Product Updates

EPSS & JIRA Data in Snyk Reporting

New

New data is now available in Snyk Reports.

Exploitability probability

Use EPSS to bring a more holistic risk assessment into your prioritization calculations.

Supported columns:

  • EPSS Score - The probability of exploitation in the wild in the next 30 days.

  • EPSS Percentile - The proportion of all vulnerabilities with the same or lower EPSS score.

Jira issues attachments

Gain a new level of visibility into Snyk’s Jira integration (not including Snyk’s Jira App). Find issues in priority order that have no Jira issue assigned, or use Jira issue keys to surface the related Snyk issues.

Supported columns:

  • Has Jira Issue(s) Assigned - Displays true when at least one Jira issue is assigned, otherwise displays false.

  • Latest Jira Issue - The latest attached Jira issue key with a link to the issue card in the project page.

  • Jira Issues List - A list of all the attached Jira issue keys.

Learn more about:

  • Setting up Jira integration within Snyk here

  • What is EPSS here

  • The available columns in Snyk Issues Detail Report here

Reach out to your account team for any questions.

Improved security prioritization with CVSS version 4.0

New

We’re happy to announce the introduction of the latest version of CVSS - version 4.0.

Starting today, and in accordance with the latest official CVSS version published by FIRST.org, new vulnerabilities will be assigned hand-curated CVSS v4.0 vectors by Snyk’s team of Security Analysts.

All new advisories identified by Snyk Open Source will carry both CVSS v4.0 and CVSS v3.1 severity assessments. For these new advisories, the provided CVSS v4.0 vector and score will determine the issue's default severity. The current severity of existing issues in your projects will not change.

In addition to basing the severity of new issues on CVSS v4.0, Snyk will gradually expose the new vector metrics in the various product workflows.

The new default evaluation using CVSS v4.0 will improve the prioritization workflow and risk assessment, enabling you to focus on the most emerging threats.

For more information about CVSS v4.0's specifications, please refer to the blog post: What’s new in CVSS 4.0.

A list of CVSS advisories, with a toggle to choose between CVSS 4.0 and CVSS 3.1

Snyk Apps UI

New

Snyk Apps are a way to help you integrate Snyk into your workflows, platforms, and tools. As you install more Snyk Apps, you’ll need to be able to observe and manage them easily. You can find out a number of key pieces of information about your Apps through the Snyk Apps API, including:

  • Which Snyk Apps have been installed

  • When each was installed

To improve security, you can also revoke Snyk Apps through the API to reduce the number of connections you have exposed. However, we’re aware that not everyone uses the API, and that some management actions are more convenient through the UI.

We’re pleased to announce that the next iteration in the Snyk Apps story is to bring all of these management capabilities to the Snyk UI.

A list of authorized Snyk apps. It shows the name of the app, and when it was installed. There is a Revoke button for each app.

If you want to read more about Snyk Apps and the new management UI, please visit the user documentation.

Important update on Snyk Images: Obsolete software packages

Deprecated

This is a follow-up to the previous announcement about Snyk Images containing obsolete software.

Obsolete Snyk Images listed here are being discontinued. Snyk customers must stop using them and build their own images following Snyk's documentation.

Snyk is no longer building a subset of Snyk Images: As of 10th June 2024, Snyk has stopped building obsolete images. These images contained software packages that are no longer supported by upstream vendors.

Snyk will not build, maintain, or deploy this subset of Snyk Images and they will be removed from Docker Hub on the 12th of August 2024.

Action required: Users of these images must replace them by 11th August 2024 to avoid disruption to their CI/CD workflows. This subset is no longer maintained and could be vulnerable to security risks.

Snyk recommends building custom images that meet your needs. Instructions are available here. Alternatively, you can use the latest version of base images listed here.

Chintan Bellchambers

API Changelogs are now GA!

New

Snyk regularly delivers REST API improvements and changes that can be very beneficial. However, given the frequency of delivery, it can be difficult to keep track of these changes at a glance, which means you might be missing out on key improvements or potentially breaking changes.

With this in mind, we’re pleased to announce that we have created and exposed a changelog for our API. This changelog will outline which REST endpoints have been affected, what the change was, and whether it’s breaking. You can also look at the changes per version of the API.

Custom PR templates are now GA

New

We are excited to announce the GA release of the Custom PR templates feature, a stable and extensive solution for customizing the title, description, and commit message of PRs raised by Snyk.

The General Availability version delivers:

  • Customization of the PR at the repo level (via a YAML file upload) or at the Group level (via an API call)

  • Customization of PRs by type (Container PRs and Open Source PRs)

More details on the feature are available in our documentation.

A YAML file for a Snyk PR template with title, commitMessage, and description

Costin Busioc | Senior Product Manager

Snyk Code Improvements: BinaryFormatterUsage Support

New

We are excited to announce improvements to our Deserialization of Untrusted Data (CWE-502) rule: it now reports every usage of the BinaryFormatter class. This update specifically addresses the use of BinaryFormatter in serialization processes in C# and VB.NET applications.

The rule triggers the warning message: "The BinaryFormatter class was found to be in use. As per Microsoft recommendations, BinaryFormatter serialization is obsolete and should not be used". This is aligned with Microsoft's guidance to discontinue obsolete serialization methods because of the security risks they carry.

This rule has been updated within the Snyk Code scanning processes and is available for immediate use. Customers may notice a modest increase in identified issues related to this rule when conducting new scans.
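As an added illustration (not Snyk's code or part of the original announcement), the snippet below shows the kind of C# usage the updated rule reports, next to a replacement that does not let the payload choose which types get instantiated. The `Order` type and the method names are assumed for the example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Constructed sample type for the example.
[Serializable]
public class Order
{
    public int Id { get; set; }
    public string Item { get; set; } = "";
}

public static class OrderCodec
{
    // Pattern the updated CWE-502 rule reports: BinaryFormatter deserializing
    // bytes that may come from outside the process (request body, queue, file).
    // The payload itself names the types to instantiate, which is why Microsoft
    // marks the API obsolete (SYSLIB0011) and Snyk Code now flags every use.
    public static Order LoadLegacy(byte[] untrusted)
    {
        var formatter = new BinaryFormatter();      // flagged by Snyk Code
        using var ms = new MemoryStream(untrusted);
#pragma warning disable SYSLIB0011
        return (Order)formatter.Deserialize(ms);    // payload-controlled type graph
#pragma warning restore SYSLIB0011
    }

    // Replacement: a contract-based serializer that only populates the public
    // properties of the type the caller asked for, never types named in the input.
    public static Order Load(byte[] untrusted)
    {
        return JsonSerializer.Deserialize<Order>(untrusted)
               ?? throw new InvalidDataException("payload did not contain an Order");
    }

    public static byte[] Save(Order order) => JsonSerializer.SerializeToUtf8Bytes(order);
}
```

Once `LoadLegacy` is removed, the remaining code no longer references `BinaryFormatter`, so the rule has nothing left to report on this path.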

Thank you for choosing Snyk Code to enhance the security and integrity of your software development. We are committed to continuously improving our tools to help you keep your code safe and efficient.

Ranko Cupovic | Principal Product Manager

AppRisk - Bring ServiceNow CMDB Data into AppRisk

New

We're pleased to share that Snyk AppRisk now allows customers to bring ServiceNow CMDB data into AppRisk as their application context information. You can now see repo assets in AppRisk enriched with data from ServiceNow CMDB, which makes it easier for your AppSec team to manage their repo assets in AppRisk.

What is this feature about?

Customers can connect ServiceNow CMDB to bring their application context into AppRisk. Repo assets are enriched with metadata from ServiceNow CMDB, which helps users manage their assets and create policies for them based on CMDB metadata.

This feature, which enriches your repository assets, will be available for Snyk AppRisk Essentials and Snyk AppRisk Pro.

Please see our User Docs for more details, and contact your account team with any questions.

Deprecation notice for obsolete Snyk Images

Deprecated

We would like to share a deprecation plan for obsolete Snyk Images with our customers.

Snyk Images are published by Snyk covering a range of different software versions and operating systems in common usage. These images can be pulled from Docker Hub snyk/snyk.

We have identified a list of Snyk Images which are built on software packages that are no longer supported by their upstream vendors. To ensure our customers stay secure, we will stop building images based on unsupported software, followed by a removal of these images from Docker Hub.

Here are the steps that we will take in the next four months:

  • Stop building Snyk Images that are listed here on the 10th of June 2024

  • Remove them from Docker Hub on the 12th of August 2024

Snyk strongly recommends that customers check this list and stop using the listed images, as they pose security risks. To transition away from these images, please follow the steps outlined here.

Snyk will be removing obsolete Snyk Images from Docker Hub on the 12th of August 2024. Customers who continue using Snyk Images that Snyk does not recommend will observe broken build pipelines or disruption to their integrated workflows after the 11th of August 2024.

For more information, please reach out to your account manager, or our support team.

Chintan Bellchambers

Deprecation notice for Snyk CLI Images

Deprecated

We would like to inform Snyk customers that Snyk CLI Images will be removed from Docker Hub on the 12th of August 2024. We advise customers to transition away from these images as a matter of urgency.

Snyk CLI Images are Docker images that bundle CLI binaries along with commonly used software versions and operating systems. In 2022, Snyk shared a deprecation notice on Docker Hub recommending that customers not use them. In October 2023, we also announced the decoupling of Snyk Orb and Snyk Scan from Snyk CLI Images.

Since these changes, Snyk strongly recommends that customers stop using these images for the following reasons:

  • These images contain software packages which are no longer supported by their upstream vendors

  • Unsupported packages pose security risks

  • Snyk stopped maintaining these images in October 2023

Snyk will be removing these deprecated images from Docker Hub on the 12th of August 2024. Customers who continue using Snyk CLI Images after the 11th of August 2024 will observe broken build pipelines or disruption to their integrated workflows. To transition away from these images, please follow the product documentation here to build your own custom images.

For more information, please reach out to your account manager, or our support team.

Chintan Bellchambers