Product Updates

We are pleased to announce the Broker improvement; Universal Broker!

The Universal Broker is an innovative improvement to the Broker, providing a more scalable, secure, and user-friendly platform to alleviate management of Snyk Broker deployments and connections.

Previously, Snyk customers encountered difficulties managing multiple broker connections, leading to configuration challenges and risks. Universal Broker simplifies this process by allowing customers to consolidate all system types into a single Broker instance. Additionally, by implementing authenticated clients and abstracting sensitive values from the user interface, Snyk reaffirms its commitment to security.

By safeguarding credentials and providing a more intuitive user experience, this update aims to enhance overall efficiency and security for our customers.

The Universal Broker is particularly beneficial for customers who prioritize Github Server App or find managing multiple broker clients cumbersome.

To learn more about Universal Broker check out the user docs here! For any questions, please contact your Snyk Support team.

We are pleased to announce that improved accuracy for Gradle projects imported via git integrations is now in Early Access 🙌

Gradle is a powerful build tool with complex configuration and dependency management features, which has traditionally meant the only way to get good SCA results is to scan in CI/CD pipelines.

With this Early Access release, you can now also reliably scan your Gradle applications simply by connecting Snyk to your git repositories.

This makes it easier to roll out at scale across your organisation, and to benefit from shift-left, developer friendly features such as pull request checks.

For more details on improved Gradle scanning, and how to get started, see our documentation.

We are pleased to announce the latest stable releases for each supported IDE plugin:

• Visual Studio Code v2.18.1

• JetBrains v2.9.0

• Eclipse 2.0.2

• Visual Studio 1.1.63

  (only VS 2022)

As part of these releases, we are happy to conclude the work announced previously:

• OAuth 2.0 authentication

• Severity change annotations

In addition to big features, these releases contain multiple bug fixes and performance improvements:

• Significantly improved JetBrains performance by moving business logic from the UI thread to the separate one on the background

• Unified and Improved rendering of IAC findings in all VSC and JetBrains

Snyk documentation has been updated with How-to pages about authentication. For example, JetBrains authentication

We encourage everyone to upgrade to the newest versions.

We are pleased to announce the latest stable Snyk CLI release v1.1293.0.

We are introducing the following new features in this version. To learn more about bug fixes, please reference the release notes.

Introducing OAuth by default for standalone installation

OAuth support has been available since v.1.1267.0 and from v.1.1293.0 onwards, Snyk CLI will authenticate a local user via OAuth by default. This change strengthens security and access controls, and can be used in both local development as well as where the CLI is integrated directly into CI/CD pipelines. See user docs for more information.

Improved environment configuration

Introducing a new config subcommand, the experience is now easier and more consistent to configure the environment used in the CLI. By default, the Snyk CLI connects to https://api.snyk.io/ and for users using regional hosting or on premise instances, it’s as simple as calling snyk config environment . For more information and to understand how this reduces the impact of misconfiguration, see the docs here.

Support for license issues and improved error details in SBOM test

We now support returning license issues in addition to vulnerabilities when using sbom test. When scanning a CycloneDX or SPDX SBOM, Snyk will detect the license for each component in the SBOM and return issues according to the defined or default license policy for your organization. In addition, we’ve made improvements to CLI errors returned when SBOMs cannot be processed by Snyk.

Improved SBOM generation for Container application dependencies

We have improved the accuracy of SBOM generation for Snyk Container. When using snyk container sbom, Snyk scans and generates an SBOM for operating system dependencies as well as application dependencies in your image by default. Prior to this improvement, there were limitations in the underlying analysis causing application dependencies to be omitted under certain conditions.

Enrich CLI results for IaC+ with successful items

The CLI output for Snyk IaC tests now displays not only the failed rules but also the successful rules, providing visibility into the comprehensive scan coverage and reassurance that configurations are correctly defined (for validation purposes).

pnpm CLI support in Early Access

We now support testing and monitoring of pnpm projects using the Snyk CLI. Customers wanting to try this Early Access feature can enable it using Snyk Preview. Details are available in user docs.

