Announcing Snyk-Powered Linting in Sonar

Tim Kadlec's avatar Tim Kadlec

We’re proud to announce that Snyk now powers the vulnerable JavaScript libraries linter in Sonar—an open-source linting tool for developers lead by a bunch of folks from Microsoft.

Earlier this year we ran a test on the top 5,000 URL’s on the web and found that 76.6% of them were running a JavaScript library with at least one known security vulnerability. It’s a frighteningly large number. Known vulnerabilities provide an easy attack vector—they’re well-documented and easy to discover at a mass scale. Keeping sites free of known vulnerabilities is critical to improving the overall state of security online.

That’s why we’re excited that some of the best auditing tools for developers have chosen to highlight this problem and, powered by Snyk’s vulnerability database, report on vulnerable libraries to all developers who use them! Embedding into these tools is key to raising developer awareness and making it seamless for developers to notice and understand the risk these vulnerabilities present.

Snyk and Sonar

Sonar started out as an internal project from inside the Microsoft Edge team, but they quickly realized they wanted it to be an open-source, community-driven project backed by the JS Foundation. Sonar lints your site against a number of different best practices and custom rules and gives you a report with the results so you know exactly what you need to improve.

Sonar provides many linting rules, including a Snyk-powered vulnerable JS libraries rule

One of the default audits is to check for the presence of JavaScript libraries with known vulnerabilities. For this, Sonar sees what libraries it can detect, and what versions are being used. Then it looks at Snyk’s client-side JavaScript vulnerabilities to see what vulnerabilities might be lurking about. Finally, it outputs the results in your report with links to the issues on Snyk so that you can dig into remediation steps.

Sonar started off as a command-line tool using the sonar npm module, but they’ve just launched their brand new online site scanner as well, to make it even easier to get quick information about the overall health of your site or application.

Security and Developers, Together

Sonar is a fantastic resource for developers, and we’re very excited to help out. Having a default linting rule in place to look for vulnerable front-end JavaScript libraries provides much more visibility into potential security issues, making it easier for developers to address them. With the results in hand, you can quickly jump over to Snyk to find out remediation steps and even fix the issues with an automated pull-request.

You’ll still have to monitor your back-end code for similar vulnerabilities, but exposing front-end vulnerabilities in the tools developers already use and love is a key step to making it as seamless as possible for developers to discover and prevent known vulnerabilites from impacting their site, and their users. We’ll be sheddin “light” on another way Snyk is going to make it easier for developers to discover vulnerable front-end JavaScript libraries tomorrow.

MIT, Apache 2 or BSD license: Who is the fairest of them all?

November 01, 2017

In this post we review and compare the Apache, BSD and MIT license to see what to use in your own project, and when.

Python 2 vs 3: Security Differences

October 10, 2017

Python 3 and Python 2 have various functional differences. On their own, they’re not necessarily better or worse (though arguably Python 3 should be an improvement), but any change may introduce risk. This post highlights and explains a few differences between the versions that have security implications.

Subscribe to The Secure Developer Podcast

A podcast about security for developers, covering tools and best practices.

Find out more

Interested in web security?

Subscribe to our newsletter:

Get realtime updates and fixes for JavaScript, Ruby and Java vulnerabilities that affect your applications