snyk.io updates app.snyk.io/projects

New

We are excited to announce that Snyk Code is now available in Visual Studio as well! You can scan your first party code and enjoy the blazingly fast Snyk Code scans using Snyk’s Visual Studio extension. The Visual Studio extension is available for Windows and supports Visual Studio 2015, 2017, 2019 and with a separate extension the latest 2022 version.

You can easily install the Snyk extension by navigating to the marketplace or within the IDE itself just like any other Visual Studio extension. If you are using a previous version of the Snyk extension, Snyk Code is enabled through the extension settings.

For further details, please have a look at the product documentation.

If you have any issues, don't hesitate to reach out to support@snyk.io.

Starting from March 7, 2022, Snyk CLI will no longer support Node.js v10.

As a general security best practice, we recommend using runtime environments which are maintained and up-to-date. Node.js ended long-term support for Node.js v10 on April 2021. This means it has not been receiving bug fixes and security updates for close to a year.

What does this mean?

Starting from the date stated above, using Snyk CLI npm installations with Node.js v10, either locally or as part of an automated build pipeline might fail in unexpected ways.

If you are using our official integrations or binary installations of Snyk CLI you will not be affected and do not need to take any action.

What should you do?

If you are affected by this change, we recommend upgrading Node.js to the current stable version, which is Node.js v16 as of writing. We do not recommend upgrading to Node.js v17 as odd numbered versions are not considered stable.

Snyk is here to help! If you encounter any issues or have any questions, please reach out to support.

Improved

We have improved our Yarn support by automatically detecting and scanning Yarn workspaces, removing the need for multiple commands to be run! To get started simply grab our latest CLI version by running npm i -g snyk before scanning your projects 🎉

See our Snyk for Javascript docs for more information.

Improved

We’re pleased to announce an improved scanning of Java applications in Snyk Container, allowing developers to find vulnerabilities in nested and shaded jars within their images.

You can use one of the following to scan images using Snyk:

• Using the snyk container test/monitor --app-vulns command in the Snyk CLI
• Importing an image using a container registry
• Using the kubernetes integration When using one of the above, Snyk will find vulnerabilities in application dependencies from container images, as well as from operating systems.

For Java applications, Snyk also scans one level of nested jars (including shaded jars) by default.

For more information, check out Detecting application vulnerabilities in container images.

New

We have enhanced the Snyk CLI with a new snyk log4shell command that will give you more visibility into your application, including being able to find traces of the vulnerable library even if it’s not declared in the manifest file.

The new command looks inside .jar and .war files to find Log4j or its parts. “Fat JARs” are supported as well.

With snyk log4shell you can scan a Java project to see if it includes:

• any .jar files with the vulnerable version of Log4j.
• any files known to be present in the vulnerable Log4j library. Such findings indicate that the whole Log4j library may be included.

Note: The new command does not require (or support) any additional command-line arguments.

For more details of using this command, see Find Log4Shell vulnerabilities in your unmanaged and shaded jars with the Snyk CLI.

See our Snyk CLI docs for more information.

New

We have just released a new CLI version (v1.792.0), showing a special warning notification in the snyk test output when the log4j vulnerability is found, to maximize your teams' awareness for vulnerable Log4j projects.

This message includes a link to our Log4Shell remediation cheat sheet for additional info about remediation options.

We highly recommend to encourage your teams to upgrade the CLI to the latest version so they get this extra messaging.

New

Snyk can confirm that within 24 hours of publishing CVE-2021-44228 in our vulnerability database all services that compose Snyk’s Cloud Platform running Apache’s vulnerable Log4j library have been patched to the latest version. We have not detected any successful attempts at exploitation of this attack vector during that time window.

Snyk’s security response to events pertaining to the Log4j remote code execution vulnerability (RCE) is also strengthened by our defense in depth that leverages network-based firewalls, web application firewalls, anomaly detection with our platform environment, and is supplemented by our ongoing ISO/IEC 27001:2013 certification process and ISAE3402 SOC2 Type II annual report, available to customers on request.

