Product Updates


Snyk Code Improvements: BinaryFormatterUsage Support

New

We are excited to announce improvements to our Deserialization of Untrusted Data (CWE-502) rule: it now reports every usage of BinaryFormatter. This update specifically targets the use of the BinaryFormatter class for serialization in C# and VB.NET applications.

The rule triggers the warning message: "The BinaryFormatter class was found to be in use. As per Microsoft recommendations, BinaryFormatter serialization is obsolete and should not be used". This aligns with Microsoft's guidance to discontinue obsolete serialization methods because of the security risks they carry.

This rule has been updated within the Snyk Code scanning processes and is available for immediate use. Customers may notice a modest increase in identified issues related to this rule when conducting new scans.
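As an added illustration (not Snyk's code and not the rule's implementation), the usage pattern the rule reports is shown next to the contract-based replacement Microsoft recommends; the SessionState type and SessionStore class are assumed for the example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical payload type used only for this example.
[Serializable]
public sealed class SessionState
{
    public string UserId { get; set; } = "";
    public DateTime IssuedAt { get; set; }
}

public static class SessionStore
{
    // What the CWE-502 rule now reports: BinaryFormatter lets the byte stream
    // decide which types get instantiated, so any stream from outside the
    // process (file, cache, network) is a deserialization sink. The compiler
    // already emits SYSLIB0011 here, and newer .NET versions throw
    // NotSupportedException at runtime unless the obsolete path is re-enabled.
#pragma warning disable SYSLIB0011
    public static SessionState LoadLegacy(Stream untrusted)
    {
        var formatter = new BinaryFormatter();
        return (SessionState)formatter.Deserialize(untrusted);
    }
#pragma warning restore SYSLIB0011

    // Replacement: a contract-based serializer only ever constructs the
    // declared target type, never a type named inside the payload.
    private static readonly JsonSerializerOptions Options = new()
    {
        MaxDepth = 8,                      // bound nesting to limit parser abuse
        PropertyNameCaseInsensitive = false,
    };

    public static SessionState Load(Stream untrusted)
    {
        var state = JsonSerializer.Deserialize<SessionState>(untrusted, Options)
                    ?? throw new InvalidDataException("empty payload");
        // Validate the contents too: swapping the serializer removes the
        // gadget-chain risk, not the need to distrust the values themselves.
        if (string.IsNullOrWhiteSpace(state.UserId))
            throw new InvalidDataException("UserId is required");
        return state;
    }

    public static byte[] Save(SessionState state) =>
        JsonSerializer.SerializeToUtf8Bytes(state, Options);
}
```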

Thank you for choosing Snyk Code to enhance the security and integrity of your software development. We are committed to continuously improving our tools to help you keep your code safe and efficient.


Ranko Cupovic | Principal Product Manager

AppRisk - Bring ServiceNow CMDB Data into AppRisk

New

We're pleased to share that Snyk AppRisk will allow customers to bring ServiceNow CMDB data into AppRisk as their application context information. You can now see the repo assets in AppRisk with the data from ServiceNow CMDB; this will make it easy for your AppSec team to manage their repo assets in AppRisk.

What is this feature about?

It lets customers connect ServiceNow CMDB and bring their application context into AppRisk, enriching repo assets with metadata from ServiceNow CMDB. This helps users manage their assets and create policies for them using CMDB metadata.

This feature, which enriches your repository assets, will be available in Snyk AppRisk Essentials and Snyk AppRisk Pro.

Please see our User Docs for more details, and contact your account team with any questions.

Deprecation notice for obsolete Snyk Images

Deprecated

We would like to share a deprecation plan for obsolete Snyk Images with our customers.

Snyk Images are published by Snyk covering a range of different software versions and operating systems in common usage. These images can be pulled from Docker Hub (snyk/snyk).

We have identified a list of Snyk Images which are built on software packages that are no longer supported by their upstream vendors. To ensure our customers stay secure, we will stop building images based on unsupported software, followed by a removal of these images from Docker Hub.

Here are the steps that we will take in the next four months:

  • Stop building Snyk Images that are listed here on the 10th of June 2024

  • Remove them from Docker Hub on the 12th of August 2024

Snyk strongly recommends that customers check this list and stop using the listed images, as they pose security risks. To transition away from these images, please follow the steps outlined here.

Snyk will be removing obsolete Snyk Images from Docker Hub on the 12th of August 2024. Customers who continue using Snyk Images that Snyk does not recommend will observe broken build pipelines or disruption to their integrated workflows after the 11th of August 2024.

For more information, please reach out to your account manager, or our support team.


Chintan Bellchambers

Deprecation notice for Snyk CLI Images

Deprecated

We would like to inform Snyk customers that Snyk CLI Images will be removed from Docker Hub on the 12th of August 2024. We advise customers to transition away from these images as a matter of urgency.

Snyk CLI Images are Docker images that bundle CLI binaries along with commonly used software versions and operating systems. In 2022, Snyk shared a deprecation notice on Docker Hub recommending that customers not use them. In October 2023, we also announced the decoupling of Snyk Orb and Snyk Scan from Snyk CLI Images.

Since these changes, Snyk strongly recommends that customers stop using these images for the following reasons:

  • These images contain software packages which are no longer supported by their upstream vendors

  • Unsupported packages pose security risks

  • Snyk stopped maintaining these images in October 2023

Snyk will be removing these deprecated images from Docker Hub on the 12th of August 2024. Customers who continue using Snyk CLI Images after the 11th of August 2024 will observe broken build pipelines or disruption to their integrated workflows. To transition away from these images, please follow the product documentation here to build your own custom images.

For more information, please reach out to your account manager, or our support team.


Chintan Bellchambers

Improved Import Logs and General Availability

Improved

After previewing the experience for over a year, we are pleased to announce the General Availability of our new and improved Import Logs page.

Along with this general availability, we are introducing further benefits to the Import Logs, including:

  1. Historical information on what was imported into your Snyk Organization

  2. Rich error information for several ecosystems – including Go, npm, .NET, Maven, and pip – supporting troubleshooting and remediation when an import fails

This is being rolled out incrementally and will show up in your Snyk Org over the next several days.

For more information, see the docs.


Steve Winton | Principal Product Manager

Introducing SLA Management & Featured Zero-Day Reports

New

We are thrilled to announce the addition of two new insightful reports to our growing list of reporting features: the SLA Management report and the Featured Zero-Day report.

Here's a quick overview of what you can expect from each:

  • SLA Management Report

    1. Monitor SLA compliance across orgs based on your own SLA policy

    2. Identify issues that will soon breach the SLA policy

    3. Prioritize issues based on SLA considerations

  • Featured Zero-Day Report

    1. Analyze the exposure to issues reported in a Zero-Day publication

    2. Prioritize issues of a specific Zero-Day publication

    3. Track the Zero-Day vulnerability eradication progress

These additions complement our existing suite of reports, further empowering AppSec practitioners and R&D leaders to make informed decisions, govern the AppSec program, and improve the enterprise's security posture.

To learn more about each report visit our product documentation.

Snyk Code Improvements: Support for LLM Sources

Improved

As adoption of LLM platforms like OpenAI and Gemini grows, so does the security risk associated with using them. We've added LLM sources to our ruleset, which means the taint vulnerabilities supported by Snyk Code will now be reported when untrusted data from an LLM reaches a sensitive function. This greatly expands our coverage of the fast-growing AI domain across all of our supported languages.

We are committed to enabling our customers to securely leverage cutting edge AI tools and libraries. Our analysts will continue to research this topic in detail, and we will periodically publish this research in our blog. You can read the latest post on code injection vulnerabilities in Python caused by Generative AI.

If you have any questions, or want a detailed list of LLM libraries added, please reach out to your account teams.


Ranko Cupovic | Principal Product Manager

Snyk AppRisk Pro now available

New

We're thrilled to announce that Snyk AppRisk Pro is now available. Snyk AppRisk Pro expands on Snyk AppRisk’s core capabilities of application discovery & visibility, security coverage management, and risk-based prioritization with the following new capabilities:

  • Application Analytics - a new data analytics capability offering AppSec teams a comprehensive overview of their AppSec program at a macro level, facilitating tracking, measurement, and reporting on program performance and risk KPIs.

  • Extended security coverage visibility - new integrations with Nightfall AI and GitGuardian extend visibility of Snyk AppRisk to secret detection tools for managing security coverage on your repositories.

  • Risk-based prioritization with runtime intelligence - integrations with leading security and observability solutions, as well as a new, eBPF-based Snyk runtime sensor, provide runtime context that enables security teams to prioritize what to fix first and to assess any gaps in Snyk Container coverage vs. running containers. These runtime data sources are in a closed beta.

To learn more, please reference our product documentation and reach out to your account team with any questions.


Chris Suen | Senior Director, Product Management

Filter through your audit logs more efficiently with the new GA REST version of the audit logs API, and api.access is now opt-in

New

We've made some great new improvements to our existing GA REST audit log API to help you filter and find the logs you need more efficiently:

  1. Filter over time - Previously, the smallest filterable unit was a single day, which made it hard to find specific events, especially for users who need to sift through millions of logs. Now, by expanding filtering options to larger time periods and reducing the minimum granularity to 1-second ranges, customers can broaden their search while pinpointing crucial audit events such as security breaches, or gather evidence for external audits.

  2. Exclude events - some users have millions of audit logs produced every day, so they need the ability to exclude certain events to reduce the noise they have to sift through. The API already supports excluding events, but only 1 include or exclude event could be provided; we've improved this by allowing multiple include and exclude events.

For more information, check out the API documentation, and we hope you update your version and enjoy these new improvements soon!

In addition, we are making the api.access endpoint opt-in for users, rather than returning its results automatically, due to feedback that api.access causes noise problems. We're actively working towards a proper audit event for actions.


Waleed Arshad | Senior Product Manager

Introducing Semantic Versioning, and Release Channels to Snyk CLI

New

We are pleased to introduce Semantic Versioning and Release Channels to Snyk CLI from v.1.1291.0 onwards. These changes will allow all Snyk customers to select a sustainable release cadence that works for them, and help optimize governance and compliance overhead for enterprise customers.

From v.1.1291.0 onwards, Snyk CLI follows three-part MAJOR.MINOR.PATCH notation; details are available in the product documentation.

We are introducing the following release channels:

preview: “pre-release” builds are deployed regularly, up to multiple times a day, and contain the latest changes.

  • Version Pattern: v{MAJOR}.{MINOR}.{PATCH}-preview

  • Cadence: Varying

  • Availability:

    • https://static.snyk.io/cli/preview/

    • https://static.snyk.io/fips/cli/preview/

rc: “release candidate” pre-releases are deployed at distinct points in time and contain a version of the CLI that is expected to be promoted to stable after additional testing.

  • Version Pattern: v{MAJOR}.{MINOR}.{PATCH}-rc

  • Cadence: every 8 weeks, 2 weeks before a stable release (hotfix releases possible)

  • Availability:

    • https://static.snyk.io/cli/rc/

    • https://static.snyk.io/fips/cli/rc/

stable: stable builds are deployed at distinct points in time after being additionally tested and considered stable.

  • Version Pattern: v{MAJOR}.{MINOR}.{PATCH}

  • Cadence: every 8 weeks, end of an even month (hotfix releases possible)

  • Availability:

    • https://github.com/snyk/cli/releases/

    • https://static.snyk.io/cli/stable/

    • https://static.snyk.io/fips/cli/stable/

    • npm

    • brew

    • scoop

    • Snyk-images

Existing Snyk CLI users and users of supported IDEs are opted into the stable channel by default. You can find more information on how to opt into a release channel of your choice in our product documentation.


Chintan Bellchambers