DependencyTrack · nscuro · Oct 21, 2022 · Oct 17, 2022 · Oct 17, 2022 · Oct 19, 2022
diff --git a/src/assets/scss/_custom.scss b/src/assets/scss/_custom.scss
@@ -92,6 +92,10 @@
   background-color: #AFE4BF;
   border: 1px solid #73D08F;
 }
+.label-source-snyk {
+  background-color: #afd2e4;
+  border: 1px solid #73c1d0;
+}
 .label-source-vulndb {
   background-color: #FFC78B;
   border: 1px solid #FE9536;

diff --git a/src/i18n/locales/en.json b/src/i18n/locales/en.json
@@ -151,6 +151,7 @@
     "cvss_attack_vector": "Attack Vector",
     "cvss_access_complexity": "Access Complexity",
     "cvss_attack_complexity": "Attack Complexity",
+    "cvss_source": "Select source priority for CVSS",
     "cvss_privileges_required": "Privileges Required",
     "cvss_user_interaction": "User Interaction",
     "cvss_required": "Required",
@@ -395,6 +396,7 @@
     "internal_analyzer": "Internal",
     "oss_index": "Sonatype OSS Index",
     "vulndb": "VulnDB",
+    "snyk": "Snyk (Beta)",
     "vuln_sources": "Vulnerability Sources",
     "nvd": "NVD",
     "national_vulnerability_database": "National Vulnerability Database",
@@ -459,6 +461,9 @@
     "analyzer_ossindex_desc": "OSS Index is a service provided by Sonatype which identifies vulnerabilities in third-party components. Dependency-Track integrates natively with the OSS Index service to provide highly accurate results. Use of this analyzer requires a valid PackageURL for the components being analyzed.",
     "analyzer_vulndb_enable": "Enable VulnDB analyzer",
     "analyzer_vulndb_desc": "VulnDB is a commercial service from Risk Based Security which identifies vulnerabilities in third-party components. Dependency-Track integrates natively with the VulnDB service to provide highly accurate results. Use of this analyzer requires a valid CPE for the components being analyzed.",
+    "analyzer_snyk_enable": "Enable Snyk analyzer",
+    "analyzer_snyk_desc": "New Snyk API allows users to query vulnerabilities for specific packages using purl.",
+    "analyzer_snyk_why_multiple_cvss": "Why are there multiple CVSS Scores for the same vulnerability?",
     "vulnsource_nvd_enable": "Enable National Vulnerability Database mirroring",
     "vulnsource_nvd_desc": "The National Vulnerability Database (NVD) is the largest publicly available source of vulnerability intelligence. It is maintained by a group within the National Institute of Standards and Technology (NIST) and builds upon the work of MITRE and others. Vulnerabilities in the NVD are called Common Vulnerabilities and Exposures (CVE). There are over 100,000 CVEs documented in the NVD spanning from the 1990’s to the present.",
     "vulnsource_nvd_feeds_url": "NVD Feeds URL",
@@ -467,8 +472,12 @@
     "vulnsource_osv_advisories_enable": "Select ecosystem to enable Google OSV Advisory mirroring",
     "vulnsource_osv_advisories_desc": "Google OSV is a distributed vulnerability and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source. It serves as an aggregator of vulnerability databases that have adopted the OpenSSF Vulnerability format.",
     "vulnsource_osv_base_url": "OSV Base URL",
+    "select_ecosystem": "Select Ecosystems",
     "registered_email_address": "Registered email address",
     "api_token": "API token",
+    "org_id": "Organization ID",
+    "api_version": "API Version",
+    "api_version_warning": "Warning: Changing default version may break the integration. Refer the documentation.",
     "consumer_key": "Consumer key",
     "consumer_secret": "Consumer secret",
     "personal_access_token": "Personal Access Token",

