August 2018, JavaScript package downloads reached 6 billion per week from its repository. Further, developers are regularly adding JavaScript components within other ecosystems like Java, PyPI, and Ruby. Using ABF, Sonatype has mapped more than 260 million JavaScript files into a single database, that identifies not only vulnerabilities across JavaScript repositories like npm, but more importantly, across all ecosystems

“Due to the unstructured nature of the JavaScript ecosystem, alternative technologies are simply incapable of identifying “hidden” JavaScript components,” said Brian Fox, CTO and Cofounder of Sonatype. “Without Nexus, organizations are unable to discern when manually embedded or modified JavaScript has been added, leaving companies with a false sense of protection, and increasingly vulnerable to attacks, and unwanted litigation from licensing issues.”

Further, this latest version of the Nexus Platform includes a streamlined experience making it easier for developers to analyze, and remediate, JavaScript vulnerabilities.

Additional Resources:

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source.  Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline.  Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Hummer Winblad Venture Partners, and Goldman Sachs. Learn more at www.sonatype.com.