Product Updates

We would like to notify on an improvement related to the issues' Mean Time To Resolve (MTTR) measurements.

With the current implementation, issue resolutions of under a day are not being counted correctly during MTTR measurements, which leads to a slightly lower MTTR. The planned release will solve it and provide a more accurate MTTR results.

Once the improved logic is released you should expect seeing higher MTTR measurements, which will reflect a more accurate result.

We plan to release this improvement during the week of July 8th. Please reach out to your account team for any questions.

[Hot fix update 27-June-24]

We identified an issue that caused snyk test and snyk monitorto fail for some users. To address this problem, we have released a hot fix, version 1.1292.1. Incident causing this hot fix was announced here.

We would like to remind our users that hot fix will be deployed automatically for those who are subscribed to our stable release channel. You can also upgrade directly to the latest version containing this hot fix by following our user documentation.

[Original announcement 26-June-24]

We are pleased to announce the latest stable Snyk CLI release v1.1292.0.

We are introducing the following new features in this version. To learn more about the bug fixes, please reference the release notes.

• Improved security prioritization with CVSS version 4.0

Starting 18-June-2024, and in accordance with the latest official CVSS version published by First.org, new vulnerabilities will be assigned with hand curated CVSS v4.0 vectors by Snyk’s team of Security Analysts. You can read more about this in this blog post.

CVSSv4.0 will be available in previously released CLI versions too. It is an additive change.

• Improved .NET scanning for Snyk Open Source: Early Access

The new scanning approach leverages closer integration with the internal workings of the .NET ecosystem, and works with the Snyk CLI and SCM integrations. You can learn more about this change in user documentation.

• Support for --target-reference in Snyk Container CLI

Snyk Container now supports the --target-reference CLI option, allowing you to specify a reference to differentiate this project from other monitored projects. This helps with monitoring different states of a project within a target, for example: branches, releases, or deployments.

When used, --target-reference option will create sub-groupings on the Projects page in Snyk's web UI.

You can learn more about Snyk CLI release channels in user documentation.

As part of our continual improvements at Snyk we are releasing new GA REST API endpoints to replace v1 API endpoints as well as beta and/or experimental REST API endpoints (collectively referred to as “Sunsetting Endpoints”). This helps us maintain the performance, stability, and security of the Snyk platform for all customers.

Last year, we performed a major end-of-life for the v1 List All Project endpoint and following feedback and learnings from the initiative, we are pleased to announce that we are rolling out an API end-of-life process for our v1 endpoints and non-GA REST endpoints. The process aims to provide you with improved predictability, efficiency, and reliability when Snyk is in a position to sunset v1 and non-GA REST endpoints.

v1 and non-GA REST endpoints will be sunsetted across two cadences per year; in January and July (with communication one month prior on which endpoints will be included in an end-of-life cadence).

The timelines for how long migrations last for (based on whether it's a v1 or non-GA REST endpoint) can be found in the user documentation, along with the endpoint migration guides, key milestones and dates, and expectations you should have around future API migrations.

The first API end-of-life cadence will begin on July 22nd 2024:

Deprecated API endpoints

• v1 Group and Org audit logs endpoints

• Experimental Get all Issues by Org and Get all Issues by Group endpoints

GA REST endpoint(s) replacement(s)

• GA REST Group and Org level audit log endpoints

• GA REST Issues API

You can read more about the endpoints in this end-of-life cadence in the user documentation.

We are happy to announce that DeepCode AI Fix is now available in all tenant regions including EU and AU.

To enable DeepCode AI Fix in your Organization or Group, please go to Settings -> Snyk Preview -> Turn on 'Snyk Code Fix Suggestions' and start seamlessly fixing Snyk Code issues in your IDEs.

To make sure we enable as many developers as we can, DeepCode AI Fix is now available in all JetBrains IDEs including IntelliJ. You will require the Snyk JetBrains plugin version v2.8.0 or newer to start fixing.

For more information please visit our documentation. If you have any questions or feedback please reach out to your account team.

New data is now available in Snyk Reports!!