Today customers can also leverage the Snyk Platform to understand what steps they can take to ensure their services are also secure from CVE-2021-44228 and much more.

New

On December 10, 2021, a new, critical Log4j vulnerability was disclosed: Log4Shell. This vulnerability within the popular Java logging framework was published as CVE-2021-44228, categorized as Critical with a CVSS score of 10 (the highest score possible).

All current versions of log4j2 up to 2.14.1 are vulnerable. You can remediate this vulnerability by updating to version 2.15.0 or later.

Many application frameworks in the Java ecosystem use this logging framework by default. For instance, Apache Struts 2, Apache Solr, and Apache Druid are all affected. Aside from those, Apache log4j is also used in many Spring and Spring Boot applications, so we suggest you check your applications and update them to the latest version.

Read more in our blog post: Log4j vulnerability disclosed: Prevent Log4Shell RCE by updating to version 2.15.0

Further reading: Find and fix Log4Shell quickly with Snyk

Improved

We would like to inform you about upcoming changes to how we provide security data and evaluate the severity of container vulnerabilities.

CentOS Linux and CentOS Stream Updates:

As part of a continual effort to improve our container security data, we are changing how we provide information regarding CentOS Linux 6, 7 & 8 and CentOS Stream 8 vulnerabilities. Prior to these changes, we only provided information about CentOS through Red Hat Security Advisories (RHSA), which are collections of fixed CVEs. We are moving from presenting issues via RHSA, and instead will present them based on the individual CVEs, both fixed and unfixed.

The following are some of the key features of this change:

• Enhanced accuracy: By showing individual CVEs instead of an RHSA, which may cover more than one CVE, you will have more details about each vulnerability that Snyk detects.
• Broader coverage: We will now show both fixed and unfixed CVEs, whereas the RHSA only shows fixed CVEs.
• Enriched metadata: Showing individual CVEs allows us to provide enriched vulnerability metadata on these CVEs, like Exploit Maturity, Social Trends and more.
• Red Hat’s security analysis: We will provide the severity of the issues as defined by the Red Hat Security Team, in addition to the severity determined by NVD, as part of the Relative Importance feature.

Important note: The number of issues will increase significantly as a result of the change, so you might see a change in the number of issues in the reports.

Red Hat CVSS score for Red Hat Enterprise Linux (RHEL) and CentOS:

For vulnerabilities that the Red Hat security team has evaluated and assigned a CVSS score, we are moving to use Red Hat's score as the default score we will present (when available) as it better reflects how a vulnerability affects their products.

Important note: There may be some changes to existing vulnerabilities in your projects, such as moving CVSS score from 5.6 to 8.8.

Debian, Alpine, and Ubuntu Severity Updates:

We improved the way we evaluate risk for Debian, Alpine and Ubuntu vulnerabilities, by creating a smarter logic for combining the Linux source severity data and NVD severity data. In this on-going process to enhance accuracy, we are updating the severity of selected vulnerabilities.

Important note: This means that there may be some changes to existing vulnerabilities in your projects, such as moving from Low severity to High severity.

The rollout of the aforementioned changes will start on December 15th. Once the new data will be available, the old data will not be available.

After the change, retesting of the project is required (either a manual test or scheduled scanning for monitored projects).

Open beta

We're pleased to announce the beta of C/C++ support in Snyk Open Source! 🎉

With this new support, you can scan your C/C++ projects using the Snyk CLI to identify known vulnerabilities in the open source code you are using to build your applications.

This is our first step towards supporting the scanning of unmanaged source code, without relying on package manifests. The snyk unmanaged test in the Snyk CLI scans your source code for included open source dependencies and reports their vulnerabilities.

Using the snyk unmanaged monitor command, you can import the information about your dependencies into Snyk UI for reporting purposes. These capabilities are available, in beta, across all of Snyk's paid plans: Team, Business, and Enterprise. To join the beta, please drop us a note at ccpp-beta@snyk.io so we can verify your specific use case is supported. More information about these capabilities and how to use them are available in our documentation.