Product Updates

As a continued effort to help our users deliver secure code to production, we have decoupled Snyk Orb from the deprecated Snyk CLI Docker Images. Please note that these are breaking changes and require additional steps after an upgrade to Snyk Orb v2.0.0.

Your existing CircleCI setup will continue to function without interruption, as we are introducing these breaking changes following semantic release conventions. However, to benefit from future improvements to Snyk CLI, we strongly recommend that you upgrade Snyk Orb at your earliest convenience. A readme with code examples is here to help you get started.

Once upgraded, please make the following changes, which are breaking changes:

• remove the deprecated scan-iac job, an example of how it was used in previous versions <v2.0.0 is inline
  

  1description: >
  2  Use the Snyk orb inside a build job to scan a container image for known
  3  vulnerabilities
  4
  5usage:
  6  version: 2.1
  7
  8orbs:
  9    snyk: snyk/snyk@1.7.2
  10
  11  workflows:
  12    test:
  13      jobs:
  14        - snyk/scan-iac

• and, please switch to using snyk/scan instead, an example is inline
  

  1description: >
  2  Use the Snyk orb inside a build job to scan a container image for known
  3  vulnerabilities
  4
  5usage:
  6  version: 2.1
  7
  8  orbs:
  9    snyk: snyk/snyk@2.0.0
  10
  11  workflows:
  12    test:
  13      jobs:
  14        - snyk/scan:
  15            command: iac test

  To learn more about our CI/CD integrations, our product docs are here.

As a continued effort to help our users deliver secure code to production, we have decoupled Snyk Scan from the deprecated Snyk CLI Docker Images. Please note that these are breaking changes, and require additional steps after an upgrade to Snyk Scan v1.0.0.

Your existing Bitbucket setup will continue to function without interruption, as we are introducing these breaking changes following semantic release conventions. However, to benefit from future improvements to Snyk CLI, we strongly recommend that you upgrade Snyk Scan at your earliest convenience. A readme with code examples is here to help you get started.

Once upgraded, you are required to switch from using deprecated Snyk CLI base images to Snyk Images base images.

To do so, please

• update the LANGUAGE variable to use supported tags from Snyk Images,

• or, you can follow these instructions to build your own image.

To learn more about our CI/CD integrations, our product docs are here.

Starting October 26th, Snyk Code will begin the 3 month process of deprecating Python 2 language support. Further, we plan to End of Life (EOL) on January 23, 2024, where Python 2 support will be terminated. For context, Python 2 has been unsupported by Python.org since January 2020.

This means that no new development work and no new support tickets related to Python 2 will be processed. Existing Python 2 projects will continue to be scanned until EOL. After EOL, Python 2 findings will no longer appear in your results.

Note that support for Python 3 will not be affected and continue as usual.

If you are using Python 2, please reach out to your account teams.

We're pleased to share that scanning deployed Azure cloud environments is now GA for Snyk IaC customers on an enterprise plan. You can now secure your Azure infrastructure from code - with IaC template scanning for Azure Resource Manager(ARM) and Terraform - to the cloud.

Users can now:

• Onboard Azure subscriptions via API and UI, and scan and test Azure resources with our security rules

• Find and fix misconfigurations identified by Snyk in the org-wide Cloud issues UI, or in the REST API for issues

• View an inventory of Azure resources with the GET /cloud/resources endpoint

Please see our User Docs for more details, and contact your account team with any questions.

We're thrilled to share that our SBOM Test APIs now support a wider range of Open Source languages and ecosystems! Now you can test CycloneDX SBOM documents for vulnerabilities across the following purl types: cargo, cocoapods, composer, gem, golang, hex, maven, npm, nuget, pypi, swift, or generic for unmanaged C/C++.

We hope this milestone helps you adopt SBOMs within your developer workflows and expand testing coverage for a greater number of assets.

Please see our User Docs for more information and reach out if you have any questions.

We are pleased to announce that – going forward as of version 1.1230.0 – Snyk CLI natively supports Apple silicon. You are no longer required to manually install Apple’s Rosetta 2 before installing Snyk CLI.

For our Apple silicon users this means, whether you are installing directly – via any of our supported installation methods – or via an IDE plugin, the correct and latest Apple silicon build will be selected and installed on the system automatically.

With this improvement, our Apple silicon users will be able to

• experience a simplified Snyk CLI installation,

• and secure code without compromising on productivity, performance, or their compliance needs.

To get started with Snyk CLI, or for more information, please read the docs.

We are excited to announce the Beta release of the new Issues API REST endpoints, which unifies all Snyk issues (SCA, SAST, Cloud) across projects or orgs into one API call. The Unified Issues API approach offers several key benefits:

• Simplifies the user experience with one paginated API call across all projects or orgs

• Saves time by eliminating the need to stitch data across various calls and offering a consistent schema to parse responses with

• Highlights our commitment to building Snyk as a holistic security platform

The Beta version builds on the Experimental versions with the following new features:

• Stable UUIDs which will not change with releases of future versions thus minimizing breaking changes going forward

• New Risk Score and Factors allowing for assessing risk using broader issue, application and business context

• Increased performance profile with faster response times

Please check out the API docs for listing all issues by group, and by org.

Following the incident last Friday, October 6th, we’re temporarily rolling back PHP Interfile starting today as part of our mitigation strategy. For customers with PHP code, you may see a decreased number of results.

We recognize the importance of PHP Interfile and are actively working towards a solution.

We don’t have a confirmed timeline yet, but will provide updates once the situation stabilizes.

Please reach out with any questions.

We recently announced a plan to sunset the v1 List all projects API (from June 22nd 2023, with an end-of-life on December 22nd 2023) in favor of the REST List All Projects for an org API.

Starting from October, we will be scheduling brownouts where we will be periodically removing this endpoint for a scheduled period of time. Here is the schedule:

• October 23rd for 1 hour starting at 12:00 UTC

• November 16th for 2 hours starting at 06:00 UTC

• December 6th for 4 hours starting 17:00 UTC

During these time windows, the API will return 410 Gone for all requests. If you require further support during this period, please raise a support ticket.

Please refer to this guide to move all your automations over to replacement endpoints. If you require further support during this period, please raise a support ticket.

curl is a popular command-line tool for transferring data using various network protocols. curl is used almost ubiquitously, and shipped with almost all Linux distributions.

The curl maintainer announced recently that on Oct 11, 2023, at around 6:00 UTC, a new version 8.4.0 of curl and libcurl will be released, to address a High severity vulnerability, which is assigned to CVE-2023-38545.

In the maintainer’s own words:

This is probably the worst security problem found in curl in a long time.

Please be advised to follow updates and upgrade to the latest version once available.

While not all security data is currently available, and the exact impact of this issue is still to be determined, Snyk Security Team is monitoring for updates, will update the curl security advisory accordingly, and will share more information in the following blog post: High severity vulnerability found in libcurl and curl.