diff --git a/src/shared/common.js b/src/shared/common.js
@@ -108,6 +108,8 @@ $common.formatAnalyzerLabel = function formatAnalyzerLabel(analyzer, vulnSource,
         analyzerUrl = "https://github.com/advisories/" + vulnId;
       } else if(vulnSource === "OSV") {
         analyzerUrl = "https://osv.dev/vulnerability/" + vulnId;
+      } else if(vulnSource === "SNYK") {
+        analyzerUrl = "https://security.snyk.io/vuln/" + vulnId;
       }
       break;
     case 'OSSINDEX_ANALYZER':
@@ -118,6 +120,10 @@ $common.formatAnalyzerLabel = function formatAnalyzerLabel(analyzer, vulnSource,
       analyzerLabel = "VulnDB";
       analyzerUrl = "https://vulndb.cyberriskanalytics.com/vulnerabilities/" + vulnId;
       break;
+    case 'SNYK_ANALYZER':
+      analyzerLabel = "Snyk";
+      analyzerUrl = "https://security.snyk.io/vuln/" + vulnId;
+      break;
   }
   if (analyzerUrl) {
     analyzerLabel = `<a href="${analyzerUrl}" target="_blank">${analyzerLabel} <i class="fa fa-external-link"></i></a>`;

diff --git a/src/views/administration/AdminMenu.vue b/src/views/administration/AdminMenu.vue
@@ -85,6 +85,11 @@
                 component: "VulnDbAnalyzer",
                 name: this.$t('admin.vulndb'),
                 href: "#scannerVulnDbTab"
+              },
+              {
+                component: "SnykAnalyzer",
+                name: this.$t('admin.snyk'),
+                href: "#scannerSnykTab"
               }
             ]
           },

diff --git a/src/views/administration/Administration.vue b/src/views/administration/Administration.vue
@@ -28,6 +28,7 @@
   import InternalAnalyzer from "./analyzers/InternalAnalyzer";
   import OssIndexAnalyzer from "./analyzers/OssIndexAnalyzer";
   import VulnDbAnalyzer from "./analyzers/VulnDbAnalyzer";
+  import SnykAnalyzer from "./analyzers/SnykAnalyzer";
   // Vulnerability sources
   import VulnSourceNvd from "./vuln-sources/VulnSourceNvd";
   import VulnSourceGitHubAdvisories from "./vuln-sources/VulnSourceGitHubAdvisories";
@@ -63,7 +64,7 @@
       EventBus,
       AdminMenu,
       General, BomFormats, Email, InternalComponents, TaskScheduler,
-      InternalAnalyzer, OssIndexAnalyzer, VulnDbAnalyzer,
+      InternalAnalyzer, OssIndexAnalyzer, VulnDbAnalyzer, SnykAnalyzer,
       VulnSourceNvd, VulnSourceGitHubAdvisories, VulnSourceOSVAdvisories,
       Cargo, Composer, Gem, GoModules, Hex, Maven, Npm, Nuget, Python,
       Alerts, Templates,