You can learn more about Snyk CLI release channels in user documentation.

We wanted to share an update on how users can interact with issue details from within the Vulnerabilities Detail report. To improve usability and consistency across the product, the nested table pattern previously used in this report has been replaced with a drawer. Clicking the vulnerability name in the report table will now activate a drawer with increased area to display details, pagination, and affected projects. Also within the drawer is an additional link to the Issue Details report, with included context, for deeper exploration.

We are pleased to announce that CLI support for pnpm is now available in Early Access 🎉

pnpm is a fast, efficient Node.js package manager, with excellent support for managing large monorepos. Managing security risks in pnpm projects is as vital as with any other tool, and we are excited to begin supporting it.

When the feature is enabled via Snyk Preview, you can scan pnpm projects with the Snyk CLI stable version v1.1293.0 and higher.

Here's a summary of what's supported, see the docs for more details…

• pnpm versions 7, 8 and 9

• snyk test and snyk monitor CLI commands

• pnpm catalogs

• pnpm workspaces, using the --all-projects CLI option

• Standard CLI options for Node.js projects, e.g. --dev for dev dependencies

Have fun! 🤗

We are happy to announce that the OAuth 2.0 authentication protocol will be enabled by default for the new release of CLI and IDE plugins.

What is OAuth 2.0?

OAuth2 is an open standard for enabling secure, controlled data access. This protocol relies on a pair of short-lived tokens with a built-in refresh mechanism instead of long-lived tokens. It's highly regarded across the industry.

This improvement will be included in the upcoming release of the CLI on Wednesday, August 28th, and the IDE plugins for Visual Studio Code, Jetbrains IDEs, Visual Studio, and Eclipse on Thursday, August 29th.

Things you should know about CLI authentication:

• Active users of the CLI will continue to be authenticated

• The 'snyk auth' command, when run locally, will use short-lived tokens to grant user access to Snyk CLI

• CI/CD use cases will continue as is for environment variable SNYK_TOKEN as well as snyk auth

• API keys and personal access tokens (PATs) experience remains unchanged

Things you should know about IDE plugin authentication:

• Active users will be prompted to re-authenticate upon the plugin's upgrade.

• There will be a temporary opportunity to return to the token-based authentication in plugin’s settings.

Troubleshooting

A new browser tab does not open automatically:

• Copy a provided URL to the clipboard

• Open a new browser tab manually and paste the URL

• Continue the authentication procedure

These changes will be reflected in Snyk's documentation over the next week.

OS Security policies can be configured to change the severity of matched vulnerabilities. (See Snyk documentation).

Till now, this change was not visible in IDE plugins.

With the new release, IDE plugins will show that "severity was changed to…" and mention the policy name that affected it.

This UI improvement is included in the upcoming release of plugins for Visual Studio Code, IntelliJ IDE, and Eclipse on Thursday, August 29th.

As part of ongoing efforts to make the Snyk Code engine faster, easier to use, and more accurate—we’re introducing an optimization that will improve analysis speed by 120%.

In addition to providing you faster feedback, we're also solving a longstanding precision issue that we know leads to false positives in production today. On average, you will see a 5% reduction in false positives for C++ and minor improvements to C#.

This change will be released on September 4th, 2024. Once released, no action is necessary—you'll begin to observe improvements in your tests going forward.

When viewing a “taint vulnerability” in Snyk Code, we provide a visualisation of the dataflow between the source and the sink. This helps you to get an understanding of the reported vulnerability, decide whether it a true positive and work on a fix.

In some cases, dataflow steps that are unnecessary for understanding the reported vulnerability can be added, which can make it harder to understand and mitigate the reported vulnerability.

Soon we will be rolling out an improvement which simplifies the dataflow view in the web app by showing only the steps necessary to understand taint flow vulnerabilities.

This UI improvement will become available to all Snyk Code users on Wednesday August 28th, and no other action is required.