JavaScript Data Enhancements


#1

Summary

Sonatype is pleased to announce significant improvements to our JavaScript support including: increased coverage, enhanced identification, and precision of results.

We plan to enable the update on June 25th, 2018. We first wanted to inform you of the pending changes as they will impact current JavaScript report results. Once available, application scans will automatically pull the enhanced data.

How does this change benefit my organization?

Users will have access to JavaScript results that include a 40% increase in coverage, enhanced identification, and improved accuracy.

What is the impact of these improvements to my organization?

You will see enhancements in existing reports containing JavaScript findings. These are a result of:

  • A previously unknown JavaScript file is now identified. This new identification could contain metadata (e.g. a security vulnerability) that violates a policy. Since this file was previously unknown, there would have been no policy violation prior to the update.

  • A previously misidentified JavaScript file is now accurately identified. Changes in metadata (e.g. a security vulnerability, license type, etc.) could result in an increase or decrease in policy violations.

IMPORTANT NOTE: When new policy violations are triggered, any enforcement actions (warn/fail) configured to that policy will also be triggered. For example, if a “Fail” action is configured for the Build Stage, developer builds will fail.

What are the proactive measures to help prepare for the update?

Since all application scans occurring on or after June 25th, 2018 will receive the new results, here are a few recommendations on how best to prepare:

  • Communicate these JavaScript improvements to your developers.

  • Consider disabling enforcement actions across your policies to provide each team sufficient time to assess the new findings prior to failing a development stage.

  • Since this update includes both expanded coverage of new data and enhanced accuracy of existing data, it will be difficult to compare the new report to an old one. For a list of the new policy violations, resulting from the update, simply configure policy notifications. Since notifications only include new violations, this approach will ensure the recipient will receive a notification that lists each of the new policy violations for a given application resulting from the update.

  • Export a snapshot of the Dashboard View Application Tab to provide high level comparison following the update. To increase the filter to include more than 100 applications in the export, refer to this KB Article.

  • For background on how Sonatype tackles the complexities of the JavaScript ecosystem, check out our Mapping the JavaScript Genome for DevOps blog post. This will provide context for the results displayed in the Application Report.

Can I reevaluate all applications at once?

In the case where applications are built infrequently, resulting in a time gap between scans, it may be beneficial to initiate a “Reevaluate” of applications from the administrative port.

This will first require that Continuous Monitoring be configured for all applications in scope.

You can then trigger continuous monitoring to run immediately by issuing the following request to the IQ Server's administrative port (default is 8071):

$ curl -X POST http://localhost:8071/tasks/triggerPolicyMonitor

The following response will indicate it is complete: Completed manual Policy Monitor execution

You will need access to the administrative port used for IT debugging and operations, not the usual IQ Server administrator role.

IMPORTANT NOTE: The IQ Server may experience a temporary performance impact in cases where Reevaluate is triggered across a large number of applications. We advise planning this for a period of downtime or decreased developer activity.

How often does Sonatype provide these data updates?

Utilizing a combination of automated and in-depth manual research, Sonatype Data Research provides continuous updates made immediately available to all IQ Server instances through Sonatype Data Services.

Given the complexities, when necessary, Sonatype will provide significant updates outside of the aforementioned continuous process. In these exceptional cases, we take care to inform you by providing an explanation of the update, sufficient lead time to communicate across your organization, and proactive guidance on how best to prepare.

JavaScript data updates will continue. You can read more about our Data Research to better understand the processes and technology that enable the continuous updates.

What other JavaScript enhancements are planned?

In May, we announced upcoming improvements to the display of JavaScript results in the Application Report. You can read more about those improvements here. Stay tuned for more information!

Where can I ask additional questions?

You can reply directly to this post. If you are not already registered to the Sonatype User Community, you will be prompted to create an account. This will empower you to create and reply to other threads initiated by both the Sonatype team and your community peers. Notifications can be easily configured to ensure you are aware of updates for a specific thread and/or important announcements within the Community.
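The following is an added example, not Sonatype's code and not part of the announcement above. It covers two of the recommendations in the post: triggering the policy monitor on the administrative port (the curl request shown above, here issued from Python) and comparing a Dashboard snapshot exported before the update with one exported after it, so that applications which gained violations (and could therefore hit a “Fail” action) are listed. The column names `Application`, `Critical`, `Severe`, `Moderate` and the two CSV snapshots are constructed for the example and are an assumption about the export format; adjust them to match the columns in your own export.

```python
"""Added example: trigger the IQ Server policy monitor and diff two
Dashboard snapshot exports taken before and after a data update.
Not Sonatype's code; column names below are assumed, not documented."""
import csv
import io
import urllib.request

# Completion message quoted in the announcement for the manual trigger.
COMPLETION_MESSAGE = "Completed manual Policy Monitor execution"
# Assumed severity columns in the Dashboard export (constructed for this example).
SEVERITY_COLUMNS = ("Critical", "Severe", "Moderate")


def trigger_policy_monitor(host="localhost", port=8071, timeout=600):
    """POST /tasks/triggerPolicyMonitor on the administrative port (default
    8071) and return True only when the server reports the completion message.
    The request blocks until the run finishes, so allow a generous timeout."""
    url = f"http://{host}:{port}/tasks/triggerPolicyMonitor"
    req = urllib.request.Request(url, data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return COMPLETION_MESSAGE in body


def load_snapshot(text):
    """Parse an exported snapshot into {application: {severity: count}}.
    Missing or blank severity cells are treated as zero."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[row["Application"]] = {
            col: int(row.get(col) or 0) for col in SEVERITY_COLUMNS
        }
    return rows


def diff_snapshots(before_text, after_text):
    """Return {application: {severity: after - before}} for every application
    whose counts changed, or that appears in only one of the two snapshots."""
    before = load_snapshot(before_text)
    after = load_snapshot(after_text)
    zero = dict.fromkeys(SEVERITY_COLUMNS, 0)
    deltas = {}
    for app in sorted(set(before) | set(after)):
        b = before.get(app, zero)
        a = after.get(app, zero)
        delta = {col: a[col] - b[col] for col in SEVERITY_COLUMNS}
        if any(delta.values()) or (app in before) != (app in after):
            deltas[app] = delta
    return deltas


def apps_needing_triage(deltas):
    """Applications that gained violations in any severity: these are the
    ones where a Warn/Fail enforcement action may newly trigger."""
    return sorted(app for app, d in deltas.items() if any(v > 0 for v in d.values()))


# Constructed sample exports (not real data): one taken before the update,
# one after. billing-api is unchanged and should not be reported.
BEFORE_SNAPSHOT = """Application,Critical,Severe,Moderate
web-frontend,2,5,9
billing-api,0,1,3
legacy-portal,1,0,0
"""
AFTER_SNAPSHOT = """Application,Critical,Severe,Moderate
web-frontend,4,5,8
billing-api,0,1,3
legacy-portal,0,0,0
"""


if __name__ == "__main__":
    changes = diff_snapshots(BEFORE_SNAPSHOT, AFTER_SNAPSHOT)
    for app, delta in changes.items():
        print(app, delta)
    print("needs triage:", apps_needing_triage(changes))
```

Run `trigger_policy_monitor()` from a host that can reach the administrative port, during a quiet period as the announcement advises; then export the Dashboard again and feed both exports to `diff_snapshots()`. Applications reported by `apps_needing_triage()` are the ones to review before re-enabling Fail actions.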
