
Microsoft's open source sonar tool helps developers find security flaws in their websites

Sonar aims to make web development easier by offering accessibility, performance, and security improvements, according to Microsoft.

On Wednesday, Microsoft announced a new, open source linting tool and site scanner that offers developers an easier way to search their sites for errors and security flaws. The tool, called sonar, is "the next evolution of the static scan tool," according to a blog post from Antón Molleda, senior program manager of Microsoft Edge.

Sonar represents an update to Microsoft's modern.IE scanner used to detect optimizations for old versions of Internet Explorer, outdated libraries, and missing prefixes.

Compared to previous scanners, sonar includes improvements such as execution of website code rather than static analysis, a more flexible, modern set of rules, parallel test execution, integration with other services, and a completely open source code base, Molleda wrote. Developers can also use sonar as a command line interface (CLI) tool that can be integrated directly into local web development workflows.

"Web development is more than HTML, JavaScript, and CSS: developers are expected to have a grasp of accessibility, performance, security, emerging standards, and more, all while refreshing this knowledge every few months as the web evolves," Molleda wrote.


Microsoft created a set of guiding principles for sonar before creating the tool, according to the post. These include putting the user at the center—sonar not only tells developers when it spots an error, it also tells them why.

"It is important to know the reason for an issue so developers can decide if that really applies to their work," Molleda wrote. "The requirements from website to website can change a lot—for example, an intranet website and an online shopping experience will have vastly different needs." With that being the case, Microsoft set out to make sonar easy to use, configure, and expand.

Beyond open sourcing the code, Microsoft donated the project to the JS Foundation over the summer to make it more accessible to all.

Microsoft intended for sonar to "avoid reinventing the wheel," Molleda wrote, instead tapping and integrating existing tools and services that help developers build for the web. With that being the case, sonar integrates with aXe Core, AMP validator, snyk.io, SSL Labs, and Cloudinary.

The tool could make a real difference for developers in terms of producing higher quality websites: A recent Northeastern University analysis of over 133,000 websites found that 37% had at least one JavaScript library with a known vulnerability. As ZDNet noted, Snyk also ran a scan of the top 5,000 URLs earlier this year, and found that more than 76% were running a JavaScript library with at least one vulnerability as well.
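To illustrate the kind of "outdated library" check a site scanner like the ones described above performs, here is a small example written for this article; it is not sonar's own code. It pulls `<script src>` URLs out of an HTML document, recognises library filenames that carry a version, and compares that version numerically against an advisory table. The advisory table (`ADVISORIES`), the library patterns and the sample page (`SAMPLE_HTML`) are constructed placeholder data, not real advisory information.

```javascript
// Added example, not code from the sonar project: a minimal "outdated library" check of the
// kind a site scanner runs. It pulls <script src> URLs out of an HTML document, recognises
// library filenames that carry a version, and compares that version against an advisory
// table. ADVISORIES and SAMPLE_HTML are constructed placeholder data for this example.

// Constructed advisory table: versions below `fixedIn` are reported (placeholder values).
const ADVISORIES = {
  jquery: { fixedIn: '3.0.0' },
  angular: { fixedIn: '1.6.0' },
};

// Filename/path patterns with a captured semver. The optional separator lets
// "jquery-1.12.4.min.js" and "angular/1.6.2/angular.js" match, while
// "jquery-ui-1.12.1.js" does not register as jQuery core (no digits follow the separator).
const LIB_PATTERNS = [
  { name: 'jquery', re: /jquery[-.]?(\d+\.\d+\.\d+)/i },
  { name: 'angular', re: /angular(?:js)?[-./]?(\d+\.\d+\.\d+)/i },
];

// Numeric semver comparison returning -1, 0 or 1. A plain string comparison would
// wrongly rank 1.9.9 above 1.10.0.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect external script URLs from the markup (single- or double-quoted src attributes).
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Identify a known library and its version from a script URL, or null if not recognised.
function identifyLibrary(src) {
  for (const { name, re } of LIB_PATTERNS) {
    const m = re.exec(src);
    if (m) return { library: name, version: m[1], src };
  }
  return null;
}

// Report every recognised library whose version is below the advisory's fixed version,
// with the reason attached so the reader can judge whether the finding applies to them.
function scanHtml(html) {
  const findings = [];
  for (const src of extractScriptSrcs(html)) {
    const lib = identifyLibrary(src);
    if (!lib) continue;
    const advisory = ADVISORIES[lib.library];
    if (advisory && compareSemver(lib.version, advisory.fixedIn) < 0) {
      findings.push({
        ...lib,
        fixedIn: advisory.fixedIn,
        reason: `${lib.library} ${lib.version} is below fixed version ${advisory.fixedIn}`,
      });
    }
  }
  return findings;
}

// Constructed sample page: one outdated jQuery, one up-to-date Angular, one jQuery UI
// (must not be confused with jQuery core), and a first-party script with no version.
const SAMPLE_HTML = `
<!doctype html>
<html><head>
  <script src="https://cdn.example.test/libs/jquery-1.12.4.min.js"></script>
  <script src='/vendor/angular/1.6.2/angular.min.js'></script>
  <script src="/vendor/jquery-ui-1.12.1.min.js"></script>
  <script src="/app.js"></script>
</head><body></body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

Run with `node` and the only finding is the jQuery 1.12.4 script; the Angular build passes the placeholder threshold, jQuery UI is not mistaken for jQuery core, and the unversioned first-party script is ignored. A real scanner would replace the inline table with a maintained vulnerability feed and would also fingerprint libraries that are bundled or served without a version in the filename.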

Sonar is now available as an open source online service, deployed on top of Azure using Docker containers.

Future releases will include features such as a plug-in for Visual Studio Code, configuration options for sonar, and new rules for areas such as performance, accessibility, security, and Progressive Web Apps.

Sonar currently supports jsdom, Chrome, and Edge 15. Firefox will likely be added to that list soon, according to the sonar website. Developers can also check out the sonarwhal GitHub organization.

The 3 big takeaways for TechRepublic readers

1. Microsoft's new, open source linting tool and site scanner sonar offers developers an easier way to scan their sites for errors and security flaws.

2. Sonar includes improvements over previous scanners such as execution of website code rather than static analysis, a more flexible, modern set of rules, parallel test execution, integration with other services, and a completely open source code base.

3. Sonar is now available as an open source online service, deployed on top of Azure using Docker containers.



About Alison DeNisco Rayome

Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.
