Friday, 20 August 2021

Taking Snyk Code for Test Drive

Snyk Code is our newest addition to the Snyk platform. Snyk Code uses a revolutionary approach designed to be developer-first. Conventional Static Application Security Testing (SAST) tools are limited by lengthy scans times and poor accuracy, returning too many false positives, and eroding developer trust. Snyk Code makes developer efforts efficient and actionable.

In this short blog post let's take it for a test drive on a large Java Project.

Steps

1. You will need an account on Snyk App sign up for free at snyk.io

2. Once you have an account and are logged in go ahead and enable "Snyk Code" as follows


3. Clone the following GitHub repo as follows.

https://github.com/papicella/CWE-Juliet-TestSuite-Java

$ git clone https://github.com/papicella/CWE-Juliet-TestSuite-Java
Cloning into 'CWE-Juliet-TestSuite-Java'...
remote: Enumerating objects: 12964, done.
remote: Counting objects: 100% (12964/12964), done.
remote: Compressing objects: 100% (969/969), done.
remote: Total 12964 (delta 11931), reused 12964 (delta 11931), pack-reused 0
Receiving objects: 100% (12964/12964), 6.44 MiB | 6.04 MiB/s, done.
Resolving deltas: 100% (11931/11931), done.
Updating files: 100% (13095/13095), done.

4. Authenticate with "Snyk CLI" as shown below

Note: The following link will get the CLI installed for you

https://support.snyk.io/hc/en-us/articles/360003812538-Install-the-Snyk-CLI

$ snyk auth

5. Let's check the number of lines of code we scanning as follows. Here we are making sure we only scan Java Source files as that's all that exists in this repo in any case. Snyk Code supports other programming languages as well like Python, JavaScript etc.

$ cd CWE-Juliet-TestSuite-Java
$ find ./Java/src -name "*.java" -type f -exec wc -l {} \; | awk '{total += $1} END{print total}'
2,479,301

So we have close 2.5 million lines of code here of course that counts lines of empty space such as carriage returns BUT still that's lots of code to scan.

6. Run your "Snyk Code" Test as follows to see two things , how long the scan took and the number of results returned. From this we can see the scan and results took less then 2 minutes!

$ time snyk code test ./Java/src

....

 ✗ [High] SQL Injection
     Path: testcases/CWE89_SQL_Injection/s02/CWE89_SQL_Injection__getCookies_Servlet_execute_41.java, line 42
     Info: Unsanitized input from cookies flows into execute, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

 ✗ [High] SQL Injection
     Path: testcases/CWE89_SQL_Injection/s02/CWE89_SQL_Injection__getCookies_Servlet_execute_14.java, line 62
     Info: Unsanitized input from cookies flows into execute, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

 ✗ [High] SQL Injection
     Path: testcases/CWE89_SQL_Injection/s02/CWE89_SQL_Injection__getCookies_Servlet_execute_10.java, line 62
     Info: Unsanitized input from cookies flows into execute, where it is used in an SQL query. This may result in an SQL Injection vulnerability.


✔ Test completed

Organization:      undefined
Test type:         Static code analysis
Project path:      ./Java/src

3086 Code issues found
1491 [High]  1595 [Medium]


real 1m4.269s
user 0m45.630s
sys 0m7.182s

The following post shows some comparison data against other SAST engines and code repositories.

https://snyk.io/blog/sast-tools-speed-comparison-snyk-code-sonarqube-lgtm/

More Information

Snyk Code

Snyk Code is now available for free

No comments:

Post a Comment