Product Updates

On Oct 23rd, we deployed an improvement that aligned our hardcoded secrets behavior for JavaScript and Java, causing an increase in CWE-547 (Hardcoded Secrets). Unfortunately the rule change made a larger impact than intended, resulting in reports of false positives. We have decided to roll back the deployment, and this will be pushed to production on Friday, Oct 27th.

Customers may have seen an increase in hardcoded secrets issues, specifically for CWE-547 in JavaScript and Java. Starting Monday, Oct 30th, the issues and any resulting false positives generated last week will be corrected.

If you have any questions, please reach out to your account teams.

We’re pleased to share that Snyk's SBOM Test APIs now support SPDX.

Software Package Data Exchange (SPDX) is part of The Linux Foundation® and described as "an open standard for communicating software bill of material information, including provenance, license, security, and other related information".

As a developer, you can now test SPDX 2.3 JSON documents for vulnerabilities. There is no need to specify this in your request, Snyk will automatically detect the SBOM format and test accordingly. This release adds to our existing support for CycloneDX — ensuring you can use both of the leading SBOM specifications.

As always, we’re excited to hear your feedback. Please reach out if you have any questions.

As a continued effort to help our users deliver secure code to production, we have decoupled Snyk Orb from the deprecated Snyk CLI Docker Images. Please note that these are breaking changes and require additional steps after an upgrade to Snyk Orb v2.0.0.

Your existing CircleCI setup will continue to function without interruption, as we are introducing these breaking changes following semantic release conventions. However, to benefit from future improvements to Snyk CLI, we strongly recommend that you upgrade Snyk Orb at your earliest convenience. A readme with code examples is here to help you get started.

Once upgraded, please make the following changes, which are breaking changes:

• remove the deprecated scan-iac job, an example of how it was used in previous versions <v2.0.0 is inline
  

  1description: >
  2  Use the Snyk orb inside a build job to scan a container image for known
  3  vulnerabilities
  4
  5usage:
  6  version: 2.1
  7
  8orbs:
  9    snyk: snyk/snyk@1.7.2
  10
  11  workflows:
  12    test:
  13      jobs:
  14        - snyk/scan-iac

• and, please switch to using snyk/scan instead, an example is inline
  

  1description: >
  2  Use the Snyk orb inside a build job to scan a container image for known
  3  vulnerabilities
  4
  5usage:
  6  version: 2.1
  7
  8  orbs:
  9    snyk: snyk/snyk@2.0.0
  10
  11  workflows:
  12    test:
  13      jobs:
  14        - snyk/scan:
  15            command: iac test

  To learn more about our CI/CD integrations, our product docs are here.

As a continued effort to help our users deliver secure code to production, we have decoupled Snyk Scan from the deprecated Snyk CLI Docker Images. Please note that these are breaking changes, and require additional steps after an upgrade to Snyk Scan v1.0.0.

Your existing Bitbucket setup will continue to function without interruption, as we are introducing these breaking changes following semantic release conventions. However, to benefit from future improvements to Snyk CLI, we strongly recommend that you upgrade Snyk Scan at your earliest convenience. A readme with code examples is here to help you get started.

Once upgraded, you are required to switch from using deprecated Snyk CLI base images to Snyk Images base images.

To do so, please

• update the LANGUAGE variable to use supported tags from Snyk Images,

• or, you can follow these instructions to build your own image.

To learn more about our CI/CD integrations, our product docs are here.

Starting October 26th, Snyk Code will begin the 3 month process of deprecating Python 2 language support. Further, we plan to End of Life (EOL) on January 23, 2024, where Python 2 support will be terminated. For context, Python 2 has been unsupported by Python.org since January 2020.

This means that no new development work and no new support tickets related to Python 2 will be processed. Existing Python 2 projects will continue to be scanned until EOL. After EOL, Python 2 findings will no longer appear in your results.

Note that support for Python 3 will not be affected and continue as usual.

If you are using Python 2, please reach out to your account teams.

We're pleased to share that scanning deployed Azure cloud environments is now GA for Snyk IaC customers on an enterprise plan. You can now secure your Azure infrastructure from code - with IaC template scanning for Azure Resource Manager(ARM) and Terraform - to the cloud.

Users can now:

• Onboard Azure subscriptions via API and UI, and scan and test Azure resources with our security rules

• Find and fix misconfigurations identified by Snyk in the org-wide Cloud issues UI, or in the REST API for issues

• View an inventory of Azure resources with the GET /cloud/resources endpoint

Please see our User Docs for more details, and contact your account team with any questions.

We're thrilled to share that our SBOM Test APIs now support a wider range of Open Source languages and ecosystems! Now you can test CycloneDX SBOM documents for vulnerabilities across the following purl types: cargo, cocoapods, composer, gem, golang, hex, maven, npm, nuget, pypi, swift, or generic for unmanaged C/C++.

We hope this milestone helps you adopt SBOMs within your developer workflows and expand testing coverage for a greater number of assets.

Please see our User Docs for more information and reach out if you have any questions.

We are pleased to announce that – going forward as of version 1.1230.0 – Snyk CLI natively supports Apple silicon. You are no longer required to manually install Apple’s Rosetta 2 before installing Snyk CLI.

For our Apple silicon users this means, whether you are installing directly – via any of our supported installation methods – or via an IDE plugin, the correct and latest Apple silicon build will be selected and installed on the system automatically.

With this improvement, our Apple silicon users will be able to

• experience a simplified Snyk CLI installation,

• and secure code without compromising on productivity, performance, or their compliance needs.

To get started with Snyk CLI, or for more information, please read the docs.

We are excited to announce the Beta release of the new Issues API REST endpoints, which unifies all Snyk issues (SCA, SAST, Cloud) across projects or orgs into one API call. The Unified Issues API approach offers several key benefits:

• Simplifies the user experience with one paginated API call across all projects or orgs

• Saves time by eliminating the need to stitch data across various calls and offering a consistent schema to parse responses with

• Highlights our commitment to building Snyk as a holistic security platform

The Beta version builds on the Experimental versions with the following new features:

• Stable UUIDs which will not change with releases of future versions thus minimizing breaking changes going forward

• New Risk Score and Factors allowing for assessing risk using broader issue, application and business context

• Increased performance profile with faster response times

Please check out the API docs for listing all issues by group, and by org.

Following the incident last Friday, October 6th, we’re temporarily rolling back PHP Interfile starting today as part of our mitigation strategy. For customers with PHP code, you may see a decreased number of results.

We recognize the importance of PHP Interfile and are actively working towards a solution.

We don’t have a confirmed timeline yet, but will provide updates once the situation stabilizes.

Please reach out with any questions.