A hands-on session to see how you can implement Snyk Code and Snyk Open Source early, to easily find and fix both security issues in their own proprietary code as well as known vulnerabilities in their open source dependencies, reducing risk and accelerate the software development.
- public GitHub account - http://github.com
- git CLI - https://git-scm.com/downloads
- snyk CLI - https://support.snyk.io/hc/en-us/articles/360003812538-Install-the-Snyk-CLI
- Registered account on Snyk App - http://app.snyk.io
In this hands-on workshop we will achieve the following:
Snyk Code steps
- Step 3 - Enable Snyk Code within Snyk App
- Step 4 - Add project to find Snyk Code Vulnerabilities
- Step 5 - Run a Snyk Code CLI Test
Snyk Open Source steps
Set up GitHub Actions to run Snyk Code and Snyk Open Source
- Step 9 - Retrieve the Snyk API token from Snyk App
- Step 10 - Add the Snyk API token into the GitHub repository secret
- Step 11 - Create the GitHub Actions workflow
NOTE: It is assumed your using a mac for these steps, but it should also work on Windows or linux with some modifications to the scripts potentially.
NOTE: You may have already forked the Juice-Shop application in that case go ahead and skip this step
Navigate to the following GitHub repo - https://github.com/juice-shop/juice-shop
NOTE: this repo comes from the project Juice Shop from OWASP
- Click on the "Fork" button
- Ensure you are forking this repo to your public GitHub account
- Click done
NOTE: You may have already setup GitHub integration in that case go ahead and skip this step
First we need to connect Snyk to GitHub so we can import our Repository. Do so by following these steps below:
- Login to http://app.snyk.io Sign up if you haven't already.
- Navigating to Integrations -> Source Control -> GitHub
- Fill in your Account Credentials to Connect your GitHub Account.
Snyk Code is developer-first, embedding SAST as part of the development process, enabling developers to build software securely during development, not trying to find and fix problems after the code is compiled. Snyk Code works in the IDEs and SCMs developers use to build and review software and provides fast, actionable, meaningful results to fix issues in real-time
- Click on the "Settings" button on the top most navigation bar as shown below
- Click on "Snyk Code", then enable it and click "Save Changes" as shown below
Now that Snyk is connected to your GitHub Account, import the Forked Repo "juice-shop" into Snyk as a Project.
- Navigate to Projects
- Click "Add Project" then select "GitHub"
- Click on the Repo you forked "juice-shop"
- Click "Add Selected Repositories"
- Once complete you should see a "Code Analysis" project as shown below
- Click on "Code Analysis" to view our SAST scan results
For each Vulnerability, Snyk displays the following:
- Each Vulnerability grouped by severity
- Each Vulnerability links to the CWE category code
- Each Vulnerability shows the CWE category name
- Displays the line of code where the security issue exists
- Description for the issue and the code file name it exists in
- A link to a Snyk Learn module on how to fix these type of vulnerabilities if available
- The ability to ignore issues you wish to remove from the list
- Click on the "Full Details" button as shown below
Snyk products all provide a developer-friendly experience, so Snyk Code helps developers to quickly understand the problem, learn the background, and how to approach it. Snyk Code helps you understand the dangerous code flow step-by-step. For every issue, Code also provides a link to the lines in the relevant files, to view more details on the problem like the CWE, and how to approach it.
- Click on "Fix Analysis" to see how you can fix the issue based on other open source project. On this page you get not just source code example fixes but also the following detailed information
- Details
- Types Of Attacks
- Affected Environments
- How to prevent
In addition to the Snyk App UI we also have, snyk - CLI a build-time tool to find & fix known vulnerabilities in open-source dependencies, IaC configuration files and SAST scans on the source code files itself (Snyk Code).
- Before we get started please make sure you have setup the Snyk CLI. There are various install options as per the links below. Using the prebuilt binaries means you don't have to install NPM to install the Snyk CLI.
- Install Page - https://support.snyk.io/hc/en-us/articles/360003812538-Install-the-Snyk-CLI
- Prebuilt Binaries - https://github.com/snyk/snyk/releases
Note: Please ensure you have the latest version of the Snyk CLI installed a version equal to or greater than the version below
$ snyk --version
1.801.0- Authorize the Snyk CLI with your account as follows
$ snyk auth
Now redirecting you to our auth page, go ahead and log in,
and once the auth is complete, return to this prompt and you'll
be ready to start using snyk.
