Categories: Application Security, Ecosystems, Open Source

Snyk Open Source adds C/C++ security scanning for unmanaged dependencies

Michal Brutvan, April 5, 2022

We’re happy to announce the general availability of C/C++ security scanning in Snyk Open Source, enabling development and security teams to find and fix known security vulnerabilities in their C/C++ open source library dependencies.


No manifests

The C and C++ ecosystem is hard to navigate: there are many open source projects, repositories, and package managers to keep track of, and a great deal of library code is simply copied into a project tree with no manifest describing it. This release is our first step on the journey to supporting scans of such unmanaged code.

Unlike other solutions, the Snyk CLI does not need a manifest to resolve dependencies. It computes a digital signature (a hash) for each file and correlates those signatures with Snyk's database of known open source files to produce a list of matching components and versions. That list is then used to query the Snyk Vulnerability Database for known vulnerabilities. Since matching is by file hash, a file that has been patched locally no longer matches its upstream copy, so keep vendored libraries as close to pristine as you can if you want them identified.
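The matching step described above, as an added illustration of the technique (this is not Snyk's implementation and does not use Snyk's database): fingerprint every file in a tree, correlate the fingerprints with a catalog built from known open source releases, pick the release version that explains the most matched files, then query a vulnerability table for the identified versions. The libwidget and tinylog releases, the EXAMPLE-LIBWIDGET-0001 entry and the sample project are all constructed for the demo, and per-file SHA-256 is an assumption, since the post does not say which hash is used.

```python
"""Hash-based identification of unmanaged C/C++ dependencies (added example,
not Snyk's code).  Upstream releases, vulnerability table and project tree
are constructed inline so the script runs offline."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed upstream releases: (component, version) -> {relative path: contents}.
# A real catalog is built from the files of every published release.
UPSTREAM_RELEASES = {
    ("libwidget", "1.2.0"): {
        "widget.h": "int widget_parse(const char *s, int n);\n",
        "widget.c": '#include "widget.h"\nint widget_parse(const char *s, int n) { return n; }\n',
    },
    ("libwidget", "1.3.0"): {
        "widget.h": "int widget_parse(const char *s, int n);\n",  # unchanged between releases
        "widget.c": '#include "widget.h"\nint widget_parse(const char *s, int n) { return s && n > 0 ? n : 0; }\n',
    },
    ("tinylog", "0.4"): {"tinylog.c": "void tlog(const char *m) { (void)m; }\n"},
}

# Constructed vulnerability table; the identifier is a placeholder, not a real advisory.
VULN_DB = {
    ("libwidget", "1.2.0"): [("EXAMPLE-LIBWIDGET-0001", "High", "sample issue, fixed in 1.3.0")],
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_catalog(releases):
    """sha256 of file contents -> set of (component, version) shipping that exact file."""
    catalog = defaultdict(set)
    for (component, version), files in releases.items():
        for contents in files.values():
            catalog[sha256_hex(contents.encode())].add((component, version))
    return catalog

def fingerprint_tree(root):
    """Relative path -> sha256 for every regular file below root; no manifest needed."""
    fingerprints = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                fingerprints[os.path.relpath(path, root)] = sha256_hex(fh.read())
    return fingerprints

def identify_components(fingerprints, catalog):
    """Vote per (component, version) for each matched file and keep the version(s)
    explaining the most files.  Returns {component: (versions, matched_files)};
    more than one version means the files seen do not pin the release."""
    votes = defaultdict(lambda: defaultdict(int))
    for digest in fingerprints.values():
        for component, version in catalog.get(digest, ()):
            votes[component][version] += 1
    identified = {}
    for component, by_version in votes.items():
        best = max(by_version.values())
        versions = tuple(sorted(v for v, n in by_version.items() if n == best))
        identified[component] = (versions, best)
    return identified

def find_issues(identified, vuln_db):
    """Query the vulnerability table for every candidate version of each component."""
    issues = []
    for component, (versions, _) in identified.items():
        for version in versions:
            for vuln_id, severity, title in vuln_db.get((component, version), []):
                issues.append({"id": vuln_id, "severity": severity, "title": title,
                               "component": f"{component}@{version}"})
    return issues

def scan_unmanaged(root, releases=UPSTREAM_RELEASES, vuln_db=VULN_DB):
    fingerprints = fingerprint_tree(root)
    identified = identify_components(fingerprints, build_catalog(releases))
    return {"files": len(fingerprints),
            "matched_files": sum(n for _, n in identified.values()),
            "components": identified,
            "issues": find_issues(identified, vuln_db)}

def make_sample_project():
    """Constructed tree: pristine libwidget 1.2.0, a locally patched tinylog (its hash
    no longer matches upstream, so it goes unidentified) and first-party code."""
    root = tempfile.mkdtemp(prefix="unmanaged-demo-")
    files = {
        "vendor/libwidget/widget.h": UPSTREAM_RELEASES[("libwidget", "1.2.0")]["widget.h"],
        "vendor/libwidget/widget.c": UPSTREAM_RELEASES[("libwidget", "1.2.0")]["widget.c"],
        "vendor/tinylog/tinylog.c": "void tlog(const char *m) { /* patched locally */ (void)m; }\n",
        "src/main.c": "int main(void) { return 0; }\n",
    }
    for rel, contents in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(contents)
    return root

if __name__ == "__main__":
    result = scan_unmanaged(make_sample_project())
    print(f"Fingerprinted {result['files']} files, matched {result['matched_files']}")
    for component, (versions, n) in result["components"].items():
        print(f"  {component}@{'|'.join(versions)} ({n} files)")
    for issue in result["issues"]:
        print(f"  [{issue['severity']}] {issue['title']} via {issue['component']}")
```

Two behaviours worth noting: the header shared by both libwidget releases votes for both versions, and only the version-specific widget.c breaks the tie, so a tree that vendors nothing but headers is reported with an ambiguous version rather than a guessed one; and the locally patched tinylog file produces no match at all, which is exactly the under-reporting a hash-based scanner shows on modified vendored code.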

Developer first

Snyk’s developer security platform is unique in the industry as the only developer-first solution that enables the entire modern application to be built quickly and securely in a DevOps environment. Snyk Open Source is set apart from similar tools because it understands the context and the structure of C and C++ projects. This leads to fewer false positives and less time spent correcting the identifications manually.

Curated database

Our team of security and open source experts continuously improves our vulnerability database for open source C and C++ projects, while also mapping project forks and mirrors to give the Snyk CLI more context. When a vulnerability is detected, Snyk provides recommended fixes, such as the package version you should update to in order to resolve the vulnerability.

How it works

This release adds a new --unmanaged command-line option, which tells the CLI to scan for dependencies in source code without needing manifests.

To scan code for C/C++ open source dependencies, run snyk test --unmanaged. To import the snapshot of dependencies and issues into the Snyk dashboard, run snyk monitor --unmanaged.

Setting up the Snyk CLI

First, make sure you have installed the Snyk CLI and are using version 1.885.0 or later.

Setting up the Snyk CLI is simple. You can use npm or Homebrew to quickly install it, then all that’s required is to authenticate with your Snyk account (if you haven’t already, sign up for free).

$ npm install -g snyk
$ snyk auth

Your browser will open up with a request to authenticate the CLI. Go ahead and authenticate!

You’re now ready to start working with the Snyk CLI to scan your C/C++ projects for vulnerabilities.

Scanning for security vulnerabilities

Let’s give the Snyk CLI a try by running a test.

To scan a project, the source files of the open source libraries must be present within the directory being scanned; the CLI fingerprints the files it finds on disk. Within that directory, run the following CLI command:

$ snyk test --unmanaged

Depending on the number of files in your project, the scan takes anywhere from seconds to a few minutes. When it completes, you are presented with a list of the identified vulnerabilities (abbreviated here; the summary line gives the full count):

Issues:

 ✗ [Critical] Double Free
    Introduced through: <https://curl.se|curl@7.58.0>
    URL: <https://security.snyk.io/vuln/SNYK-UNMANAGED-CURL-2317564>

 ✗ [Critical] Out-of-bounds Read
    Introduced through: <https://curl.se|curl@7.58.0>
    URL: <https://security.snyk.io/vuln/SNYK-UNMANAGED-CURL-2317585>

Tested 3 dependencies for known issues, found 29 issues.
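To turn that report into a CI decision, here is an added example (not Snyk tooling) that parses the output exactly as printed above into structured issues, tallies severities and fails on a configurable threshold. The sample report is the post's abbreviated listing, so the parsed issue count (2) differs from the count in the summary line (29), and the gate uses both. In a real pipeline prefer the CLI's machine-readable --json output to scraping text; the parser is here only to show what such a gate does with the report.

```python
"""Parse the human-readable `snyk test --unmanaged` report and gate on severity.
Added example, not Snyk's code; the sample report is copied from the post."""
import re
from collections import Counter

SAMPLE_REPORT = """\
Issues:

 ✗ [Critical] Double Free
    Introduced through: <https://curl.se|curl@7.58.0>
    URL: <https://security.snyk.io/vuln/SNYK-UNMANAGED-CURL-2317564>

 ✗ [Critical] Out-of-bounds Read
    Introduced through: <https://curl.se|curl@7.58.0>
    URL: <https://security.snyk.io/vuln/SNYK-UNMANAGED-CURL-2317585>

Tested 3 dependencies for known issues, found 29 issues.
"""

# Snyk's four severity levels, lowest to highest.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

ISSUE_RE = re.compile(r"^\s*✗\s+\[(?P<severity>[A-Za-z]+)\]\s+(?P<title>.+?)\s*$")
# "<url|name@version>" as shown in the report; the "url|" part is optional.
THROUGH_RE = re.compile(r"Introduced through:\s*<(?:[^|>]*\|)?(?P<pkg>[^>]+)>")
URL_RE = re.compile(r"URL:\s*<(?P<url>[^>]+)>")
SUMMARY_RE = re.compile(r"Tested (?P<deps>\d+) dependencies for known issues, found (?P<found>\d+) issues\.")

def parse_report(text):
    """Return {"issues": [...], "summary": {...} or None} from the printed report."""
    issues, current, summary = [], None, None
    for line in text.splitlines():
        if m := ISSUE_RE.match(line):
            current = {"severity": m["severity"].lower(), "title": m["title"],
                       "package": None, "url": None}
            issues.append(current)
        elif current and (m := THROUGH_RE.search(line)):
            current["package"] = m["pkg"]
        elif current and (m := URL_RE.search(line)):
            current["url"] = m["url"]
        elif m := SUMMARY_RE.search(line):
            summary = {"dependencies": int(m["deps"]), "found": int(m["found"])}
    return {"issues": issues, "summary": summary}

def severity_counts(report):
    return Counter(issue["severity"] for issue in report["issues"])

def should_fail(report, threshold="high"):
    """Fail the build when any listed issue is at or above the threshold, or when the
    summary reports issues that the listing does not show (abbreviated output)."""
    floor = SEVERITY_RANK[threshold]
    if any(SEVERITY_RANK.get(i["severity"], -1) >= floor for i in report["issues"]):
        return True
    summary = report["summary"]
    return bool(summary) and summary["found"] > len(report["issues"])

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(dict(severity_counts(parsed)), parsed["summary"])
    print("FAIL" if should_fail(parsed, "high") else "PASS")
```

The second condition in should_fail is the defensive part: if the summary line counts more issues than the parser saw, the gate refuses to pass rather than silently trusting a truncated listing.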

Monitoring for new vulnerabilities

The snyk monitor --unmanaged command creates a snapshot of dependencies and vulnerabilities and uploads it to the Snyk app. Snyk then monitors those dependencies and alerts you when new vulnerabilities affecting them are added to our Vulnerability Database.

As our database of open source projects is updated and improved, new dependencies may be discovered. Make sure you run the snyk monitor --unmanaged command regularly to update the list of dependencies to be monitored.

Read the C/C++ documentation to get more details on how to set up and scan your C and C++ projects.

Coming soon

Your feedback is always important to us. We will be improving the CLI functionality to add support for Snyk CI plugins and IDEs, and are also updating the APIs to directly search C/C++ packages for vulnerabilities and integrate testing with Conan and other package managers. Our Snyk Code team also plans to add support for C and C++ projects in the future. To share other ideas and feedback with us, please reach out to ccpp@snyk.io. 

Sign up for Snyk and try it for free today! 


Join us at ‘How to use the CLI for C/C++’

Michal Brutvan (Senior Product Manager, Snyk) and Jason Lane (Product Marketing Director, Snyk) will discuss what this feature means for you, as well as open the floor for feedback and questions in this 30-minute Office Hours panel on April 21st. Save your spot!
