This repository has been archived by the owner on Jun 13, 2019. It is now read-only.

Add snyk.io to pipeline? #1

Closed
guypod opened this issue Mar 2, 2016 · 11 comments

Comments

@guypod

guypod commented Mar 2, 2016

A bit of a shameless plug, as I work on Snyk, but I believe it fits.
Snyk works off an open source vuln DB (https://github.com/Snyk/vulndb), and includes patches (typically reduced & back-ported versions of the original fix), that make remediation very actionable.

@guypod
Author

guypod commented Mar 2, 2016

A couple of sample Snyk results on Groupon projects (though typically you'll run Snyk from the CLI):

https://snyk.io/test/github/groupon/nlm
https://snyk.io/test/github/groupon/report-card
https://snyk.io/test/github/groupon/DotCi

@10dot
Contributor

10dot commented Mar 2, 2016

Definitely interested! Two questions:

  • I don't see anything in the docs re: output formatting or in the command line help... does Snyk have an easy way to output JSON or XML? It's not a show stopper if not, it'll just make things easier.
  • What differentiates Snyk from retire.js/nodesecurity, the remediation (which is very interesting, fwiw)?

@guypod
Author

guypod commented Mar 2, 2016

Great!

Re json, you can specify a --json argument to 'snyk test' to get json output. Good point on it missing from the docs, we'll fix that.

Re difference, the main delta is remediation. That said, the tools operate a bit differently. There are a handful of issues in our DB that aren't in nodesecurity (our DB is at https://github.com/Snyk/vulndb), and we've encountered various packages where we reported issues while they did not.

@10dot
Contributor

10dot commented Mar 2, 2016

It's on the list for pipeline now; I'll get it added probably next week and update codeburner as soon as the new gem is published.

Thanks for the submission!

@10dot
Contributor

10dot commented Mar 10, 2016

I started working on this integration today, unfortunately I hit a snag.

I ran snyk against about a dozen different javascript apps, some of which have known vulns caught by nodesecurity or retire. I have yet to get snyk to report a single result, unfortunately. I even tried it against the snyk-demo-app I found reference to with no luck.

I'm running npm 3.3.3 and node 0.12.7 if it helps...

@guypod
Author

guypod commented Mar 10, 2016

One thought: do you run Snyk.io after running npm install?

When you run snyk locally, it tests the set of packages actually deployed. The npm install logic is pretty complicated, especially when you factor in deduplication and shrinkwrap, so we determined it's best to test what is actually deployed. I believe nsp doesn't work that way (making it mis-report or totally miss some issues).

Can you try running it after npm install and see if you're getting the issues as expected?

@10dot
Contributor

10dot commented Mar 10, 2016

Aha, got it! That's the same logic as retirejs, so I totally get it/agree... you might want to add that as another notch in the documentation belt, though, since I didn't see it mentioned anywhere :)

I've got some decent data now, and I already added a hook to specify a custom npm-registry in pipeline for our retirejs support (which does an npm install --no-scripts before it runs in pipeline) so this should work fine.

Thanks for the quick reply!
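The two comments above describe the snag (snyk tests the installed node_modules tree, so running it before npm install yields no findings) and the pipeline hook (npm install without scripts, optionally against a custom registry). The following is an added example of a pipeline step that enforces that prerequisite; it is not code from the pipeline or codeburner projects, and it assumes `npm` and `snyk` are on PATH, that an optional `NPM_REGISTRY` variable names a private registry, and that `snyk test` exits non-zero when it finds issues.

```shell
#!/bin/sh
# Added example, not project code: run Snyk only against an installed dependency
# tree, so an empty scan is reported as an error rather than as "no vulnerabilities".
set -eu

# Return 0 when DIR has at least one package under node_modules, 1 otherwise.
# This is what separates "no findings" from "nothing was actually scanned".
has_installed_tree() {
    dir=$1
    [ -d "$dir/node_modules" ] || return 1
    for entry in "$dir"/node_modules/*; do
        [ -e "$entry" ] && return 0
    done
    return 1
}

# Install dependencies without running lifecycle scripts (package install hooks
# should not execute on the scanner host), optionally from a private registry.
# NPM_REGISTRY is an assumed variable name for this example.
install_deps() {
    dir=$1
    if [ -n "${NPM_REGISTRY:-}" ]; then
        (cd "$dir" && npm install --ignore-scripts --registry "$NPM_REGISTRY")
    else
        (cd "$dir" && npm install --ignore-scripts)
    fi
}

# Scan DIR and write the JSON report to OUT. Returns 2 when there is nothing
# scannable; a vulnerable result is reported but does not abort the step here,
# so the caller decides whether findings fail the build.
scan_project() {
    dir=$1
    out=$2
    [ -f "$dir/package.json" ] || { echo "no package.json in $dir" >&2; return 2; }
    has_installed_tree "$dir" || install_deps "$dir"
    has_installed_tree "$dir" || { echo "npm install left no packages in $dir" >&2; return 2; }
    # Assumption: snyk test exits non-zero when it finds issues.
    if (cd "$dir" && snyk test --json > "$out"); then
        echo "snyk: no known vulnerabilities in $dir"
    else
        echo "snyk: issues found in $dir, see $out"
    fi
}
```

Call `scan_project ./app ./snyk.json` from the pipeline step; the JSON report is what the `--json` flag mentioned earlier produces.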

@10dot
Contributor

10dot commented Mar 16, 2016

FYI this is done, I'm just waiting to finish 1 more (big) feature for pipeline before I submit the PR/add it to codeburner proper.

FWIW the Markdown details actually look pretty nice in the codeburner interface after an html conversion ;)

@guypod
Author

guypod commented Mar 16, 2016

Awesome - will test it out a bit later!

@10dot
Contributor

10dot commented Mar 21, 2016

Fixed in pipeline: OWASP/glue#28

Once that's merged I'll update codeburner and Snyk support will be in.

@10dot
Contributor

10dot commented Apr 21, 2016

This all finally made it into today's release, Snyk is fully supported now.

@10dot 10dot closed this as completed Apr 21, 2016