Announcing Snyk for .NET, Go and PHP

Aner Mazur

The holiday season is around the corner, and we thought, why not give a modest gift of our own to Snyk’s growing community?

Snyk has always been committed to making it easy to use open-source code without compromising security. Today, we’re taking another leap forward and launching CLI support for .NET, Go and PHP!

The CLI gives you the flexibility to test your applications manually or at key steps in your CI process. It looks through your dependency tree to identify each dependency in use and its version, before testing them all. Source code management integrations will follow soon.

So, take a few minutes (it won’t take more), and secure your apps.

Quick Start

First, install or upgrade Snyk to the latest version and authenticate:

npm install -g snyk
snyk auth

Snyk resolves the full dependency tree from the modules installed locally, so make sure they are already present before you run a test:

For .NET, check that the packages/ (.NET) or obj/ (.NET Core) folder has been populated via Visual Studio or dotnet restore.

For Go, check that vendor/ has been populated via dep ensure or govendor sync. In addition, the GOPATH environment variable must be set correctly.

For PHP, check that the composer.lock file has been created by composer install.

Then, browse to your project’s folder and test for vulnerabilities:

snyk test

This prints every vulnerability detected in the dependency tree, for example:

$ snyk test
✗ Medium severity vulnerability found on Microsoft.AspNetCore.All@2.0.0
- desc: Open Redirect
- info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCOREALL-600122
- from: dotnetcore@1.0.0 > Microsoft.AspNetCore.All@2.0.0

✗ Medium severity vulnerability found on Microsoft.AspNetCore.Server.HttpSys@2.0.0
- desc: Denial of Service (DoS)
- info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORESERVERHTTPSYS-600125
- from: dotnetcore@1.0.0 > Microsoft.AspNetCore.All@2.0.0 > Microsoft.AspNetCore.Server.HttpSys@2.0.0

✗ High severity vulnerability found on System.Net.Http@4.3.0
- desc: Privilege Escalation
- info: https://snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047
- from: dotnetcore@1.0.0 > System.Net.Http@4.3.0

To track a project for newly disclosed vulnerabilities through the Snyk UI, use the monitor command. You can use both snyk test and snyk monitor in your CI environments to bake security into your deployment pipeline.

snyk monitor
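The quick start above boils down to one CI step: confirm the dependency sources the CLI reads are present, run snyk test to fail the build on known vulnerabilities, then snyk monitor to snapshot the project. The script below is an added example and not part of the Snyk CLI; the function names and messages are its own, while the file and folder names are the ones listed above.

```shell
#!/bin/sh
# Added example (not part of the Snyk CLI): a pre-flight check that mirrors
# the prerequisites listed above, so a CI job fails fast with a clear reason
# instead of scanning an incomplete dependency tree. Prints the detected
# ecosystem on success; on failure prints the missing step to stderr.

snyk_preflight() {
  proj_dir="${1:-.}"

  # PHP: the CLI reads composer.lock, which 'composer install' writes.
  if [ -f "$proj_dir/composer.json" ]; then
    if [ -f "$proj_dir/composer.lock" ]; then echo "php"; return 0; fi
    echo "php: composer.lock missing, run 'composer install'" >&2; return 1
  fi

  # Go (dep or govendor): GOPATH must be set and vendor/ must hold more
  # than govendor's own vendor.json manifest.
  if [ -f "$proj_dir/Gopkg.toml" ] || [ -f "$proj_dir/vendor/vendor.json" ]; then
    if [ -z "$GOPATH" ]; then echo "go: GOPATH is not set" >&2; return 1; fi
    if ls -A "$proj_dir/vendor" 2>/dev/null | grep -qv '^vendor\.json$'; then
      echo "go"; return 0
    fi
    echo "go: vendor/ is empty, run 'dep ensure' or 'govendor sync'" >&2; return 1
  fi

  # Classic .NET: packages.config plus a populated packages/ folder.
  if [ -f "$proj_dir/packages.config" ]; then
    if [ -n "$(ls -A "$proj_dir/packages" 2>/dev/null)" ]; then echo "dotnet"; return 0; fi
    echo "dotnet: packages/ is empty, restore the packages in Visual Studio" >&2; return 1
  fi

  # .NET Core: a .csproj plus obj/project.assets.json from 'dotnet restore'.
  for csproj in "$proj_dir"/*.csproj; do
    [ -e "$csproj" ] || break
    if [ -f "$proj_dir/obj/project.assets.json" ]; then echo "dotnetcore"; return 0; fi
    echo "dotnetcore: obj/project.assets.json missing, run 'dotnet restore'" >&2; return 1
  done

  echo "no supported manifest found in $proj_dir" >&2
  return 1
}

# CI step: fail the build on known vulnerabilities, then snapshot the project
# with 'snyk monitor' so newly disclosed issues are reported later.
# Assumes the snyk CLI is installed and authenticated as shown above.
snyk_ci() {
  snyk_preflight "$1" >/dev/null || return 1
  (cd "$1" && snyk test && snyk monitor)
}
```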

Screenshot of a vulnerable PHP project in the Snyk dashboard

Securing Go

The Go ecosystem has a surprisingly large number of package managers, but it is starting to settle around dep, the "official experiment" package manager, with an increasing number of projects adopting it. Still, a noticeable share of the customers who volunteered for our Go alpha asked for govendor support as well, so the Snyk CLI supports both.

The Snyk CLI examines all of your imports, direct and transitive, and matches them against the locked versions recorded in your Gopkg.lock or vendor/vendor.json.

Stay tuned for a few follow-up posts dedicated to Go, sharing what we learned about the Go package ecosystem and the challenges we faced while building Go support into Snyk.

Securing .NET

We scan .NET and .NET Core projects, examining NuGet dependencies for known vulnerabilities. We process packages.config files for .NET projects, and obj/project.assets.json files for .NET Core projects.

We also support .sln files to automate your open source security across all projects in a solution.

As we built our .NET support, we were surprised by how important scanning .NET projects for open source vulnerabilities turns out to be: the default .NET Core v2 application depends on Microsoft.AspNetCore.All/2.0.0, which introduces over 10 vulnerabilities! So check your projects today.

Securing PHP

Snyk supports testing and monitoring PHP projects that have their dependencies managed by composer. We scan PHP projects by examining your composer.lock file to compare the specific versions of every direct and deep dependency in your project against our Composer vulnerability database.

Try it out!

We’ve been working hard on this launch, gathering feedback from our alpha users and making refinements along the way. We’re thrilled to now open the CLI up to everyone.

As always, Snyk is free for open-source use—no matter how many open-source projects you have. Open-source is a huge boon for development, and we’re happy to play our part in making it as secure as possible.

If you have any feedback, please let us know. We’re always eager to make Snyk even better. Likewise, if there are any languages or package managers that you would like Snyk to support, let us know which ones. Not only does it help us prioritize, but we love being able to give early access to developers eager to test and provide feedback.
