[COMING FEBRUARY 27] Making JavaScript Awesome - Reporting Enhancements within IQ Server

Summary

In July, we asked for your feedback on your experience with JavaScript and reporting within IQ. Based on that feedback, Sonatype is pleased to announce significant enhancements to our JavaScript support that will increase the precision of reporting for JavaScript policy violations and vulnerabilities within Nexus Lifecycle. New component matches will come from NPM and will complement our current method of JavaScript matching, incorporating more data to increase the accuracy of results so you can take more decisive actions.

Sonatype will enable the update on Thursday, February 27, 2020. In order to receive the updated results, you must be on IQ Server release 76 or later. If you have not upgraded to the latest scanner, your reports will continue to show components as they are currently matched.

We first wanted to inform you of the pending changes as they will impact current JavaScript report results. While there will be no changes to the UI or general look and feel of the reports, you can expect to see more refined JavaScript results.

How does this change benefit my organization?

Users will experience improved accuracy of JavaScript components and versions listed in their reports, as well as improved clarity of a build and what is included. Improved accuracy can also allow for faster remediation due to increased clarity on violations and remediation recommendations for embedded dependencies.

What is the impact of these improvements on my organization?

You will see enhancements in existing reports containing JavaScript findings. These are a result of:

  • An enhanced scanning and matching approach that includes package.json files alongside the file scan, so that the exact known name and version of a component can be identified more often.
  • A combination of several matching approaches, including file hash-based matching, with package.json metadata used as a strong hint of what to match to. This is an advantage over simpler solutions because you still get the benefits of features like our fine-grained, file-level vulnerability data.
  • An updated copy-modules-webpack-plugin.

IMPORTANT NOTE: These enhanced results will be prioritized over our current matching method. However, any unidentified JavaScript files found within an application, or an application in which no package.json files are included, will fall back on our current method of matching.

What are the proactive measures to help prepare for the update?

Since all application scans occurring on or after Thursday, February 27th, 2020 will receive the new results, here are a few recommendations on how best to prepare:

  • Ensure you have the IQ Server bundle for release 76 or newer and the most recent versions of the plugin available.

  • Communicate these JavaScript improvements to your developers.

  • The Sonatype team recommends you use the copy-modules-webpack-plugin for projects using Webpack. This lets you isolate the JavaScript files that are being included in your application bundle. (When using this plugin, be sure to enable the new includePackageJsons configuration option.)

  • Be sure to include the package.json files of all npm-installed dependencies when configuring your insight scanner client.

  • Ensure you use newer versions of scanner clients:

      • Sonatype CLM for Maven plugin: 2.15.0-01

  • Read our full guide on scanning JavaScript in IQ Server, here.
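Because files without an accompanying package.json fall back to hash-only matching, it is worth checking the scan target before February 27. The following pre-scan check is an added example written for this post, not Sonatype code: it takes the list of files that will be handed to the scanner (a constructed sample is embedded) and reports which npm package directories contribute JavaScript files but are missing their package.json. The layout rules it assumes (`node_modules/<name>` and `node_modules/@scope/<name>`) are standard npm conventions, not an IQ Server API.

```javascript
// Added example (not Sonatype's code): flag npm packages in a scan target whose
// package.json was left out, since those files would only get hash-based matching.

// Return the npm package directory containing `file`, e.g. "node_modules/lodash"
// or "node_modules/@babel/runtime", or null if the file is not under node_modules.
function packageDirOf(file) {
  const parts = file.split('/');
  const i = parts.lastIndexOf('node_modules'); // innermost node_modules wins
  if (i < 0 || i + 1 >= parts.length) return null;
  const scoped = parts[i + 1].startsWith('@');
  const end = i + (scoped ? 3 : 2);
  if (end > parts.length - 1) return null; // not a file inside a package dir
  return parts.slice(0, end).join('/');
}

// Group JavaScript files by package directory and split them into packages that
// ship package.json (name/version hint available) and packages that do not.
function checkScanTarget(files) {
  const present = new Set(files);
  const jsByPkg = new Map();
  const appFiles = []; // JS outside node_modules (e.g. your own bundle)
  for (const f of files) {
    if (!f.endsWith('.js')) continue;
    const dir = packageDirOf(f);
    if (dir === null) { appFiles.push(f); continue; }
    if (!jsByPkg.has(dir)) jsByPkg.set(dir, []);
    jsByPkg.get(dir).push(f);
  }
  const withMetadata = [];
  const hashOnly = [];
  for (const [dir, js] of jsByPkg) {
    (present.has(dir + '/package.json') ? withMetadata : hashOnly).push({ dir, js });
  }
  return { withMetadata, hashOnly, appFiles };
}

// Constructed sample scan target: minimist's package.json was not included.
const SAMPLE_FILES = [
  'dist/main.js',
  'node_modules/lodash/package.json',
  'node_modules/lodash/lodash.js',
  'node_modules/@babel/runtime/package.json',
  'node_modules/@babel/runtime/helpers/extends.js',
  'node_modules/minimist/index.js',
];

const report = checkScanTarget(SAMPLE_FILES);
for (const p of report.hashOnly) {
  console.log(`WARNING: ${p.dir} has no package.json in the scan target; ${p.js.length} file(s) will be hash-matched only`);
}
```

Run it with `node` against a real file list (for example, the output of `find` over the directory you pass to the scanner) to confirm every dependency will be matched with its npm metadata.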

How has remediating policy violations and applying waivers changed?

If waivers were formerly applied to your results, they will have to be re-applied: the hash is now different, so the match identifies a “new” (NPM) component, and the existing waiver no longer covers it.

Remediating risk found in your JavaScript applications follows the same path as any other violations found with an IQ Server scan. For further help with remediation, please see our Getting Started with IQ Server Remediation guide and video series.

Where can I ask additional questions?

You can reply directly to this post. If you are not already registered to the Sonatype User Community, you will be prompted to create an account. This will empower you to create and reply to other threads initiated by both the Sonatype team and your community peers. Notifications can be easily configured to ensure you are aware of updates for a specific thread and/or important announcements within the Community.

Additional Resources