Product Updates

Over the next two weeks, we continue to enhance Snyk Code. As a result, the following improvements will be implemented:

• Java: Improve support for Micronaut and adding support for "unsafe reflection" vulnerabilities. Potential increase in issues, and issues affecting CWE-470

• JavaScript: add support for FS/Promise Node.js APIs and sanitizer alignment. Potential increase in issues

• .NET (C#): Improved Type Sanitization. Potential decrease in issues

• Python: Improvements to sanitizers. Potential decrease in issues

• Ruby: Improved support for ActiveRecord. Potential increase in issues

• All Languages: Improvement for Path Traversal Sanitizers. Potential decrease in issues affecting CWE-22

If you have any questions, please reach out to your account teams.

We're pleased to announce a significant expansion of the Snyk Vulnerability Database's coverage of malicious packages.

Following our work to mitigate software supply chain attacks, we've added thousands of new malicious packages to the Snyk Vulnerability Database.

As a result, you may notice new Critical severity issues categorized as CWE-506 during your project scans if the newly added malicious packages are detected.

Malicious packages represent a rising threat in software supply chain attacks. We recommend visiting our user documentation to stay informed about this crucial security aspect. Here, you can learn more about what malicious packages are, how Snyk detects them, and the recommended actions to take when encountering malicious package issues in your projects.

We are excited to announce that on Thursday, September 28th, we will officially launch GA support for Kotlin and VB.NET, enabled for all customers. This milestone is a result of months of development, including feedback from 275 customers who conducted scans, significant enhancements driven by input received through customer calls and support tickets, the assessment of benchmark applications and open-source repositories, as well as a comprehensive review of industry and competitor research findings.

For customers with Kotlin or VB.NET code, please anticipate a potential increase in issues.

If you have any questions, please reach out to your account teams.

We're excited to share that Snyk now supports generating CycloneDX/SPDX SBOMs for images using the Snyk Container CLI.

Use the snyk container sbom --format=<cyclonedx1.4+json|cyclonedx1.4+xml|spdx2.3+json> <IMAGE> command to generate SBOM for your image.

This change is available in CLI version 1.1226.0.

To learn more, check out our user documentation. If you have any questions or feedback, please reach out to your account team.

Over the next two weeks, we continue to enhance Snyk Code. As a result, the following improvements will be implemented:

• C#, Java, Python: aligning issue severity across languages for consistency. Customers should expect similar or fewer issues

• Java: improving java sanitizers. Customers should expect similar or fewer issues

• Java/JSP: re-enabling processing of JSP taglib directives. Customers should expect potential increase in issues (released Wed, 9/27)

If you have any questions, please reach out to your account teams.

Snyk Code has been at the forefront of PHP static analysis since its launch 2 years ago.

In 2 weeks time we will roll out a new PHP analysis engine that is smarter. From our benchmarks, we expect a similar number of matches overall, but of much higher quality. This is due to three improvements:

• The new engine is capable of deeper analysis, and so doesn’t use approximations as often. This removes many false positive matches.

• Object-orientated code that makes use of classes, methods and properties is analysed much better, adding new correct matches.

• Interfile analysis is enabled, which detects vulnerabilities across multiple source files.

If you have any questions, please contact support or your account manager.

We are very pleased to announce that Snyk Open Source now supports scanning Pipenv projects via Git integrations!

With this update, you can now import your Pipenv projects into the Snyk web UI simply by connecting your existing Git repositories.

We'll do the hard work of discovering all the dependencies and reporting all related vulnerabilities and licenses.

To get started, head over to the docs or just re/import your repos and check out your shiny new Pipenv projects 🤗

We are excited to announce that on Wednesday, September 6th, we will officially launch GA support for Swift and Scala, enabled for all customers. This milestone follows substantial improvements driven by valuable feedback from customer support tickets, calls, and improvements through benchmark applications and open-source repositories.

For customers with Swift or Scala code, please anticipate a potential increase in issues.

If you have any questions, please reach out to your account teams.

We're excited to share that Snyk now supports testing CycloneDX SBOMs for vulnerabilities through a set of async APIs.

Right now this feature is in open beta and support is limited to the npm and Maven ecosystems. Support for additional ecosystems and SPDX are coming soon.

To learn more, check out the API docs and user docs. We look forward to hearing your feedback, so please don't hesitate to reach out to your account team.

The scheduled maintenance on Sunday, September 3rd from 14:30-15:30 UTC has been completed successfully. Snyk's US based instance is now available. More details about the maintenance can be found at status.snyk.io.