Microsoft’s Sonar, released last week under an open source license, could help developers build more effective and secure websites.
Sonar, a linting tool and site scanner, is the next evolution of the static scan tool, according to Microsoft.
The team that developed Microsoft’s Edge browser created Sonar as a better way for website maintainers to check performance and security issues. It searches out potential interoperability, performance, security and progressive Web app-related problems.
Finding website problems is half of what Sonar does. The other half is suggesting possible solutions.
Ease of Use
Microsoft first created a static scan tool within its Web browser in 2013 to detect optimizations for old versions of Internet Explorer, missing prefixes and outdated libraries. The updated version can execute website code. It has a modernized set of rules, capable of parallel test execution and integration with other services.
“Sonar will ease the adoption of Microsoft’s tooling and Azure for the community,” said Akshay Aggarwal, CEO of
PeachTech and COO of
Deja Vu Security.
However, “it is unlikely to move the needle on security significantly,” he told LinuxInsider.
Sonar combines existing technologies to address pressing security issues for Web developers. The innovation is in ease of use, as well as its integration capabilities with Microsoft’s developer tools and platform, he said.
What It Does
Sonar follows the trend of security tools being integrated with development according to the tenets of the DevSecOps movement, Aggarwal noted. Businesses can leverage Sonar without significant security programs to perform baseline assessments for security and to identify components with known vulnerabilities.
Microsoft donated Sonar to the
JS Foundation this past summer. The
Sonar Project code is available on Github.
The scanner tool is available as an open source Web service hosted by Microsoft and as a command-line (CLI) tool. The CLI functionality lets users integrate the tool directly into a website’s URL.
The service is deployed on top of Azure using Docker containers that can scan any publicly available website, said Antón Molleda, senior program manager for Microsoft Edge.
Sonar’s rules are backed by a collection of best practices for the Web. Links provide detailed documentation that keeps growing with each new rule built into the scanner, he explained.
How It Works
Sonar is a big improvement over previous scanners, according to Molleda. Among its advantages are the ability to execute website code instead of performing static analysis; a better set of rules; parallel test execution; and integration with other services.
Its completely open source code base is another benefit for continued development by the Sonar Project community.
Upcoming features under development:
- A plug-in for Visual Studio Code;
- Configuration customization options for the online service;
- New rules for performance, accessibility, security, progressive Web apps and more.
The Sonar project is designed with a set of guiding principles that put the user at the center, build for the community’s best interests, and support collaboration with existing tools and services, according to Molleda.
Sonar can be beneficial to just about every single website. But a developer or web designer must translate the analysis and take necessary actions, noted David Rosenthal, VP of digital business technology solutions at
“In other words, I do not see it as necessary for your ‘non- customized GoDaddy WordPress site,'” he told LinuxInsider, but it is “absolutely valuable for larger and more complex websites with programming, third-party extensions,” and other tech features to manage.