
Sonatype Rolls Out Enhanced JavaScript Scanning, npm Automated Pull Requests & More Free JS Developer Tools

We’ve recently rolled out enhanced support for JavaScript that provides developers with improved accuracy, increased policy control, and faster remediation of open source vulnerabilities across the entire software development lifecycle.

Our enhancements for JavaScript give developers less noise when finding vulnerabilities, better automation, more ways to scan, and better recommendations on remediating violations.

The use and availability of open source JS components have exploded in recent years across the world, with over 11 million JavaScript developers now actively writing code. According to npm, the go-to JavaScript repository, there are more than 1.2 million open source JavaScript packages, with over 17 billion downloads per week. That’s a lot of downloads. But are they safe? Sonatype’s 2019 State of the Software Supply Report reported that 51% of JavaScript packages downloaded had a known vulnerability.

Enhanced Algorithm, Expanded Coverage and Noise Reduction Across the Nexus Platform

Sonatype’s new, proprietary JavaScript scanning algorithm involves both manifest scanning and file scanning. We now use multiple identification methods to ensure that we identify JS components as precisely as possible, and we display the results in a format that is more logical and makes any known policy issues easier to remediate. By taking the aggregate of this data, we are able to produce extremely accurate vulnerability reports, with a much higher fidelity that reduces the noise of false positives. Our goal is to help developers move quickly, with more accurate information, to remediate known vulnerabilities faster.

npm Automated Pull Requests for GitHub

We’re also employing automation where we can to speed up your processes. Nexus users now have the ability to automatically update npm packages and their dependencies when a policy violation is discovered. Sonatype’s Nexus Lifecycle evaluates known vulnerabilities, package licenses, and other architectural attributes, and immediately creates a pull request in GitHub when (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Kevin Miller. Read the original post at: https://blog.sonatype.com/sonatype-rolls-out-enhanced-javascript-scanning-npm-automated-pull-requests-more-free-developer-tools