Snyk Open Source adds C/C++ security scanning for unmanaged dependencies

We’re happy to announce the general availability of C/C++ security scanning in Snyk Open Source, enabling development and security teams to find and fix known security vulnerabilities in their C/C++ open source library dependencies.

No manifests

The C and C++ ecosystem is challenging and complicated to navigate with many open source projects, repositories, and package managers to oversee.  This release is our first step on the journey to supporting unmanaged code scans.

Unlike other solutions, the Snyk CLI does not need a manifest to resolve the dependencies. It converts files into digital signatures, or hashes, which are then correlated with Snyk’s databases to form a list of matching open source components. This list  is then used to query our Snyk Vulnerability Database for vulnerabilities.

Developer first

Snyk’s developer security platform is unique in the industry as the only developer-first solution that enables the entire modern application to be built quickly and securely in a DevOps environment. Snyk Open Source is set apart from similar tools because it understands the context and the structure of C and C++ projects. This leads to fewer false positives and less time spent correcting the identifications manually.

Curated database

Our  team of security and open source experts continuously improve our vulnerability database for open source C and C++ projects, while also mapping project forks and mirrors to give the Snyk CLI  more context. When a vulnerability is detected, Snyk provides recommended fixes, such as what package version you should update to to resolve the vulnerability. 

How it works

This release adds a new, --unmanaged command-line option which tells the CLI to scan for dependencies in source code without needing manifests. 

To scan code for C/C++ open source dependencies, simply run snyk test --unmanaged. To import the snapshot of dependencies and issues into the Snyk dashboard, run snyk monitor --unmanaged.

Setting up the Snyk CLI

First, make sure you’ve installed the Snyk CLI and are using version 1.885.0 and above.

Setting up the Snyk CLI is simple. You can use npm or Homebrew to quickly install it, then all that’s required is to authenticate with your Snyk account (if you haven’t already, sign up for free).

$ npm install -g snyk
$ snyk auth

Your browser will open up with a request to authenticate the CLI. Go ahead and authenticate!

You’re now ready to start working with the Snyk CLI to scan your C/C++ projects for vulnerabilities.

Scanning for security vulnerabilities

Let’s give the Snyk CLI a try by running a test.

To scan a project, the open source libraries must be located within the directory being scanned. Within that directory, run the following CLI command:

$ snyk test --unmanaged

Depending on the number of files in your project, the scanning process can take seconds to a few minutes. As soon as the scan is completed, you will be presented with a list of identified vulnerabilities: 

Issues:

 ✗ [Critical] Double Free
    Introduced through: <https://curl.se|curl@7.58.0>
    URL: <https://security.snyk.io/vuln/SNYK-UNMANAGED-CURL-2317564>

 ✗ [Critical] Out-of-bounds Read
    Introduced through: <https://curl.se|curl@7.58.0>
    URL: <https://security.snyk.io/vuln/SNYK-UNMANAGED-CURL-2317585>

Tested 3 dependencies for known issues, found 29 issues.

Monitoring for new vulnerabilities

The snyk monitor --unmanaged command will create a snapshot of dependencies and vulnerabilities and upload them to Snyk app. Snyk will then monitor the dependencies and alert you when new vulnerabilities are added in our Vulnerability Database.

As our database of open source projects is updated and improved, new dependencies may be discovered. Make sure you run the snyk monitor --unmanaged command regularly to update the list of dependencies to be monitored.

Read the C/C++ documentation to get more details on how to set up and scan your C and C++ projects.

Coming soon

Your feedback is always important to us. We will be improving the CLI functionality to add support for Snyk CI plugins and IDEs, and are also updating the APIs to directly search C/C++ packages for vulnerabilities and integrate testing with Conan and other package managers. Our Snyk Code team also plans to add support for C and C++ projects in the future. To share other ideas and feedback with us, please reach out to ccpp@snyk.io. 

Sign up for Snyk and try it for free today! 

Join us at ‘How to use the CLI for C/C++’

Michal Brutvan (Senior Product Manager, Snyk) and Jason Lane (Product Marketing Director, Snyk) will discuss what this feature means for you, as well as open the floor for feedback and questions in this 30-minute Office Hours panel on April 21st. Save your spot!