diff --git a/src/views/administration/analyzers/SnykAnalyzer.vue b/src/views/administration/analyzers/SnykAnalyzer.vue
@@ -0,0 +1,128 @@
+<template>
+    <b-card no-body :header="header">
+      <b-card-body>
+        <c-switch id="scannerEnabled" color="primary" v-model="scannerEnabled" label v-bind="labelIcon" />{{$t('admin.analyzer_snyk_enable')}}
+        <hr/>
+        <b-validated-input-group-form-input
+          id="snyk-baseUrl"
+          :label="$t('admin.base_url')"
+          input-group-size="mb-3"
+          rules="required"
+          v-model="baseUrl"
+          lazy="true"
+        />
+        <b-validated-input-group-form-input
+          id="snyk-orgId"
+          :label="$t('admin.org_id')"
+          input-group-size="mb-3"
+          rules="required"
+          v-model="orgId"
+          lazy="true"
+        />
+        <b-validated-input-group-form-input
+          id="snyk-apitoken"
+          :label="$t('admin.api_token')"
+          input-group-size="mb-3"
+          rules="required"
+          type="password"
+          v-model="apitoken"
+          lazy="true"
+        />
+        <b-validated-input-group-form-input
+          id="snyk-apiVersion"
+          :label="$t('admin.api_version')"
+          input-group-size="mb-3"
+          rules="required"
+          v-model="apiVersion"
+          lazy="true"
+        />
+        <i>{{ $t('admin.api_version_warning') }}</i>
+        <b-row style="margin-top:2rem;">
+          <b-col sm="6">
+            <b-form-group :label="$t('message.cvss_source')" v-slot="{ cvssSource }">
+              <b-form-radio-group v-model="cvssSourceSelected" :options="cvssOptions"
+                                  :aria-describedby="cvssSource" name="radios-btn-default"
+                                  v-on:change="generateCvssV2Vector" button-variant="outline-primary"
+                                  class="cvss-calc cvss-calc-3-btn" buttons />
+            </b-form-group>
+          </b-col>
+        </b-row>
+        <a :href="apiDocUrl">{{$t('admin.analyzer_snyk_why_multiple_cvss')}}</a>
+        <hr/>
+        {{ $t('admin.analyzer_snyk_desc') }}
+      </b-card-body>
+      <b-card-footer>
+        <b-button variant="outline-primary" class="px-4" @click="saveChanges">{{ $t('message.update') }}</b-button>
+      </b-card-footer>
+    </b-card>
+  </template>
+
+  <script>
+    import { Switch as cSwitch } from '@coreui/vue';
+    import BValidatedInputGroupFormInput from '../../../forms/BValidatedInputGroupFormInput';
+    import common from "../../../shared/common";
+    import configPropertyMixin from "../mixins/configPropertyMixin";
+    export default {
+      mixins: [configPropertyMixin],
+      props: {
+        header: String
+      },
+      components: {
+        cSwitch,
+        BValidatedInputGroupFormInput
+      },
+      data() {
+        return {
+          scannerEnabled: false,
+          apitoken: '',
+          apiVersion: '',
+          baseUrl: '',
+          orgId: '',
+          cvssOptions: [
+            'NVD',
+            'SNYK'
+          ],
+          cvssSourceSelected: '',
+          apiDocUrl: 'https://docs.snyk.io/features/fixing-and-prioritizing-issues/issue-management/severity-levels#understanding-snyks-vulnerability-analysis',
+          labelIcon: {
+            dataOn: '\u2713',
+            dataOff: '\u2715'
+          },
+        }
+      },
+      methods: {
+        saveChanges: function() {
+          this.updateConfigProperties([
+            {groupName: 'scanner', propertyName: 'snyk.enabled', propertyValue: this.scannerEnabled},
+            {groupName: 'scanner', propertyName: 'snyk.api.token', propertyValue: this.apitoken},
+            {groupName: 'scanner', propertyName: 'snyk.org.id', propertyValue: this.orgId},
+            {groupName: 'scanner', propertyName: 'snyk.base.url', propertyValue: this.baseUrl},
+            {groupName: 'scanner', propertyName: 'snyk.cvss.source', propertyValue: this.cvssSourceSelected},
+            {groupName: 'scanner', propertyName: 'snyk.api.version', propertyValue: this.apiVersion}
+          ]);
+        }
+      },
+      created () {
+        this.axios.get(this.configUrl).then((response) => {
+          let configItems = response.data.filter(function (item) { return item.groupName === "scanner" });
+          for (let i=0; i<configItems.length; i++) {
+            let item = configItems[i];
+            switch (item.propertyName) {
+              case "snyk.enabled":
+                this.scannerEnabled = common.toBoolean(item.propertyValue); break;
+              case "snyk.api.token":
+                this.apitoken = item.propertyValue; break;
+              case "snyk.org.id":
+              this.orgId = item.propertyValue; break;
+              case "snyk.base.url":
+                this.baseUrl = item.propertyValue; break;
+              case "snyk.cvss.source":
+                this.cvssSourceSelected = item.propertyValue; break;
+              case "snyk.api.version":
+                this.apiVersion = item.propertyValue; break;
+            }
+          }
+        });
+      }
+    }
+  </script>
diff --git a/src/views/portfolio/vulnerabilities/Vulnerability.vue b/src/views/portfolio/vulnerabilities/Vulnerability.vue
@@ -174,6 +174,8 @@
             return "Sonatype OSS Index";
           case 'VULNDB':
             return "VulnDB (Risk Based Security)";
+          case 'SNYK':
+            return "Snyk";
           default:
             return "";
         }