Exploitability probability

Leverage EPSS to achieve a more holistic risk assessment or prioritization calculations.

Supported columns:

• EPSS Score - The probability of exploitation in the wild in the next 30 days.

• EPSS Percentile - The proportion of all vulnerabilities with the same or lower EPSS score

Jira issues attachments

Obtain a new level of visibility of Snyk’s Jira integration (not including Snyk’s Jira App). Trace issues in priority that don't have a Jira issue assigned or use the Jira issue keys to surface related Snyk issues.

Supported columns:

• Has Jira Issue(s) Assigned - Displays truewhen at least one Jira issue is assigned, otherwise displays false.

• Latest Jira Issue - The latest attached Jira issue key with a link to the issue card in the project page.

• Jira Issues List - A list of all the attached Jira issue keys.

Learn more about:

• Setting up Jira integration within Snyk here

• What is EPSS here

• The available columns in Snyk Issues Detail Report here

Reach out to your account team for any questions.

We’re happy to announce the introduction of the latest version of CVSS - version 4.0.

Starting today, and in accordance with the latest official CVSS version published by FIRST.org, new vulnerabilities will be assigned with hand curated CVSS v4.0 vectors by Snyk’s team of Security Analysts.

All new advisories identified by Snyk Open Source will be provided with both CVSS v4.0 and CVSS v3.1 severity assessments. These new advisories, which will have a provided CVSS v4.0 vector and score, will determine the default severity of the issue, based on CVSS v4.0. The current severity of existing issues in your projects will not change.

In addition to basing the severity of new issues on CVSS v4.0, Snyk will gradually expose the new vector metrics in the various product workflows.

The new default evaluation using CVSS v4.0 will improve the prioritization workflow and risk assessment, enabling you to focus on the most emerging threats.

For more information about CVSS v4.0's specifications, please refer to the blog post: What’s new in CVSS 4.0.

Snyk Apps are a way to help you integrate Snyk into your workflows, platforms, and tools. As you install more Snyk Apps, you’ll need to be able to observe and manage them easily. You can find out a number of key pieces of information about your Apps through the API for your Snyk Apps including:

• Which Snyk Apps have been installed

• When it was installed

To improve security, you can also revoke Snyk Apps through the API to reduce the number of connections you have exposed. However, we’re aware that not everyone uses the API and that some management actions are more effective through the UI.

We’re pleased to announce that the next iteration in the Snyk Apps story is to bring all of these management capabilities to the Snyk UI.

If you want to read more about Snyk Apps and its new management UI, please visit the user documentation.

This is a follow-up to the previous announcement about Snyk Images containing obsolete software.

Obsolete Snyk Images listed here are being discontinued. Snyk customers must stop using them and build their own images following Snyk's documentation.

Snyk is no longer building a subset of Snyk Images: As of 10th June 2024, Snyk has stopped building obsolete images. These images contained software packages that are no longer supported by upstream vendors.

Snyk will not build, maintain, or deploy this subset of Snyk Images and they will be removed from Docker Hub on the 12th of August 2024.

Action required: Users of these images must replace them by 11th August 2024 to avoid disruption to their CI/CD workflows. This subset is no longer maintained and could be vulnerable to security risks.

Snyk recommends building custom images that meet your needs. Instructions are available here. Alternatively, you can use the latest version of base images listed here.

Snyk delivers a number of REST API improvements and changes regularly which can be incredibly beneficial. However, given the frequency of delivery, it can be difficult to keep track of these changes at a glance, which means that you might be missing out on key improvements or potentially breaking changes.

With this in mind, we’re pleased to announce that we have created and exposed a changelog for our API. This changelog will outline which REST endpoints have been affected, what the change was, and whether it’s breaking. You can also look at the changes per version of the API.

We are excited to announce the GA release of the Custom PR templates feature, bringing a stable and extensive solution for letting you customize the title, description and commit message for PRs being raised by Snyk.

The General Availability version delivers:

• You can customize the PR look either at the repo level (via a YAML file upload) or Group level (via an API call)

• You can customize PRs by type (Container PRs & OS PRs)

More details on the feature are available in our documentation.