Impact of Improved JavaScript Reporting

For IQ Server release 50 and above we have made improvements to our JavaScript reporting; their impact is discussed here.

Existing Component Policy Waivers/Labels and Security Vulnerability Overrides

Existing configurations of:

  - Component-specific Policy Waivers
  - Component Labels
  - Security Vulnerability Overrides

applied to individual JavaScript files will not be carried over to aggregated JavaScript components and will need to be reapplied. This holds even for an aggregated JavaScript component that consists of only one JavaScript file.

This improvement allows remediation efforts to be applied to an entire JavaScript component associated with multiple JavaScript files, rather than to one JavaScript file at a time.

Reduced Overlapping Matches

The same JavaScript file can be matched to several different ecosystems. For example, a JavaScript file from the package jquery version 3.0.0 can be associated with multiple components of different formats. In addition to aggregating JavaScript files, such overlapping matches will also be removed.

Policy Violations, Security Issues, and License Threats

Due to these changes you may observe a different number of Policy Violations, Security Issues, and License Threats, for the following reasons:

  1. Existing Component-specific Policy Waivers and Security Vulnerability Overrides need to be reapplied; until this is done, the number of Policy Violations and Security Vulnerabilities may increase.
  2. Existing Component Labels, which may be tied to specific Policies, also need to be reapplied; until this is done, the number of Policy Violations may also change.
  3. The aggregation of JavaScript files and the removal of overlapping matches may decrease the overall number of JavaScript components (the noise), resulting in a decreased number of Policy Violations, Security Issues, and License Threats.

Additionally, if there are differences, then the corresponding Summary statistics will also differ.

Because the Policy Violations may differ, one consequence to keep in mind is that you may see an increased number of unsuccessful builds. You may therefore want to disable the Fail action on Policies for the Build stage until you have reapplied your component Policy Waivers/Labels and Security Vulnerability Overrides. Additionally, you may want to enable Notifications on your Policies so that Policy Violations that have appeared due to these changes are easier to spot.

Example Application Report Before and After

For this example we look at the JavaScript package hawk version 4.0.0.

Policy Violations

Before these changes, each uniquely identified JavaScript file is represented by its own row in the Policy Violations table.

After these changes, a single row can represent many of these files.

Here all of the JavaScript files have been aggregated to the same JavaScript component and are listed on the Occurrences tab within the Component Information Panel.

Security Issues

An aggregate JavaScript component will retain all unique Security Vulnerabilities belonging to its aggregated JavaScript files.

In this example, two JavaScript files share the same Security Vulnerability, so before these changes that vulnerability is listed once per file.

After these changes both files are aggregated into the same JavaScript component, so the Security Vulnerability is displayed only once for that component.
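The effect on the counts described above (aggregation of a package's files into one component, removal of overlapping ecosystem matches, and de-duplication of a vulnerability shared by several files) can be seen in a small model. This is an added illustration, not IQ Server's own matching code: the file names, vulnerability identifiers and the npm-before-bower tie-break for overlapping matches are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMatch:
    filename: str
    package: str
    version: str
    fmt: str              # ecosystem the file was matched to (e.g. "npm")
    vulns: frozenset      # vulnerability identifiers found for this match


# Constructed sample: hawk 4.0.0 split across three files (two of them sharing a
# vulnerability), plus jquery 3.0.0 matched to two ecosystems (an overlapping match).
SAMPLE_MATCHES = [
    FileMatch("hawk/lib/client.js", "hawk", "4.0.0", "npm", frozenset({"VULN-A"})),
    FileMatch("hawk/lib/server.js", "hawk", "4.0.0", "npm", frozenset({"VULN-A"})),
    FileMatch("hawk/lib/utils.js", "hawk", "4.0.0", "npm", frozenset({"VULN-B"})),
    FileMatch("jquery.min.js", "jquery", "3.0.0", "npm", frozenset({"VULN-C"})),
    FileMatch("jquery.min.js", "jquery", "3.0.0", "bower", frozenset({"VULN-C"})),
]

# Assumed tie-break when one file matches several ecosystems; the real ordering is
# not documented on this page.
FORMAT_RANK = {"npm": 0, "bower": 1}


def old_report(matches):
    """Pre-release-50 view: one row per file match, vulnerabilities counted per row."""
    return len(matches), sum(len(m.vulns) for m in matches)


def remove_overlaps(matches):
    """Keep a single match per file, preferring the highest-ranked ecosystem."""
    best = {}
    for m in matches:
        cur = best.get(m.filename)
        if cur is None or FORMAT_RANK.get(m.fmt, 99) < FORMAT_RANK.get(cur.fmt, 99):
            best[m.filename] = m
    return list(best.values())


def aggregate(matches):
    """Group surviving matches into components keyed by (package, version, format).
    'files' corresponds to the Occurrences tab; 'vulns' is the union of unique issues."""
    comps = defaultdict(lambda: {"files": set(), "vulns": set()})
    for m in remove_overlaps(matches):
        comp = comps[(m.package, m.version, m.fmt)]
        comp["files"].add(m.filename)
        comp["vulns"] |= m.vulns
    return dict(comps)


def new_report(matches):
    """Post-release-50 view: one row per aggregated component, unique vulnerabilities only."""
    comps = aggregate(matches)
    return len(comps), sum(len(c["vulns"]) for c in comps.values())
```

With the constructed sample, the old view yields 5 rows and 5 security issues, while the new view yields 2 component rows and 3 unique security issues, with all three hawk files listed as occurrences of one component.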

License Analysis

In this example, the number of unique components remains the same, so the number of rows on the License Analysis tab is unaltered.

Filename

After these changes a JavaScript component may be associated with multiple JavaScript files, so the Filename column is now obsolete and has been omitted from the Application Report.