Product Updates


New versions of Snyk IDE plugins

New

We are pleased to announce the latest stable releases for each supported IDE plugin:

As part of these releases, we are happy to conclude the work announced previously:

In addition to big features, these releases contain multiple bug fixes and performance improvements:

  • Significantly improved JetBrains performance by moving business logic from the UI thread to a separate background thread

  • Unified and improved rendering of IaC findings across the VS Code and JetBrains plugins

Snyk documentation has been updated with how-to pages about authentication. For example, JetBrains authentication.

We encourage everyone to upgrade to the newest versions.

Announcing Snyk CLI v1.1293.0

New

We are pleased to announce the latest stable Snyk CLI release v1.1293.0.

We are introducing the following new features in this version. To learn more about bug fixes, please reference the release notes.

Introducing OAuth by default for standalone installation

OAuth support has been available since v1.1267.0, and from v1.1293.0 onwards the Snyk CLI will authenticate a local user via OAuth by default. This change strengthens security and access controls, and can be used both in local development and where the CLI is integrated directly into CI/CD pipelines. See user docs for more information.

Improved environment configuration

A new config subcommand makes configuring the environment used by the CLI easier and more consistent. By default, the Snyk CLI connects to https://api.snyk.io/ and for users using regional hosting or on-premises instances, it’s as simple as calling snyk config environment . For more information and to understand how this reduces the impact of misconfiguration, see the docs here.

Support for license issues and improved error details in SBOM test

We now support returning license issues in addition to vulnerabilities when using sbom test. When scanning a CycloneDX or SPDX SBOM, Snyk will detect the license for each component in the SBOM and return issues according to the defined or default license policy for your organization. In addition, we’ve made improvements to CLI errors returned when SBOMs cannot be processed by Snyk.

Improved SBOM generation for Container application dependencies

We have improved the accuracy of SBOM generation for Snyk Container. When using snyk container sbom, Snyk scans and generates an SBOM for operating system dependencies as well as application dependencies in your image by default. Prior to this improvement, there were limitations in the underlying analysis causing application dependencies to be omitted under certain conditions.

Enrich CLI results for IaC+ with successful items

The CLI output for Snyk IaC tests now displays not only the failed rules but also the successful rules, providing visibility into the comprehensive scan coverage and reassurance that configurations are correctly defined (for validation purposes).

pnpm CLI support in Early Access

We now support testing and monitoring of pnpm projects using the Snyk CLI. Customers wanting to try this Early Access feature can enable it using Snyk Preview. Details are available in user docs.

You can learn more about Snyk CLI release channels in user documentation.

Ezra Tanzer | Director, Product Management

Vulnerabilities Detail report format

Improved

We wanted to share an update on how users can interact with issue details from within the Vulnerabilities Detail report. To improve usability and consistency across the product, the nested table pattern previously used in this report has been replaced with a drawer. Clicking the vulnerability name in the report table will now activate a drawer with increased area to display details, pagination, and affected projects. Also within the drawer is an additional link to the Issue Details report, with included context, for deeper exploration.

Details of a vulnerability include vulnerability score, linked CVE or CWE, and affected projects

CLI support for pnpm now in Early Access

Early access

We are pleased to announce that CLI support for pnpm is now available in Early Access 🎉

pnpm is a fast, efficient Node.js package manager, with excellent support for managing large monorepos. Managing security risks in pnpm projects is as vital as with any other tool, and we are excited to begin supporting it.

When the feature is enabled via Snyk Preview, you can scan pnpm projects with the Snyk CLI stable version v1.1293.0 and higher.

Here's a summary of what's supported; see the docs for more details:

  • pnpm versions 7, 8 and 9

  • snyk test and snyk monitor CLI commands

  • pnpm catalogs

  • pnpm workspaces, using the --all-projects CLI option

  • Standard CLI options for Node.js projects, e.g. --dev for dev dependencies

Have fun! 🤗

Coming soon - OAuth 2.0 authentication by default in CLI and IDE plugins

Improved

We are happy to announce that the OAuth 2.0 authentication protocol will be enabled by default for the new release of CLI and IDE plugins.

What is OAuth 2.0?

OAuth2 is an open standard for enabling secure, controlled data access. This protocol relies on a pair of short-lived tokens with a built-in refresh mechanism instead of long-lived tokens. It's highly regarded across the industry.

