News

Sonatype Updates Lifecycle Tools with Intelligent JavaScript

• By John K. Waters
• March 5, 2020

Sonatype this week announced the availability of an enhanced suite of JavaScript intelligence capabilities designed to provide developers with improved accuracy, increased policy control and faster remediation of open source vulnerabilities across the software development lifecycle (SDLC).

The new capabilities are enabled by a new, proprietary JavaScript scanning algorithm that involves both manifest scanning and file scanning. By taking the aggregate of this data, it can produce extremely accurate vulnerability reports with higher fidelity, the company said. These highly accurate reports can be easily understood and acted upon by developers, reducing friction, improving security hygiene and accelerating innovation.

The use and availability of open source components continues to grow exponentially across the world's 11 million active JavaScript developers (according to the TIOBE Index). According to npm (the company that hosts and maintains Node.js, the npm Registry and the command line client that allows devs to install and publish those packages), there are more than 1.2 million open source JavaScript packages with over 17 billion downloads per week from its repository. According to Sonatype's 2019 State of the Software Supply Chain report, 51 percent of JavaScript packages downloaded had a known vulnerability. 

"The exponential growth in use of npm packages shows no signs of slowing and our aim is to ensure JavaScript developers have access to the highest quality components to build with," said Brian Fox, CTO of Sonatype, in a statement. "With our new algorithm and revolutionary developer experiences delivered through free and premium tools, we're simplifying the entire process. It's now easier than ever for JavaScript developers to accurately identify and fix known vulnerabilities." 

Sonatype bills itself as "the company that scales DevOps through open source governance and software supply chain automation." It is best-known for its Nexus repository manager, which is designed to allow users to proxy, collect and manage dependencies, rather than "juggling a collection of JARs," making it easier to distribute their software. The Nexus platform enables DevOps teams and developers to integrate security automatically at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance.

With this latest capability enhancement, Sonatype customers now have the ability to automatically update npm packages and their dependencies within an application when a policy violation is discovered. Sonatype's Nexus Lifecycle evaluates known vulnerabilities, package licenses and other architectural attributes, and immediately creates a pull request in GitHub when there is a newer or better version available in the public repository.

For developers who are just getting started with open source vulnerability scanning, Sonatype offers a free tool to non-Sonatype customers called AuditJS, which allows users to scan a JavaScript project with a few lines of code. Designed as a native JavaScript tool, it is specifically calibrated for ease of use, the company says. It can be installed with npm, and it will help any developer to "further shift security left." The tool also integrates into Nexus Lifecycle and can be used in tandem with the Lifecycle CLI scanner.