If you can't wait use this url:
https://snyk.io/login?token=ff75a099-4a9f-4b3d-b75c-bf9847672e9c&utm_medium=cli&utm_source=cli&utm_campaign=cli&os=darwin&docker=false
Your account has been authenticated. Snyk is now ready to be used.- Clone your forked repository as shown below. You can use your own GitHub forked repo here instead of the one shown below if you like
$ git clone https://github.com/jiajunngjj/juice-shop
Cloning into 'juice-shop'...
remote: Enumerating objects: 94967, done.
remote: Counting objects: 100% (17/17), done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 94967 (delta 5), reused 13 (delta 4), pack-reused 94950
Receiving objects: 100% (94967/94967), 157.66 MiB | 10.35 MiB/s, done.
Resolving deltas: 100% (72676/72676), done.- Change to the "juice-shop" directory
$ cd juice-shop- At this point let's go ahead and run our first "snyk code test" as shown below
$ snyk code test
Testing /Users/jiajun/workspace/github/juice-shop ...
✗ [Low] Cleartext Transmission of Sensitive Information
Path: test/e2eSubfolder.js, line 7
Info: http (used in require) is an insecure protocol and should not be used in new code.
✗ [Low] Cleartext Transmission of Sensitive Information
Path: test/api/productReviewApiSpec.js, line 9
Info: http (used in require) is an insecure protocol and should not be used in new code.
...
✗ [High] Server-Side Request Forgery (SSRF)
Path: routes/profileImageUrlUpload.js, line 19
Info: Unsanitized input from the HTTP request body flows into request.get, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.
✗ [High] Server-Side Request Forgery (SSRF)
Path: frontend/src/app/Services/configuration.service.ts, line 111
Info: Unsanitized input from data from a remote resource flows into get, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.
✗ [High] Improper Neutralization of Directives in Statically Saved Code
Path: routes/userProfile.js, line 46
Info: Unsanitized input from cookies flows into pug.compile, where it is used to construct a template that gets rendered. This may result in a Server-Side Template Injection vulnerability.
✔ Test completed
Organization: jj.ng
Test type: Static code analysis
Project path: /Users/jiajun/workspace/github/juice-shop
267 Code issues found
28 [High] 86 [Medium] 153 [Low
Snyk Open Source is a Software Composition Analysis took which seamlessly and proactively finds, prioritizes and fixes vulnerabilities and license violations in open source dependencies
- Since Juice-Shop project had been imported in the Step 3, you should see multiple "package.json" projects as shown below.
- Click on the second "package.json" to view our Open Source scan results
First let's explore the Juice-Shop project risks by clicking on the "package.json" file which is the manifest file where the open source dependencies are declared.
Thenk go back on the Snyk WebUI and let's have a look at the vulnerabilities.
For each Vulnerability, Snyk displays the following ordered by our Proprietary Priority Score :
- The module that introduced it and, in the case of transitive dependencies, its direct dependency,
- Details on the path and proposed Remediation, as well as the specific vulnerable functions
- Overview
- Exploit maturity
- Links to CWE, CVE and CVSS Score
- Plus more ...
When using the GitHub integration, and if a fix is available, Snyk can automatically upgrade the vulnerable dependency to a non-vulnerable version through a Pull Request.
- Click on "Fix this vulnerability" for "Prototype Pollution" issue as shown below
- On the next screen, you'll be able to confirm the issue to fix with this PR. Click "Open a Fix PR"
- Once it's ready, you'll be taken to the PR in GitHub, where you can review the changes in the file diff view:
Snyk integrates with your preferred Git repository to scan your manifest files for any new code and potential vulnerabilities whenever you submit a pull request (PR), protecting the security of your code before you ever merge it with the main branch
- We see that CI checks completed successfully, assuring us we didn't introduce a breaking change
- Optionally now, go ahead and merge the PR!
- Back in Snyk we can appreciate that our package.json file has 1 less Critical Severity Vulnerability if you did fix it
In addition to the Snyk App UI we also have, snyk - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies. The CLI is what is used in DevOps pipelines to introduce Application Security Scans as part of that workflow to push applications into production.
