Product Updates


Asset Context Availability in Snyk Reports

Improved

We are thrilled to announce that the asset and application attributes are now available in Snyk Reports!

Please find below the list of new columns and filters that were added:

  • Asset context

    • Asset name (and ID)

    • Parent Asset name (and ID)

    • Asset class

    • Asset type

    • Asset tags

    • Repository freshness

  • Application context (learn about related integrations here):

    • Asset Application

    • Asset Owner

    • Asset Category

    • Asset Catalog Name

    • Asset Lifecycle

These enhancements unlock a wide range of new use-cases, such as:

  • Enhance data-driven prioritization based on the asset business criticality and repository freshness.

  • Drill into remediation performance (such as backlog burn down rate and MTTR) within specific applications and code owners.

  • Identify prevalent CVEs in business critical assets or strategic applications.

For any questions, please contact your account team.

Upcoming improvements to Snyk Code Anti-Forgery Token Validation in .NET MVC Apps

Improved

As part of our ongoing commitment to improving and making Snyk Code findings more accurate and relevant, we're improving our Anti-Forgery Token Validation detection for C#, particularly in cases where .NET MVC is used.

This update changes the logic so that the rule triggers only in specific instances where .NET MVC usage is detected, replacing the previous "blacklist" approach.

Supported classes include: System.Web.Mvc.Controller, System.Web.Mvc.ControllerBase, Microsoft.AspNetCore.Mvc.Controller, Microsoft.AspNetCore.Mvc.ControllerBase.

This update will be released Wednesday, January 15th. Customers should see a decrease in false-positive results pertaining to the rule mentioned above.

Please do not hesitate to reach out to your account team with any questions or inquiries!
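To illustrate what the updated rule looks for, here is an added example (constructed for this note, not Snyk's code); the controller, action and field names are hypothetical. The controller derives from Microsoft.AspNetCore.Mvc.Controller, one of the base classes listed above, so its state-changing actions are in scope.

```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller deriving from Microsoft.AspNetCore.Mvc.Controller.
public class ProfileController : Controller
{
    // Constructed in-memory store standing in for a real user repository.
    private static readonly Dictionary<string, string> Emails = new();

    // Before: a POST action that changes state without anti-forgery
    // validation. A forged cross-site form post would be accepted,
    // so this is the shape of action the rule reports.
    [HttpPost]
    public IActionResult UpdateEmail(string newEmail)
    {
        Emails[User.Identity?.Name ?? "anonymous"] = newEmail;
        return RedirectToAction("Index");
    }

    // After: the action validates the anti-forgery token emitted by the
    // view (form tag helper or @Html.AntiForgeryToken()), so a request
    // without a matching token is rejected before the body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult UpdateEmailSafe(string newEmail)
    {
        Emails[User.Identity?.Name ?? "anonymous"] = newEmail;
        return RedirectToAction("Index");
    }
}

// Alternative: validate for every unsafe-method action in the controller
// at once instead of annotating each action individually.
[AutoValidateAntiforgeryToken]
public class SettingsController : Controller
{
    private static readonly Dictionary<string, string> Timezones = new();

    [HttpPost]
    public IActionResult Save(string timezone)
    {
        Timezones[User.Identity?.Name ?? "anonymous"] = timezone;
        return RedirectToAction("Index");
    }
}
```

The same attribute can also be registered globally as an MVC filter, which is the easiest way to make the hardened form the default across an application.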

Introducing the Assets Dataset in Snowflake Data Share

New

We are happy to introduce the Assets dataset to Snowflake Data Share via Snyk Analytics!

The Assets dataset includes various attributes of code repositories, container images and packages. In addition, the Asset ID column will be added to the Issues__v_1_0 table, allowing issues to be correlated with their assets.

The new dataset unlocks new use-cases, such as:

  • Build your own coverage metrics and asset-based visualizations in reports and dashboards.

  • Review risk exposure within business-critical assets, code owners, and strategic applications.

  • Improve prioritization by considering the repository freshness, asset class and application.

The new dataset will be available in the Snowflake data share starting January 8th.

If you have a Snowflake account and want to discover what you can achieve with the Snowflake data share, visit our product documentation and contact your account team to learn more.

Artifactory Gatekeeper Plugin 4.0.0

New

We are pleased to announce version 4.0.0 of the Snyk Artifactory Gatekeeper Plugin 🎉

This update adds support for more repository types, newer versions of Artifactory and some new options for handling vulnerable packages.

  • Support for Artifactory version 7.84 and above.

  • Support for Ruby Gems, Cocoapods, and NuGet repositories.

  • A new “continuous” mode - access to packages can be revoked if a new vulnerability is discovered for a previously allowed package.

For more details, see the documentation.

More improvements for Gradle scanning - type-safe accessors

Improved

From January 7th 2025, Snyk's improved Gradle scanner (available in Snyk Preview) will support type-safe project accessors in both Groovy and Kotlin.

Existing users of the new scanner should see the improved results in the next re-scan of their projects. Or, to start using the new scanner, see the documentation.

What are type-safe project accessors?

Gradle type-safe project accessors allow project references to be statically checked for correctness. Incorrectly specified project references trigger compilation errors, helping you catch build problems earlier.

Type-safe project accessors are an incubating Gradle feature, and can be enabled by adding the TYPESAFE_PROJECT_ACCESSORS feature preview to your settings file. For example:

// settings.gradle.kts
enableFeaturePreview("TYPESAFE_PROJECT_ACCESSORS")

Once enabled, you can reference a project ":commons:utils:some:lib" as projects.commons.utils.some.lib.

Upcoming improvements to Cross-site Request Forgery findings in Snyk code

Improved

We’re excited to announce various improvements that will be made to Cross-site Request Forgery findings in JavaScript, to be released on January 15th, 2025! This update will improve overall accuracy for the rule and expand our support for several common mitigation libraries.

Changes include:

  • New support for express-csrf-protect library

  • Improved support for lusca, csrf-csrf, and csurf libraries

  • Improved: findings will now only be raised in cases where basic auth or cookie usage is detected

  • New support for detection as part of PUT, DELETE, and PATCH HTTP methods

  • New support for cases where an Express middleware (used to protect against Cross-site Request Forgery issues) is set up in a separate file

Customers with JavaScript projects which have Cross-site Request Forgery findings should expect to see a decrease in false-positive findings.

Please don't hesitate to reach out to your account teams with any inquiries!

Snyk Reports Enhanced Asset Context

Improved

We are happy to share that the asset and application context will soon be supported in Snyk Reports!

The following columns and filters will be added in the main reports in both the Org and Group levels:

  • Asset context

    • Asset name (and ID)

    • Parent Asset name (and ID)

    • Asset class

    • Asset type

    • Asset tags

    • Repository freshness

  • Application context (learn more about populating this data here):

    • Asset Application

    • Asset Owner

    • Asset Category

    • Asset Catalog Name

    • Asset Lifecycle

These enhancements unlock a wide range of new use-cases, such as:

  • Enhance data-driven prioritization based on the asset business criticality and repository freshness.

  • Drill into remediation performance (such as backlog burn down rate and MTTR) within specific applications and code owners.

  • Identify prevalent CVEs in business critical assets or strategic applications.

The mentioned columns and filters will be available in Snyk Reports starting January 8th.

For any questions, please contact your account team.

API end-of-life January 2025 cadence and "Candidates for upcoming API end-of-life cadences" user doc

New

In July, we kicked off the first official cadence of Snyk’s API end-of-life and set out to end-of-life the following endpoints:

  • The experimental “Get all issues by Org and Group” REST endpoints (Experimental versions from 2023-03-10 inclusive up to 2023-09-29 exclusive)

  • The v1 Get Group and Org level audit logs endpoints

We’re pleased to say that we have successfully end-of-life’d the experimental endpoint (and its respective version), and the v1 audit logs endpoints will be end-of-life’d on January 22nd.

For the next scheduled end-of-life cycle that is due to start on January 23rd 2025, there will be no endpoints slated for end-of-life. The next batch of APIs will be announced in June 2025.

However, we have just released a page in the user docs which is dedicated to v1, non-GA REST endpoints, and old GA REST endpoints that have GA REST equivalents that can be migrated to, and a migration guide to go with them.

The endpoints found on this page are candidates for future end-of-life cadences; their listing does not mean that they are included in an existing cadence or guaranteed to be part of the next one. The purpose of this section is to enable you to be proactive and start migrating endpoints in line with our end-of-life process, ahead of an end-of-life announcement.

Waleed Arshad | Senior Product Manager

GitHub Server App is now available in Early Access

Early access

We are announcing the availability of the GitHub Server App in Early Access. This app is designed specifically for organizations using self-hosted or private cloud deployments of GitHub Enterprise Server, offering a secure and simplified integration with Snyk as an alternative to the existing integration with personal access tokens (PATs).

With features like Role-Based Access Control (RBAC) and granular repository-level permissions, you can manage access efficiently, ensuring your users only see the data they need. These benefits not only simplify policy management but also align with modern security practices, eliminating the need for managing individual accounts. The app is also compatible with the newly introduced Universal Broker. You can access the app directly through the integration page. Please check out the user docs for more details! 🚀

Mayank Khera | Senior Product Manager

Snyk Broker: Universal Broker Helm Charts & Broker Config Open Sourced

New

We have responded to customer requests and are pleased to announce that we have open sourced Universal-broker-helm and Broker-config. Snyk Universal-broker-helm and Broker-config are essential for deploying and configuring the Universal Broker Client. Since they are executed by customers within their own environment, there are often security concerns about what the software actually does.

Open sourcing these tools not only empowers customers and fosters a collaborative ecosystem, it also increases transparency and security awareness for customers.

If you have any questions or comments, please reach out to Snyk support.