Product Updates


GitHub Cloud App available in Open Beta

Early access

Today, Snyk is announcing the Open Beta availability of the GitHub Cloud app. The GitHub Cloud App represents a significant advancement over our current GitHub integrations, offering enhanced features such as role-based, granular access control, increased API rate limits, and serving as a foundation for expanded and enriched developer experiences.

After we make this generally available next year, our intention is that this app will replace the existing OAuth (aka "GitHub Enterprise") and PAT (aka "GitHub") based GitHub integrations on our platform.

The Open Beta kicks off with customers in the US-based instance (app.snyk.io) using GitHub Cloud, and supports a single GitHub Org for a Snyk Org. Over the next month, we are committed to further refining the Cloud app, introducing the following improvements:

  • In the upcoming month, we plan to extend support to EU and AU environments and enable a single GitHub Org to connect with multiple Snyk Orgs.

  • By the end of the year, we will extend this functionality to customers using GitHub Server (on-prem).

We encourage you to connect with your account teams to opt in, and refer to our User Docs for more detailed information. Please don't hesitate to reach out if you have any questions.


Mayank Khera | Senior Product Manager

Snyk Code: PR Checks Reliability Update

Improved

At Snyk Code we have been focused on improving the reliability of Snyk Code PR Checks. At the end of October we released an update to one of our most error-prone services, and we have seen major improvements in reliability: the service went from being involved in 50% of all errors to close to none. Today, we have rolled out this improvement to all environments.

For customers using Snyk Code PR Checks through the Snyk Broker:

  • Please update the Broker to version 4.168.4 or higher (we recommend going to the latest version).

  • If you are using a custom accept.json, update to the latest rules.

  • If you are using Bitbucket, please make sure you are using Bitbucket 7.0 or above.

We continue to improve the overall reliability and scalability of Snyk Code, and we will have more updates in the coming months. If you have any questions, please reach out to your account teams. Thank you.

Snyk Code: PHP Interfile Re-release

Fix

Over the past few weeks, we’ve been working to find the root cause and to update internal testing to ensure we identify these types of issues prior to production. As of today, we have turned on the first batch of rules for PHP interfile.

We are rolling out changes in how the analysis handles data flow which will result in significantly shorter and more accurate data flow in complex cases. From our testing, we expect this will change between 0.5-1% of issues across all languages.

After this step, pending positive internal testing, all the PHP interfile rules will be re-enabled over the next two weeks.

If you have any questions, please reach out to your account teams.

Removing friction when changing test frequency for Projects in the UI

Improved

Earlier this year, we migrated the ability to perform bulk actions in the Project Listing Page from the Usage page. Another bulk action which was available on the usage page was the "Change Test Frequency" functionality.

To remove friction where you'd have to jump between pages to perform bulk actions on Projects, we've migrated the Change Test Frequency functionality to the Project Listing Page.

For more information on the functionality, check out the user documentation.


Waleed Arshad | Senior Product Manager

Making Project Collections more discoverable and Target centric

Improved

In June, we announced the general availability of Project Collections. Since then, we've been gathering feedback on the feature's usability as we aim to go deeper on the experience with automatically created Project Collections.

Based on the feedback, we needed to improve the discoverability of the feature and the experience for users who work on the Target-level. Therefore, we've just released a couple of improvements to the existing functionality:

  1. Collections are now present in the Projects area as a standalone tab so that anyone can dive into them quickly and easily.

  2. You can see at a glance which Target a Project belongs to within a Collection as we have added a sortable Target column. In addition, we've enabled the ability to filter by Target within a Collection.

We'll be adding more usability improvements to the feature over time, so your feedback is valued. For more information, head to the user documentation.


Waleed Arshad | Senior Product Manager

Reminder: v1 List All Projects API end-of-life and upcoming brownouts

Deprecated

We announced on June 22nd that we will end-of-life the v1 List All Projects API on December 22nd. Alongside the announcement, we have shared a migration guide and have released enhancements to our GA REST APIs to help facilitate the migration. These APIs will provide more consistent versioning, pagination and caching, and improved performance for you.