- Before we get started please make sure you have setup the Snyk CLI. There are various install options as per the links below. Using the prebuilt binaries means you don't have to install NPM to install the Snyk CLI.
- Install Page - https://support.snyk.io/hc/en-us/articles/360003812538-Install-the-Snyk-CLI
- Prebuilt Binaries - https://github.com/snyk/snyk/releases
- In order to run a Snyk CLI test we must install the npm packages so if you have npm in your path you can install them as follows
Check your Node version:
$ node -vNote: If you're using Node version v14.x or v16.x or v18.x, you can proceed to the next step (npm install), else please set up Node version 14 (Juice-Shop supported compatibility)
For MacOS brew user:
$ brew install node@14
$ export PATH="/usr/local/opt/node@14/bin:$PATH"For Windows/Linux nvm user:
$ nvm install 14
$ nvm list
$ nvm use version-numberWith the right Node version, run:
$ npm installNote: If you don't have npm installed this you can skip this final step as a "snyk test" will not work without a package-lock.json file or the "node_modules" folder
- Once npm is installed run a Snyk CLI test as follows
❯ snyk test --all-projects
Testing /Users/jiajun/workspace/github/juice-shop...
Tested 898 dependencies for known issues, found 37 issues, 52 vulnerable paths.
Issues to fix by upgrading:
Upgrade concurrently@5.3.0 to concurrently@6.0.0 to fix
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@4.1.0
introduced by concurrently@5.3.0 > yargs@13.3.2 > string-width@3.1.0 > strip-ansi@5.2.0 > ansi-regex@4.1.0 and 8 other path(s)
Upgrade express-jwt@0.1.3 to express-jwt@6.0.0 to fix
✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://snyk.io/vuln/npm:moment:20170905] in moment@2.0.0
introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 > moment@2.0.0
...
✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-541000] in node-sass@4.14.1
introduced by node-sass@4.14.1
No upgrade or patch available
✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-541002] in node-sass@4.14.1
introduced by node-sass@4.14.1
No upgrade or patch available
License issues:
✗ GPL-3.0 license (new) [High Severity][https://snyk.io/vuln/snyk:lic:npm:qrious:GPL-3.0] in qrious@4.0.2
introduced by anuglar2-qrcode@2.0.9998 > qrious@4.0.2
Organization: workshop
Package manager: npm
Target file: frontend/package.json
Project name: frontend
Open source: no
Project path: /Users/jiajun/workspace/github/juice-shop
Licenses: enabled
Tip: Run `snyk wizard` to address these issues.
Tested 2 projects, 2 contained vulnerable paths.
Snyk integrates with your CI/CD pipelines to provide the ability to prevent critical vulnerabilities from going into production. Adequate security gates are essential in ensuring the appropriate quality is delivered in an automated fashion and nothing serious slips through by accident.
- Login to http://app.snyk.io
- Navigating to Settings -> Service Accounts
- Create a new service account, ghactions
- Assign the role, Org Admin
- Once created, copy the API token to clipboard.
- Navigate to your forked juice-shop repository
- Navigate to Settings
- Click on Secrets
- Click on Actions
- Click on New repository secret
- Use SNYK_TOKEN as the name of the secret
- Paste your Snyk API token from Step 10
- Click Add secret
- Navigate to your forked juice-shop repository
- Navigate to Actions
- Click on new workflow
- Click on Set up a workflow yourself
- Copy and paste the following to the main.yml:
name: "Snyk Code and Snyk Open Source Test"
on:
push:
branches:
- master
jobs:
Pipeline-Job:
# Configure Environment
name: 'Snyk Test'
runs-on: ubuntu-latest
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
steps:
# Checkout Code
- name: Checkout Code
uses: actions/checkout@v1
# Install and Authenticate to Snyk
- name: Install Snyk & Authenticate
run: |
sudo npm install -g snyk
echo ${SNYK_TOKEN}
snyk auth ${SNYK_TOKEN}
# Run Snyk Code
- name: Snyk Code test
run: |
snyk code test
continue-on-error: true
# Run Snyk Open Source
- name: Snyk Open Source test
run: |
snyk test
continue-on-error: true- Click on Start commit
- Click on Commit new file
Congratulations, you have completed. Thanks for attending and completing this workshop
JJ [jj.ng at snyk.io] is a Solution Engineer at Snyk APJ