When building applications, especially ones that depend on open-source libraries, how does one know whether a library is reliable enough to use, and whether it has already patched serious security holes?

To answer those questions, I am going to introduce a tool that our project team has used to assess hundreds of product repositories for timely detection of serious security issues in those products. The tool in question is none other than Snyk.

Why Snyk?

  • Snyk supports vulnerability assessment in most programming languages, including Java, .NET, JavaScript, Python and more;
  • Snyk integrates easily with source control services such as GitHub, GitLab and Bitbucket, and with container registries such as ECR, GCR and Docker Hub;
  • Snyk integrates easily with CI tools such as Jenkins and CircleCI;
  • Snyk provides a UI for notifications of security issues and convenient management of products;
  • Snyk makes it easy to create pull requests and Jira tickets for reported issues;
  • Snyk re-assesses your projects on its own and notifies you when new security advisories are published;
  • And various other features that you can discover in the demo version available from the Snyk website: https://snyk.io/.

Is Snyk free?

Yes, Snyk is free: most of the features listed above are included in the free plan. Consider a paid plan if you need more. The full list of plans is at https://snyk.io/plans/#tabpanel-1.

Snyk CLI

Snyk can scan local repositories through the Snyk CLI, which is quite simple to use. Follow the steps below:

1. Install

First, install the Snyk CLI locally:

Notice: You need a Node.js environment to run the npm command; Node.js can be downloaded from https://nodejs.org/en/download/.

2. Log in

Snyk always requires you to log in first. This works with both free and paid accounts. Run this command:

Snyk then opens the default browser on your system so that you can log in. Log in as usual at https://snyk.io/.

A successful login shows a notification like the one below:

3. Test/Scan

You can now run a vulnerability assessment of the libraries your application uses. Change into the folder you want to scan and run the test command:

Notice: When you run this command, Snyk does not download the libraries configured for your project; it only uses what is already present in the environment where the command runs, so that it sees the final resolved versions of the configured libraries. Therefore, install dependencies, build, and so on before running the test command.

You will see a result like the following once the test completes:

Reading a Snyk report

1. Vulnerability Severity

You can read the severity of each issue from the labels [High Severity], [Medium Severity] and [Low Severity]. For [High Severity] issues, you should put a patching plan in place as soon as possible.

2. Type of issue

If an issue listed in the report, or the severity assigned to it, is unclear, follow the link Snyk provides in the report for more details.

Example:

Details regarding this issue can be found at https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226.

3. How to patch?

Snyk's report also gives you detailed information about the affected libraries, along with other relevant notes:

Look at the second line of the notice:

This means you are using the React library at version 15.4.2, which depends on fbjs version 0.8.17. That fbjs version in turn uses ua-parser-js@0.7.20, and this may be the version with the vulnerability reported by Snyk.

In the next line we have:

Snyk is telling you that the vulnerability was patched in the 0.7.22 version of ua-parser-js.

So, how do we patch? Obviously, what we need to do is not fix the libraries listed above ourselves, but rather update them to the newer versions that Snyk reported.

Don't forget this part, which was also on line 2:

This is the part nobody wants to see: it means the same issue is also present in 177 other libraries used by the application, quite a number, and patching and then testing them all will take a very long time.

Monitor

Local scanning only shows results for your development environment. To bring your project into Snyk's system, so that it scans for issues automatically and shares your reports with others, run this command:
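The whole workflow from the steps above, from the test command through reading the severity labels, the dependency chain that introduces the issue, the "other paths" count and the version the fix landed in, to the monitor step, as a small CI helper script. This is an added example, not code from the article or from Snyk: it runs the CLI with its `--json` flag, parses the result, refuses the build when any issue at or above a chosen severity is present, and only then pushes a snapshot with `snyk monitor`. The JSON field names are assumed from the CLI's output and should be checked against the version you run; the embedded report is a constructed sample so the script can be run offline without Snyk installed.

```python
"""Run `snyk test --json`, summarise the report, gate on severity, then monitor.

Added example, not code from the original article or from Snyk. Field names
(vulnerabilities[].id, severity, packageName, version, from, fixedIn) follow
the JSON that `snyk test --json` emits; treat the exact schema as an assumption.
"""
import json
import subprocess
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample shaped like `snyk test --json` output. The issue ids,
# titles and "example-lib" are placeholders, not real advisories.
def _vuln(vid, title, sev, pkg, ver, path, fixed):
    return {"id": vid, "title": title, "severity": sev, "packageName": pkg,
            "version": ver, "from": path, "fixedIn": fixed}

SAMPLE_REPORT = json.dumps({"ok": False, "vulnerabilities": [
    _vuln("SNYK-EXAMPLE-0001", "Regular Expression Denial of Service (ReDoS)", "high",
          "ua-parser-js", "0.7.20",
          ["my-app@1.0.0", "react@15.4.2", "fbjs@0.8.17", "ua-parser-js@0.7.20"], ["0.7.22"]),
    _vuln("SNYK-EXAMPLE-0001", "Regular Expression Denial of Service (ReDoS)", "high",
          "ua-parser-js", "0.7.20",  # same issue reached via a second dependency path
          ["my-app@1.0.0", "react-dom@15.4.2", "fbjs@0.8.17", "ua-parser-js@0.7.20"], ["0.7.22"]),
    _vuln("SNYK-EXAMPLE-0002", "Prototype Pollution", "medium", "example-lib", "1.2.3",
          ["my-app@1.0.0", "example-lib@1.2.3"], ["1.2.4"]),
]})

def parse_report(raw_json):
    """Return the vulnerability records from a `snyk test --json` document."""
    return json.loads(raw_json).get("vulnerabilities", [])

def summarise(vulns):
    """Collapse one record per dependency path into one entry per issue id,
    the way the text report prints a finding once plus 'and N other path(s)'."""
    issues = {}
    for v in vulns:
        entry = issues.setdefault(v["id"], {
            "title": v["title"],
            "severity": v["severity"],
            "package": f'{v["packageName"]}@{v["version"]}',
            "fixed_in": v.get("fixedIn", []),
            "paths": [],
        })
        entry["paths"].append(" > ".join(v["from"]))
    return issues

def gate(issues, threshold="high"):
    """Return (passed, blocking_ids); fail when any issue is at/above threshold."""
    floor = SEVERITY_RANK[threshold]
    blocking = sorted(i for i, e in issues.items()
                      if SEVERITY_RANK.get(e["severity"], 0) >= floor)
    return (not blocking, blocking)

def render(issues):
    """Format findings in the same [High Severity] ... style as the CLI report."""
    lines = []
    for vid, e in issues.items():
        extra = len(e["paths"]) - 1
        more = f" and {extra} other path(s)" if extra else ""
        fix = ", ".join(e["fixed_in"]) or "no fix available"
        lines.append(f'[{e["severity"].capitalize()} Severity] {e["title"]} '
                     f'in {e["package"]} ({vid})')
        lines.append(f'  introduced by {e["paths"][0]}{more}')
        lines.append(f'  fixed in: {fix}')
    return "\n".join(lines)

def run_snyk_test(project_dir):
    """Run `snyk test --json` in project_dir and return its stdout.

    Assumes `npm install -g snyk` and `snyk auth` were done and the project's
    dependencies are installed. Snyk exits 1 when it finds vulnerabilities,
    so only other non-zero exit codes are treated as errors here."""
    proc = subprocess.run(["snyk", "test", "--json"], cwd=project_dir,
                          capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"snyk test failed (exit {proc.returncode}): {proc.stderr}")
    return proc.stdout

if __name__ == "__main__":
    project = sys.argv[1] if len(sys.argv) > 1 else None
    raw = run_snyk_test(project) if project else SAMPLE_REPORT  # offline demo by default
    issues = summarise(parse_report(raw))
    print(render(issues))
    passed, blocking = gate(issues, "high")
    print("gate:", "PASS" if passed else f"FAIL on {blocking}")
    if passed and project:
        # Only snapshot a passing project into the Snyk UI for the rest of the team.
        subprocess.run(["snyk", "monitor"], cwd=project, check=True)
    sys.exit(0 if passed else 1)
```

Run it with no arguments to see the constructed sample summarised and the gate fail on the high-severity finding; pass a project directory to run the real CLI instead. Collapsing records by issue id matters in practice: the CLI emits one record per dependency path, so a single advisory reached through many paths (the "177 other" situation above) would otherwise inflate the count and hide that one upgrade of the direct dependency fixes them all.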

Snyk’s UI Report

After you send your results to Snyk, everyone on the team can see them in a rather friendly UI:

The free version is limited in features and quotas, so to enable further features such as Reports (illustrated in the image below), you must purchase a paid plan.

Conclusion

In this day and age, where cloud comes first, security is of the utmost importance for keeping your products safe for users.

Hopefully this article has introduced you to a new tool that will support your product development process, enable timely detection of vulnerabilities in your products, and help you build more secure solutions.

Tran Huu Lap – FPT Software