This improvement will be included in the upcoming release of the CLI on Wednesday, August 28th, and the IDE plugins for Visual Studio Code, JetBrains IDEs, Visual Studio, and Eclipse on Thursday, August 29th.

Things you should know about CLI authentication:

  • Active users of the CLI will continue to be authenticated

  • The 'snyk auth' command, when run locally, will use short-lived tokens to grant user access to Snyk CLI

  • CI/CD use cases will continue to work as is, both with the SNYK_TOKEN environment variable and with snyk auth

  • The experience for API keys and personal access tokens (PATs) remains unchanged

Things you should know about IDE plugin authentication:

  • Active users will be prompted to re-authenticate upon the plugin's upgrade.

  • There will be a temporary opportunity to return to token-based authentication in the plugin’s settings.

Troubleshooting

If a new browser tab does not open automatically:

  • Copy the provided URL to the clipboard

  • Open a new browser tab manually and paste the URL

  • Continue the authentication procedure

These changes will be reflected in Snyk's documentation over the next week.

Coming soon - Severity change annotations in IDEs for OSS findings

Improved

OS Security policies can be configured to change the severity of matched vulnerabilities. (See Snyk documentation).

Until now, this change was not visible in IDE plugins.

With the new release, IDE plugins will show that "severity was changed to…" and mention the policy name that affected it.

This UI improvement is included in the upcoming release of plugins for Visual Studio Code, IntelliJ IDE, and Eclipse on Thursday, August 29th.

Improved accuracy and speed in Snyk Code

Improved

As part of ongoing efforts to make the Snyk Code engine faster, easier to use, and more accurate, we’re introducing an optimization that will improve analysis speed by 120%.

In addition to providing you faster feedback, we're also solving a longstanding precision issue that we know leads to false positives in production today. On average, you will see a 5% reduction in false positives for C++ and minor improvements to C#.

This change will be released on September 4th, 2024. Once released, no action is necessary—you'll begin to observe improvements in your tests going forward.

Ryan Searle | Product Director

Coming soon - Simplified Snyk Code taint flow view

Improved

When viewing a “taint vulnerability” in Snyk Code, we provide a visualisation of the dataflow between the source and the sink. This helps you to understand the reported vulnerability, decide whether it is a true positive, and work on a fix.

In some cases, dataflow steps that are unnecessary for understanding the reported vulnerability can be added, which can make it harder to understand and mitigate the reported vulnerability.

Soon we will be rolling out an improvement which simplifies the dataflow view in the web app by showing only the steps necessary to understand taint flow vulnerabilities.

This UI improvement will become available to all Snyk Code users on Wednesday, August 28th, and no other action is required.

Introducing Quick Filters for Asset Inventory

New

We are pleased to introduce the new Quick Filters feature in the Asset Inventory. This feature is designed to streamline your filtering experience and speed up workflows, helping you focus on what matters most.

What is this feature about?

With Quick Filters, users can now quickly narrow down their Asset Inventory using predefined filters, helping users identify the most critical assets and eliminating the need to manually set multiple criteria.

After selecting a Quick Filter, the filters are automatically populated with the relevant attributes and values. Users can then apply the filters directly or further customize them to meet their specific needs. For those who prefer a manual approach, the option to set filters manually, as before, remains available.

Itay Maor | Senior Manager, Product

Announcing general availability of Workspaces, and improved SCM integration accuracy and reliability

New

We are excited to announce the General Availability of Workspaces. Following a successful open beta announced previously, this enhancement significantly improves the accuracy and reliability of Snyk’s SCM integration results, especially for large-scale enterprise environments. This capability also supports additional functionality and improvements we have planned in the future.

To maximize the benefits of this feature and provide a consistent user experience, Snyk strongly recommends enabling Workspaces across all your Snyk Organizations. To facilitate this, over the coming days we will be incrementally rolling out the ability to manage Workspaces at both the Snyk Organization and Snyk Group level.

Going forward, Workspaces will be enabled by default for all new Snyk Organizations. Existing Organizations will be gradually transitioned to this new approach in the coming weeks. To request a deferral from the default settings, please opt out here by September 20th, 2024.

Detailed information on Workspaces and its security measures can be found in the docs, including how Workspaces supports more reliable results, how Workspaces supports more accurate results, and the safeguards Snyk puts in place to ensure data is secure.

If you have any questions or require further assistance, please contact Support, or your dedicated Snyk account representative.

Steve Winton | Principal Product Manager