In addition, we have two brownouts scheduled where we will be periodically removing this endpoint for a set period of time:

  • November 16th for 2 hours starting at 6:00 UTC

  • December 6th for 4 hours starting 17:00 UTC

During these windows, the API will return 410 Gone for all requests. If you require further support during these windows, please raise a support ticket. Review the migration guide below and move all your automations over before December 22, 2023!


Waleed Arshad | Senior Product Manager

CVE and NVD CVSS Score Enhancements - Upcoming Data Changes

New

On November 14th, Snyk will roll out a change that broadens the granularity of Snyk Open Source vulnerabilities to support CVSS vectors assigned by NVD, enabling additional compliance workflows.

Background on Snyk IDs and CVE IDs:

For each new vulnerability, Snyk assigns a unique Snyk Identifier (SNYK-ID) and a CVSS vector (which translates to a score and severity).

This allows Snyk:

  • To publish new vulnerabilities faster, even before they have an officially assigned CVE ID.

  • To represent the issue in a single, specific package, therefore providing highly accurate information.

A CVE ID, on the other hand, represents the vulnerability as a whole security issue and can be associated with multiple affected packages.

In rare cases, Snyk’s Security Analysts assign multiple CVE IDs to one SNYK-ID. This happens in cases where there is very high similarity or duplicates between multiple CVEs.

Details about the change:

Starting November 14th, cases with multiple CVEs and different NVD CVSS vectors will be separated into multiple advisories (multiple SNYK-IDs), one per CVE. These cases amount to less than 0.6% of Snyk’s vulnerabilities.

This will provide customers with increased vulnerability granularity and ensure compatibility with NVD-provided CVSS vectors.

Snyk’s hand-curated CVSS is recommended for accurate and timely analysis, while NVD CVSS is useful for compliance-based needs, like FedRAMP reports.

To create a report of the vulnerabilities with the NVD CVSS Score: Click on Reports → Modify Columns → and select NVD Severity and NVD Score.

Important notes:

  • The number of issues you see might increase. This is due to the change in issue representation to consider NVD CVSS vectors as an independent issue factor.

  • After this change, in the rare cases in which multiple CVE IDs are associated with one SNYK-ID, the NVD CVSS vector provided will be relevant for both CVE IDs. A retest, a manual test, or a scheduled scan for monitored Projects is needed to see the changes.

  • Although the overall number of issues (Snyk Open Source) might increase due to the broadening of the granularity to include NVD CVSS vectors, these issues can be solved with the same fix.

  • If a new advisory was created from an ignored issue, it will still appear in the Project. If not relevant, the new issue will need to be ignored as well. This is because the new advisory has a different NVD CVSS score, and Snyk cannot assume it is irrelevant to your Project.

  • The Snyk CVSS will remain similar between the advisories.

  • The related CVE, which the advisory was separated from, will be included in the advisory details.

Snyk Open Source Improvements: Fixability filters

Improved

Snyk has now made it easier to determine what issues have a fix available and what issues Snyk can potentially help you fix!

When you're analyzing the issues in your project, in addition to our existing fixability filter, we've now introduced a new feature that allows you to identify security issues with a known fix in general, irrespective of whether we can directly assist you.

This enhancement provides you with a comprehensive view of potential vulnerabilities and solutions, enabling you to make more informed decisions about your security posture while we continuously work on supporting more ecosystems and fixes.

Try our new "Fixed In" Available filter in the Projects Dashboard and be on top of your issues! You can read more about it here.

Snyk Code Improvements: Java, Kotlin, Scala

Improved

Over the next two weeks, we continue to enhance Snyk Code. As a result, we will be making the following improvements:

  • Java: Adding equality sanitizers to support equality checks. Potential decrease in all issues

  • Java, Kotlin, Scala: Adding support for Open Redirect URL sanitizers. Potential decrease in CWE-601 issues

If you have any questions, please reach out to your account teams.

Snyk Code Improvements: C#, PHP, Python, VB.NET

Improved

Over the next two weeks, we continue to enhance Snyk Code. As a result, we will be making the following improvements:

  • PHP: Improving sanitizers by adding support for PHP8 Type declarations. Potential decrease in issues

  • Python: Improving sanitizers. Potential decrease in issues

  • VB.NET: Improving coverage for customer applications. Potential increase in issues

If you have any questions, please reach out to your account teams.