Product Updates


CVE and NVD CVSS Score Enhancements - Upcoming Data Changes

New

On November 14th, Snyk will roll out a change that broadens the granularity of Snyk Open Source vulnerabilities to support the CVSS vectors assigned by NVD, in order to support additional compliance workflows.

Background on Snyk IDs and CVE IDs:

For each new vulnerability, Snyk assigns a unique Snyk Identifier (SNYK-ID) and a CVSS vector (which translates to a score and severity).

This allows Snyk:

  • To publish new vulnerabilities faster, even before they have an officially assigned CVE ID.

  • To represent the issue in a single, specific package, therefore providing highly accurate information. A CVE ID, on the other hand, represents the vulnerability as a whole security issue and can be associated with multiple affected packages.


In rare cases, Snyk’s Security Analysts assign multiple CVE IDs to one SNYK-ID. This happens in cases where there is very high similarity or duplicates between multiple CVEs.

Details about the change:

Starting November 14th, cases with multiple CVEs and different NVD CVSS vectors will be separated into multiple advisories (multiple Snyk-IDs), one per CVE. These cases amount to less than 0.6% of Snyk’s vulnerabilities.

This will provide customers with increased vulnerability granularity and ensure compatibility with NVD-provided CVSS vectors.

Snyk’s hand-curated CVSS is recommended for accurate and timely analysis, while NVD CVSS is useful for compliance-based needs, like FedRAMP reports.

To create a report of the vulnerabilities with the NVD CVSS Score: Click on Reports → Modify Columns → and select NVD Severity and NVD Score.

Important notes:

  • The number of issues you see might increase. This is due to the change in issue representation to consider NVD CVSS vectors as an independent issue factor.

  • After this change, in the rare cases in which multiple CVE IDs are associated with one SNYK-ID, the NVD CVSS vector provided will be relevant for both CVE IDs. A retest, a manual test, or a scheduled scan for monitored Projects, is needed to see the changes.

  • Although the overall number of issues (Snyk Open Source) might increase due to the broadening of the granularity to include NVD and CVSS vectors, these issues can be solved with the same fix.

  • If a new advisory was created from an ignored issue, it will still appear in the Project. If not relevant, the new issue will need to be ignored as well. This is because the new advisory has a different NVD CVSS score, and Snyk cannot assume it is irrelevant to your Project.

  • The Snyk CVSS will remain similar between the advisories.

  • The related CVE, which the advisory was separated from, will be included in the advisory details.

Snyk Open Source Improvements: Fixability filters

Improved

Snyk has now made it easier to determine what issues have a fix available and what issues Snyk can potentially help you fix!

When you're analyzing the issues in your project, in addition to our existing fixability filter, we've now introduced a new feature that allows you to identify security issues with a known fix in general, irrespective of whether we can directly assist you.

This enhancement gives you a comprehensive view of potential vulnerabilities and their solutions, enabling you to make more informed decisions about your security posture, while we continuously work on supporting more ecosystems and fixes.

Try our new "Fixed In" Available filter in the Projects Dashboard and be on top of your issues! You can read more about it here.

Snyk Code Improvements: Java, Kotlin, Scala

Improved

Over the next two weeks, we continue to enhance Snyk Code. As a result, we will be making the following improvements:

  • Java: Adding equality sanitizers to support equality checks. Potential decrease in all issues

  • Java, Kotlin, Scala: Adding support for Open Redirect URL sanitizers. Potential decrease in CWE-601 issues

If you have any questions, please reach out to your account teams.

Snyk Code Improvements: C#, PHP, Python, VB.NET

Improved

Over the next two weeks, we continue to enhance Snyk Code. As a result, we will be making the following improvements:

  • PHP: Improving sanitizers by adding support for PHP8 Type declarations. Potential decrease in issues

  • Python: Improving sanitizers. Potential decrease in issues

  • VB.NET: Improving coverage for customer applications. Potential increase in issues

If you have any questions, please reach out to your account teams.

Snyk Code Rollback: Hardcoded Secrets Improvement

Fix

On Oct 23rd, we deployed an improvement that aligned our hardcoded secrets behavior for JavaScript and Java, causing an increase in CWE-547 (Hardcoded Secrets). Unfortunately, the rule change had a larger impact than intended, resulting in reports of false positives. We have decided to roll back the deployment, and this will be pushed to production on Friday, Oct 27th.

Customers may have seen an increase in hardcoded secrets issues, specifically for CWE-547 in JavaScript and Java. Starting Monday, Oct 30th, the issues and any resulting false positives generated last week will be corrected.

If you have any questions, please reach out to your account teams.

Support for SPDX in SBOM Test APIs Beta

Early access

We’re pleased to share that Snyk's SBOM Test APIs now support SPDX.

Software Package Data Exchange (SPDX) is part of The Linux Foundation® and is described as "an open standard for communicating software bill of material information, including provenance, license, security, and other related information".

As a developer, you can now test SPDX 2.3 JSON documents for vulnerabilities. There is no need to specify the format in your request; Snyk will automatically detect the SBOM format and test accordingly. This release adds to our existing support for CycloneDX, ensuring you can use both of the leading SBOM specifications.

As always, we’re excited to hear your feedback. Please reach out if you have any questions.


Ryan Searle | Product Director
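As an added example (not Snyk's code and not its actual detection logic), a small Python parser that tells an SPDX 2.3 JSON document from a CycloneDX one by their own header fields and normalises both into the (name, version, purl) tuples a test would be run over. Both SBOM documents are constructed minimal samples, and the "example-app" name and namespace are placeholders.

```python
import json

# Constructed minimal SPDX 2.3 JSON document (not a real project SBOM).
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app", "documentNamespace": "https://example.invalid/sbom/example-app",
    "packages": [
        {"name": "lodash", "SPDXID": "SPDXRef-Package-lodash", "versionInfo": "4.17.20",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
        {"name": "example-app", "SPDXID": "SPDXRef-Package-app", "versionInfo": "1.0.0"},
    ],
})

# Constructed minimal CycloneDX 1.4 JSON document for comparison.
CDX_DOC = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [{"type": "library", "name": "lodash", "version": "4.17.20",
                    "purl": "pkg:npm/lodash@4.17.20"}],
})

def detect_format(doc):
    """Return 'spdx' or 'cyclonedx' from the document's own header fields, or raise,
    so the caller never has to declare the format up front (my heuristic, not Snyk's)."""
    if doc.get("spdxVersion", "").startswith("SPDX-") and "SPDXID" in doc:
        return "spdx"
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    raise ValueError("not a recognised SBOM document")

def components(raw):
    """Parse either format and return (format, [(name, version, purl), ...]); packages
    without a purl are kept so the caller can see what will not be matchable."""
    doc = json.loads(raw)
    fmt = detect_format(doc)
    out = []
    if fmt == "spdx":
        for pkg in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            out.append((pkg["name"], pkg.get("versionInfo"), purl))
    else:
        for c in doc.get("components", []):
            out.append((c["name"], c.get("version"), c.get("purl")))
    return fmt, out
```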

Decoupling Snyk Orb from Snyk CLI Docker Images

Improved

As part of our continued effort to help our users deliver secure code to production, we have decoupled Snyk Orb from the deprecated Snyk CLI Docker Images. Please note that these are breaking changes and require additional steps after an upgrade to Snyk Orb v2.0.0.

Your existing CircleCI setup will continue to function without interruption, as we are introducing these breaking changes following semantic release conventions. However, to benefit from future improvements to Snyk CLI, we strongly recommend that you upgrade Snyk Orb at your earliest convenience. A readme with code examples is here to help you get started.

Once upgraded, please make the following changes, which are breaking changes:

  • remove the deprecated scan-iac job; an example of how it was used in previous versions (<v2.0.0) is inline:

    description: >
      Use the Snyk orb inside a build job to scan a container image for known
      vulnerabilities

    usage:
      version: 2.1

      orbs:
        snyk: snyk/snyk@1.7.2

      workflows:
        test:
          jobs:
            - snyk/scan-iac
  • switch to using snyk/scan instead; an example is inline:

    description: >
      Use the Snyk orb inside a build job to scan a container image for known
      vulnerabilities

    usage:
      version: 2.1

      orbs:
        snyk: snyk/snyk@2.0.0

      workflows:
        test:
          jobs:
            - snyk/scan:
                command: iac test

To learn more about our CI/CD integrations, our product docs are here.


Chintan Bellchambers

Decoupling Snyk Scan from Snyk CLI Docker Images

Improved

As part of our continued effort to help our users deliver secure code to production, we have decoupled Snyk Scan from the deprecated Snyk CLI Docker Images. Please note that these are breaking changes and require additional steps after an upgrade to Snyk Scan v1.0.0.

Your existing Bitbucket setup will continue to function without interruption, as we are introducing these breaking changes following semantic release conventions. However, to benefit from future improvements to Snyk CLI, we strongly recommend that you upgrade Snyk Scan at your earliest convenience. A readme with code examples is here to help you get started.

Once upgraded, you are required to switch from using deprecated Snyk CLI base images to Snyk Images base images.

To do so, please

To learn more about our CI/CD integrations, our product docs are here.


Chintan Bellchambers

Snyk Code: Python 2 Deprecation of Support

Deprecated

Starting October 26th, Snyk Code will begin the 3-month process of deprecating Python 2 language support, with End of Life (EOL) planned for January 23, 2024, when Python 2 support will be terminated. For context, Python 2 has been unsupported by Python.org since January 2020.

This means that no new development work and no new support tickets related to Python 2 will be processed. Existing Python 2 projects will continue to be scanned until EOL. After EOL, Python 2 findings will no longer appear in your results.

Note that support for Python 3 will not be affected and will continue as usual.

If you are using Python 2, please reach out to your account teams.

Azure cloud environment scanning is now GA (Snyk IaC)

General availability

We're pleased to share that scanning deployed Azure cloud environments is now GA for Snyk IaC customers on an enterprise plan. You can now secure your Azure infrastructure from code, with IaC template scanning for Azure Resource Manager (ARM) and Terraform, to the cloud.

Users can now:

  • Onboard Azure subscriptions via API and UI, and scan and test Azure resources with our security rules

  • Find and fix misconfigurations identified by Snyk in the org-wide Cloud issues UI, or in the REST API for issues

  • View an inventory of Azure resources with the GET /cloud/resources endpoint

Please see our User Docs for more details, and contact your account team with any questions.