Product Updates


Expanded ecosystem coverage for SBOM Test APIs

Early access

We're thrilled to share that our SBOM Test APIs now support a wider range of Open Source languages and ecosystems! Now you can test CycloneDX SBOM documents for vulnerabilities across the following purl types: cargo, cocoapods, composer, gem, golang, hex, maven, npm, nuget, pypi, swift, or generic for unmanaged C/C++.

We hope this milestone helps you adopt SBOMs within your developer workflows and expand testing coverage for a greater number of assets.

Please see our User Docs for more information and reach out if you have any questions.


Ryan Searle | Product Director

Native support for Apple silicon in Snyk CLI

New

We are pleased to announce that – going forward as of version 1.1230.0 – Snyk CLI natively supports Apple silicon. You are no longer required to manually install Apple’s Rosetta 2 before installing Snyk CLI.

For Apple silicon users this means that, whether you install directly (via any of our supported installation methods) or via an IDE plugin, the correct and latest Apple silicon build is selected and installed on the system automatically.

With this improvement, our Apple silicon users will be able to

  • experience a simplified Snyk CLI installation, and

  • secure code without compromising on productivity, performance, or their compliance needs.

To get started with Snyk CLI, or for more information, please read the docs.


Chintan Bellchambers

The New REST Issues API is now in Beta!

Early access

We are excited to announce the Beta release of the new Issues API REST endpoints, which unify all Snyk issues (SCA, SAST, Cloud) across projects or orgs into one API call. The Unified Issues API approach offers several key benefits:

  • Simplifies the user experience with one paginated API call across all projects or orgs

  • Saves time by eliminating the need to stitch data across various calls and offering a consistent schema to parse responses with

  • Highlights our commitment to building Snyk as a holistic security platform

The Beta version builds on the Experimental versions with the following new features:

  • Stable UUIDs, which will not change with releases of future versions, thus minimizing breaking changes going forward

  • New Risk Score and Factors allowing for assessing risk using broader issue, application and business context

  • Increased performance profile with faster response times

Please check out the API docs for listing all issues by group, and by org.


Ranko Cupovic | Principal Product Manager

Snyk Code Rollback: PHP Interfile

Fix

Following the incident last Friday, October 6th, we’re temporarily rolling back PHP Interfile starting today as part of our mitigation strategy. Customers with PHP code may see a decreased number of results.

We recognize the importance of PHP Interfile and are actively working towards a solution.

We don’t have a confirmed timeline yet, but will provide updates once the situation stabilizes.

Please reach out with any questions.

Scheduled brownouts for the List All Projects v1 API endpoint

New

We recently announced a plan to sunset the v1 List all projects API (from June 22nd 2023, with an end-of-life on December 22nd 2023) in favor of the REST List All Projects for an org API.

Starting from October, we will be scheduling brownouts, during which this endpoint is periodically removed for a scheduled period of time. Here is the schedule:

  • October 23rd for 1 hour starting at 12:00 UTC

  • November 16th for 2 hours starting at 06:00 UTC

  • December 6th for 4 hours starting 17:00 UTC

During these time windows, the API will return 410 Gone for all requests.

Please refer to this guide to move all your automations over to replacement endpoints. If you require further support during this period, please raise a support ticket.


Waleed Arshad | Senior Product Manager

Upcoming High Severity Vulnerability in curl and libcurl

New

curl is a popular command-line tool for transferring data using various network protocols. curl is used almost ubiquitously and is shipped with almost all Linux distributions.

The curl maintainer recently announced that on Oct 11, 2023, at around 6:00 UTC, a new version 8.4.0 of curl and libcurl will be released to address a High severity vulnerability, which has been assigned CVE-2023-38545.

In the maintainer’s own words:

This is probably the worst security problem found in curl in a long time.

Please follow updates and upgrade to the latest version once it is available.

While not all security data is currently available and the exact impact of this issue is still to be determined, the Snyk Security Team is monitoring for updates, will update the curl security advisory accordingly, and will share more information in the following blog post: High severity vulnerability found in libcurl and curl.

Additional options for Snyk SBOM CLI

Improved

We're pleased to share that the Snyk SBOM CLI Extension now supports additional options for working with Maven, npm, Gradle, Python, Yarn, and NuGet projects.

These will help you produce a more accurate CycloneDX or SPDX SBOM based on your project's configuration. These options are available in CLI version 1.1228.0 and beyond.

Please see our User Docs for more details.


Ryan Searle | Product Director

Open beta availability of Git repository cloning

Early access

Today, Snyk is pleased to announce open beta availability of Git repository cloning – a new, and more scalable way for Snyk to provide code security and code quality improvements via SCM integrations – helping you develop fast and stay secure.

The open beta is rolling out to all customers, and across all of Snyk’s deployments in the coming days, and will be available – via Snyk Preview – for all SCM integrations (GitHub, GitHub Enterprise, GitLab, Bitbucket Server, Bitbucket Cloud App, Bitbucket Cloud (Legacy), and Azure Repos), and SCM “flows” (import, PR checks, recurring tests).

When enabled by a Snyk Organization administrator, these flows will be backed by a temporary and shallow Git clone of the repository contents, helping Snyk perform its security analyses more reliably and more accurately. This capability is of particular benefit to customers using SCM integrations at scale, as it protects against breaching SCM API rate and content limits, and it improves Snyk’s analysis of very large repos (sometimes referred to as “monorepos”) by surfacing previously unreachable contents.

Be on the lookout for this new capability, scheduled to land in your Snyk Organization in the coming days.

Meanwhile, you can read more in the docs.


Steve Winton | Principal Product Manager

Snyk Code Improvements: Java, Javascript, .NET (C#), Ruby, Python

Improved

Over the next two weeks, we will continue to enhance Snyk Code. As a result, the following improvements will be implemented:

  • Java: Improved support for Micronaut and added support for "unsafe reflection" vulnerabilities. Potential increase in issues, including issues affecting CWE-470

  • JavaScript: Added support for FS/Promise Node.js APIs and sanitizer alignment. Potential increase in issues

  • .NET (C#): Improved Type Sanitization. Potential decrease in issues

  • Python: Improvements to sanitizers. Potential decrease in issues

  • Ruby: Improved support for ActiveRecord. Potential increase in issues

  • All Languages: Improvement for Path Traversal Sanitizers. Potential decrease in issues affecting CWE-22

If you have any questions, please reach out to your account teams.

Expansion of Malicious Packages Coverage

Improved

We're pleased to announce a significant expansion of the Snyk Vulnerability Database's coverage of malicious packages.

Following our work to mitigate software supply chain attacks, we've added thousands of new malicious packages to the Snyk Vulnerability Database.

As a result, you may notice new Critical severity issues categorized as CWE-506 during your project scans if the newly added malicious packages are detected.

Malicious packages represent a rising threat in software supply chain attacks. We recommend visiting our user documentation to stay informed about this crucial security aspect. Here, you can learn more about what malicious packages are, how Snyk detects them, and the recommended actions to take when encountering malicious package issues in your projects.

Neha Shenoy | Senior Product Manager