Secure Elixir development with Snyk

We’re happy to announce support for Elixir, enabling development and security teams to easily find, prioritize and fix vulnerabilities in the Elixir and Erlang packages they are using to build their applications!

Using the Snyk CLI, Elixir developers can now test and monitor their Mix/Hex projects manually or at key steps of their CI process, ensuring that known vulnerabilities are caught early on and before code is deployed into production.

Support for Elixir is available — for free — across all Snyk plans!

Elixir security, 10 years in

Elixir, recently celebrating 10 years, is a functional, concurrent, general-purpose programming language that runs on the BEAM virtual machine used to implement the Erlang programming language. Productive development tooling and an extensible design have made Elixir the weapon of choice for many organizations, including Bleacher Report, Mozilla, PagerDuty, PepsiCo, and TheRealReal. Open source projects within this ecosystem are also thriving. Hex, the package manager for the Erlang ecosystem, Elixir included, now contains over 12,000 packages that are being downloaded millions of times a day.

As with any other language or ecosystem, these open source packages pose a security risk — some of the Elixir packages contain known security vulnerabilities which can be exploited by malicious actors. Approximately 78% of open source vulnerabilities are found in transitive dependencies, which means that the vast majority of vulnerabilities in your application originate from Elixir packages you did not even realize you were using!

The good news is that the number of known vulnerabilities in Elixir packages remains relatively low, especially when compared to other ecosystems such as Java, JavaScript, Python, .NET, and even Go, another relatively new language. Not only that, 90% of the existing Elixir vulnerabilities have a fix — a newer and more secure version of the package to upgrade to. The bad news is that there are some nasty vulnerabilities in older versions of some widely used Elixir packages.

But guess what? Using Snyk you’ll be able to surface these vulnerabilities early on and quickly apply a fix.

Testing and monitoring your Elixir application

The Snyk CLI allows you to find and fix known vulnerabilities in your dependencies, both manually and as part of your CI workflow, in a command-line environment.

If you’re new to the Snyk CLI, you’ll need to install it f

irst. There are various methods for installing the Snyk CLI. Here's how to use npm:

npm install -g snyk 

You then need to link the Snyk CLI to your Snyk account by authenticating:

snyk auth

A tab opens up in your browser, asking you to authenticate the CLI for use with your account.

Just hit Authenticate.

You’re now ready to test your Elixir application.

Change directory into the local folder containing your Elixir application, and then run:

snyk test

It is common practice in Elixir to use umbrella projects — sub-projects ("apps" in Elixir terminology), each with its own mix.exs file but all sharing a single mix.lock file. Snyk supports this project structure out of the box, so there is no need for additional CLI params, it just works. Each “app” is represented as a separate project in the Snyk CLI and UI, but grouped together.

Once a scan is executed, Snyk correlates the list of dependencies with the Snyk vulnerability database. All vulnerabilities identified are then listed, including their path, and remediation guidance.

As seen in the image above, I tested the Changelog project — an Elixir application built on the Phoenix framework, PostgreSQL, and a bunch of other open source projects. The project currently contains one high severity vulnerability in a package called sweet_xml allowing attackers to cause a denial of service via an XML entity expansion attack with an inline DTD. sweet_xml is an extremely popular package, downloaded thousands of times a day, and usually buried a few dependency layers deep within an application. Unfortunately, this package has no new version available with a fix.

To monitor your project on a regular basis and receive notifications when new vulnerabilities are introduced, use the following command:

snyk monitor

A snapshot of your current dependencies is taken so Snyk can check against it for newly disclosed vulnerabilities or when a previously unavailable patch or upgrade path is created. You can now log into the Snyk app to see the results of your scan on the Projects page:

In the case of the project tested this time, Snyk has identified a couple of vulnerabilities associated with plug — a popular package that has been downloaded millions of times — including some high severity vulnerabilities. 

To help you understand the vulnerability itself and how it crept into your application, the issue cards explain what the vulnerability actually means, how it was introduced, and what version to upgrade to. A priority score helps with prioritization.

On the Dependencies tab, you will see a full dependency tree explaining how exactly a vulnerability was introduced into your application.

As mentioned before, you can also use the Snyk CLI to run snyk test or snyk monitor as part of your CI pipeline. The Snyk Jenkins integration, for example, enables you to test and monitor your code for vulnerabilities on an ongoing basis, breaking builds when vulnerabilities are identified.

Develop fast. Stay secure!

The vast majority of the code used to build today’s applications is open source. Developers prefer to build with open source because of the speed, flexibility, extensibility, and quality it provides. But as explained above, this preference and growing reliance on open source introduces risk that must be managed and mitigated. 

With Snyk’s new support for Elixir, the Elixir ecosystem is now more secure.

So, how do I get started? Glad you asked! Check out our Snyk for Elixir documentation on additional usage instructions. Elixir support is available across all Snyk plans. If you’re already a Snyk user, all you have to do is install the Snyk CLI and follow the instructions above. If you’re not a Snyk user, sign up for free here!