Sonatype will enable the update in early 2020. In order to receive the updated results, you must be on IQ Server version 76 or newer. If you have not upgraded to the latest scanner, your components will continue to be matched as they are today.
How does this change benefit my organization?
What is the impact of these improvements on my organization?
- Enhanced scanning and matching approach that includes package.json files alongside the file scan to identify more exact known versions and names of a component.
- A combination of several matching approaches, including file hash-based matching, with the addition of using package.json metadata as a strong hint of what to match to. This is an advantage over simpler solutions, since you still get the benefits of features like our fine-grained, file-level vulnerability data.
- Updated copy-modules-webpack-plugin.
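To make the matching approach above concrete, here is an added illustrative example (not Sonatype's code, and not how IQ Server is implemented) that identifies each installed npm package from its package.json name and version, and falls back to a file-hash lookup only when that metadata is missing. The sample node_modules tree and the hash lookup table are constructed inside the script so it runs offline.

```python
"""Illustrative inventory of installed npm packages: prefer package.json
metadata, fall back to file-hash matching. Added example, not Sonatype code."""
import hashlib
import json
import os
import tempfile


def sha1_file(path):
    """Return the hex SHA-1 of a file, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def identify(pkg_dir, known_hashes):
    """Return (name, version, method) for one installed package directory.

    known_hashes is an assumed lookup table: sha1 hex -> (name, version)."""
    manifest = os.path.join(pkg_dir, "package.json")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as f:
            meta = json.load(f)
        name, version = meta.get("name"), meta.get("version")
        if name and version:
            # Strong hint: the package declares its own coordinates.
            return name, version, "package.json"
    # Fallback: hash every file and see whether any is already known.
    for dirpath, _, files in os.walk(pkg_dir):
        for fn in sorted(files):
            hit = known_hashes.get(sha1_file(os.path.join(dirpath, fn)))
            if hit:
                return hit[0], hit[1], "file-hash"
    return os.path.basename(pkg_dir), None, "unidentified"


def inventory(node_modules, known_hashes):
    """Map each top-level directory in node_modules to its identification."""
    results = {}
    for entry in sorted(os.listdir(node_modules)):
        pkg_dir = os.path.join(node_modules, entry)
        if os.path.isdir(pkg_dir):
            results[entry] = identify(pkg_dir, known_hashes)
    return results


def build_sample():
    """Construct a throwaway node_modules tree (constructed test data):
    one package with a complete package.json, one whose package.json was
    stripped but whose file is in the hash table, and one unknown package."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    complete = os.path.join(nm, "sample-pkg")
    os.makedirs(complete)
    with open(os.path.join(complete, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "sample-pkg", "version": "1.0.0"}, f)
    with open(os.path.join(complete, "index.js"), "w", encoding="utf-8") as f:
        f.write("module.exports = function pad(s) { return s; };\n")

    stripped = os.path.join(nm, "stripped")
    os.makedirs(stripped)
    stripped_src = "module.exports = 42;\n"
    with open(os.path.join(stripped, "index.js"), "w", encoding="utf-8") as f:
        f.write(stripped_src)

    unknown = os.path.join(nm, "unknown")
    os.makedirs(unknown)
    with open(os.path.join(unknown, "blob.js"), "w", encoding="utf-8") as f:
        f.write("// nothing anyone has catalogued\n")

    # Constructed hash table: only the stripped package's file is known.
    known = {hashlib.sha1(stripped_src.encode()).hexdigest(): ("example-lib", "0.1.0")}
    return nm, known


if __name__ == "__main__":
    nm, known = build_sample()
    for entry, (name, version, method) in inventory(nm, known).items():
        print(f"{entry:12s} -> {name} {version} (via {method})")
```

Running it shows why the announcement asks you to keep package.json files in the scan: the complete package is identified exactly from its metadata, the stripped one is recovered only because a file hash happened to be catalogued, and the third stays unidentified.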
What are the proactive measures to help prepare for the update?
Since all application scans occurring on or after Monday, January 6th, 2020 will receive the new results, here are a few recommendations on how best to prepare:
Ensure you have the IQ Server bundle for release 76 or newer and the most recent versions of the plugin available.
Be sure to include the package.json files of all npm-installed dependencies when configuring your insight scanner client.
Ensure you use newer versions of scanner clients:
Sonatype CLM for Maven plugin: 2.15.0-01
Read our full technical documentation here.
How has remediating policy violations and applying waivers changed?
If waivers were formerly applied to your results, they will have to be re-applied: the component hash is now different, so IQ Server identifies a “new” (npm) component that the existing waiver no longer matches.
Where can I ask additional questions?
You can reply directly to this post. If you are not already registered to the Sonatype User Community, you will be prompted to create an account. This will empower you to create and reply to other threads initiated by both the Sonatype team and your community peers. Notifications can be easily configured to ensure you are aware of updates for a specific thread and/or important announcements within the Community.