Ecosystems

Interested in ecosystem-specific posts? We’ve got your back! Read through our posts and learn how security impacts your environment.

81% believe developers should own security, but they aren’t well-equipped

A worrying 27% of respondents stated they do not have any proactive or automatic way to find out about newly discovered vulnerabilities in their applications, and 37% of users don’t run any sort of security testing during CI.

February 26, 2019

Top ten most popular docker images each contain at least 30 vulnerabilities

We found that 44% of Docker image scans had known vulnerabilities for which a newer, more secure base image was already available. Most vulnerabilities originate in the base image you select, so remediation should start with base image fixes rather than with individual packages.

February 26, 2019

ReDoS vulnerabilities in npm spike by 143% and XSS continues to grow

A regular expression that backtracks catastrophically can be devastating in a single-threaded runtime such as Node.js: one crafted input ties up the event loop, and every other request waits behind it. We also found that the npm ecosystem has seen the most XSS vulnerabilities, with Maven Central and PyPI next.

February 26, 2019
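The event-loop point above in running code. This is an added example, not code from the post or from Snyk: a nested-quantifier pattern beside a linear rewrite, timed against a constructed adversarial input. The patterns, the input generator and the function names are assumptions made for illustration.

```javascript
// Added example (not from the original post): catastrophic backtracking in a
// JavaScript regex versus a linear-time rewrite. Patterns and inputs are constructed.

// Vulnerable: the nested quantifier (a+)+ lets the engine try exponentially many
// ways to split a run of 'a's once the trailing '$' fails to match.
const VULNERABLE = /^(a+)+$/;
// Hardened: matches the same strings ("one or more a's") without a nested
// quantifier, so backtracking is bounded by the input length.
const HARDENED = /^a+$/;

// Adversarial input: n letters 'a' followed by a character that defeats the match,
// forcing the engine to backtrack through every grouping before giving up.
function adversarialInput(n) {
  return 'a'.repeat(n) + '!';
}

// Millisecond clock; performance.now() is a global in Node.js and browsers.
const now = () =>
  typeof performance !== 'undefined' ? performance.now() : Date.now();

// Run one regex against the input and report the wall-clock cost.
// While this runs, a single-threaded runtime can do nothing else.
function timeMatch(re, input) {
  const start = now();
  const matched = re.test(input);
  return { matched, ms: now() - start };
}

// Same adversarial input against both patterns; both return false, but the
// vulnerable one does so after roughly 2^(n-1) backtracking attempts.
function compare(n) {
  const input = adversarialInput(n);
  return {
    vulnerable: timeMatch(VULNERABLE, input),
    hardened: timeMatch(HARDENED, input),
  };
}

// Demonstration: cost of the vulnerable pattern roughly doubles with each extra 'a'.
for (const n of [10, 14, 18, 20]) {
  const r = compare(n);
  console.log(
    `n=${n} vulnerable=${r.vulnerable.ms.toFixed(2)}ms ` +
      `hardened=${r.hardened.ms.toFixed(3)}ms`
  );
}
```

Raising n past the low twenties turns the demonstration into a hang, which is the whole attack: the input is tiny, the cost is exponential, and in Node.js nothing else is served until the match returns. The fix is the rewrite, not a timeout around the call.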

78% of vulnerabilities are found in indirect dependencies, making remediation complex

Only one in three developers can address a high or critical-severity vulnerability in a day or less. The more we use open source software, the more risk we accumulate as we’re including someone else’s code that could potentially contain vulnerabilities now or in the future.

February 26, 2019
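Why an indirect dependency is harder to fix than a direct one: you cannot bump it yourself, so you first have to find which of your own direct dependencies pulls it in. The following is an added example, not code from the post or from Snyk's tooling. It walks a constructed, simplified dependency graph shaped like the `requires` map of an npm v1 lockfile; the package names, versions and function names are all invented for illustration.

```javascript
// Added example (not from the original post): find every path from a project's
// direct dependencies to a vulnerable transitive package. The graph below is a
// constructed, simplified lockfile: fictional package names, no real vulnerabilities.
const SAMPLE_LOCK = {
  // What the project itself lists in package.json.
  direct: ['web-framework', 'dev-server'],
  // Flattened dependency map: name -> { version, requires }.
  dependencies: {
    'web-framework':   { version: '4.1.0', requires: ['body-parser-lib'] },
    'body-parser-lib': { version: '1.2.0', requires: ['util-lib'] },
    'dev-server':      { version: '3.0.2', requires: ['chokidar-lib', 'util-lib'] },
    'chokidar-lib':    { version: '2.0.4', requires: ['util-lib'] },
    'util-lib':        { version: '4.17.4', requires: [] },
  },
};

// Depth-first search from one direct dependency, collecting each chain that
// ends at `target`. `onPath` guards against dependency cycles.
function walk(lock, name, target, path, onPath, out) {
  if (onPath.has(name)) return;
  const nextPath = [...path, name];
  if (name === target) {
    out.push(nextPath);
    return;
  }
  const node = lock.dependencies[name];
  if (!node) return; // dangling reference in the lockfile; nothing to follow
  onPath.add(name);
  for (const dep of node.requires) walk(lock, dep, target, nextPath, onPath, out);
  onPath.delete(name);
}

// Report whether the vulnerable package is direct, every path reaching it,
// and which direct dependencies the developer can actually upgrade to cut it off.
function remediationReport(lock, vulnerable) {
  const paths = [];
  for (const root of lock.direct) walk(lock, root, vulnerable, [], new Set(), paths);
  const remediateVia = [...new Set(paths.map((p) => p[0]))];
  return {
    package: vulnerable,
    version: lock.dependencies[vulnerable] ? lock.dependencies[vulnerable].version : null,
    isDirect: lock.direct.includes(vulnerable),
    paths,
    remediateVia,
  };
}

// Demonstration on the constructed lockfile.
const report = remediationReport(SAMPLE_LOCK, 'util-lib');
console.log(`${report.package}@${report.version} direct=${report.isDirect}`);
for (const p of report.paths) console.log('  ' + p.join(' > '));
console.log('upgrade candidates: ' + report.remediateVia.join(', '));
```

The report is the practitioner's to-do list: a direct dependency is a one-line version bump, while an indirect one needs either a release of each direct dependency on the list that pulls in a fixed version, or an override of the nested version, which is why the same severity takes much longer to close when the package is transitive.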

88% increase in application library vulnerabilities over two years

A good number of security vulnerabilities are discovered and fixed outside official channels. We measured the Snyk vulnerability database to contain 67% more vulnerabilities than public databases. In 2018, new disclosures for npm grew by 47%, and for Maven Central by 27%.

February 26, 2019

Open source maintainers want to be secure, but 70% lack skills

Maintainers stated their security knowledge is improving but not high enough, averaging 6.6/10, and 1 in 4 open source maintainers do not audit their code bases.

February 26, 2019

Snyk CLI drops support for Node.js 4 (Argon)

On 30th of April, 2018, Node.js 4 was officially marked as End of Life (EOL) and ceased to receive security updates. At Snyk, we have been committed to continued support for Node.js 4 in our CLI tool, but the time has finally come to wave goodbye. Today we are announcing the deprecation of Node.js 4 […]

January 24, 2019

Finding open source vulnerabilities within the Bitbucket workflow

Snyk was happy to implement code insights, a new functionality by Bitbucket, to allow Bitbucket Server users to view detailed results of Snyk’s vulnerability scan, all within Bitbucket itself.

January 22, 2019

Snyk’s vulnerability database is no longer powering JFrog’s Xray

Starting from January 2019, Snyk’s vulnerability database is no longer integrated into the Xray platform. Snyk vulnerabilities observed through scans done prior to January 2019, or in databases not updated since then, will remain visible in the Xray dashboard. New scans from January 2019 onward will not include any Snyk vulnerabilities.

January 3, 2019

JVM Ecosystem Report 2018

Welcome to the largest survey ever of Java developers. The data presented in the following report was taken from more than 10,200 questionnaires, covering JDK vendors, versions, IDEs, build tools, CI servers, Java EE versions, web frameworks, JVM languages, binary repositories, source code repositories, source code management and much more!

October 17, 2018

JVM Ecosystem report 2018 – About your Tools

The tooling chapter of the JVM Ecosystem Report 2018 (the survey of more than 10,200 Java developers described above), covering IDEs, build tools, CI servers, binary repositories, source code repositories and source code management.

October 17, 2018