Snyk Blog

Using the Snyk Vulnerability Database to find projects for The Big Fix

Written by:
DeveloperSteve Coochin
DeveloperSteve Coochin
wordpress-sync/blog-hero-the-big-fix

March 30, 2022

0 mins read

As developers, we all have our morning startup routine: make coffee, check Slack/Discord/email, read the latest news. One thing I do as part of my daily startup routine is check the Snyk Vulnerability Database for the latest open source vulnerabilities.

It's been especially interesting to see the types of exploits and vulnerabilities that appear in different ecosystems. I’ve been watching the emergence of vulnerabilities in Tensorflow libraries since May 2021, and at the time of this writing, they have appeared again (nearly two pages of them!). Vulnerabilities within ElectronJS, the ecosystem powering Slack, VS Code, Twitch, and many other popular apps have also surfaced multiple times in recent reports.

While the Snyk Vulnerability Database simplifies secure development day to day, it also helps make the internet more secure overall. Snyk’s month-long vulnerability sprint, The Big Fix, brought developers, DevOps, and security practitioners together to fix as many vulnerabilities as possible, culminating in the 24-hour Big Fix-A-Thon live stream. Many participants used the Snyk vulnerability database to find and fix malicious packages in a variety of open source projects.

The official event may be over, but The Big Fix community is active as ever. Today, I’ll show you how to  find a project with the open source vulnerability database, so you can help keep users safe and grab a limited edition #thebigfix t-shirt along the way.

Getting started with The Big Fix

The first step is to sign up for a free Snyk account. If you don’t already have one, head over to the getting started page and provide all the usual details (no credit card required). After that, go to The Big Fix website and click Register now. Finally, fill out your name and email address, and you’re ready to start.

Once you're signed up, the next step is finding a project. There are a few ways to do this.

Connect an existing repository

If you already have a project repository in mind, you can connect it quickly and easily. Go to your Snyk dashboard and click Add Project. If your repository of choice is not listed in the quick menu, click Other, which will take you to a comprehensive list of integration options.

Select your repository of choice and follow the steps to connect and configure.

wordpress-sync/blog-big-fix-vulndb-repositories

Once connected, click Add Project again and select the repository where you want to do an open source vulnerability scan. You can even scan private repositories.

wordpress-sync/blog-big-fix-vulndb-find-repo

When connected to Snyk, the scan will identify vulnerable packages in the connected package manifest. You can then select these packages to see recommended fixes and potential remediation steps. Snyk also offers the ability to create an automatic pull request with recommended fixes — just remember to test the application to verify that everything in the project is working as expected.

Find a project

If you’re looking for a project where you can help fix a vulnerability, you can use the Snyk Vulnerability Database to search for projects in your package or ecosystem of choice.

During The Big Fix, I contributed to Invoice Ninja, one of my favorites from the PHP open source ecosystem. This open source project helps businesses all over the world with invoicing and accounting, by connecting to a variety of third-party business tools.

First, I forked the main repository into my own account. Then, using the method above, I connected the repository to Snyk.

wordpress-sync/blog-big-fix-vulndb-repo-connect

The scan identified a few vulnerabilities in the PHP composer package manifest, one of which was being introduced via DOMPDF 0.6.2 as a dependency library.

wordpress-sync/blog-big-fix-vulndb-scan

Digging a bit further into some of the findings, I identified a few issues, including a cross-site scripting (XSS) vulnerable path in PHP-Font-Lib — a vulnerability from 2014. Tracing it back through the project helped identify not only the issue itself, but also the necessary fix.

When deploying fixes, you need to keep a few things in mind. Foremost is making sure the overall project still works. This is especially important with library and dependency upgrades. Many people rely on these projects for their day-to-day business, and deploying a breaking change is not something any project wants to see.

I pulled the forked repo into my localhost using a Git pull request and launched VS Code. With the Snyk plugin installed, I was able to upgrade the affected packages and debug. Then, I ran the code for testing on my localhost using a localhost server (this can also be done using PHP’s built-in server).

Finally committing back to my forked repository, I submitted a Git pull request, which was verified by the community before being merged.

The elation of completing contributions

I love giving back, especially when I can help keep another community safe and vulnerability-free. As members of the open source community, it’s important to contribute and help protect all open source users. So, let's all work together to make the digital world a safer place.

Posted in:Open Source Security, Application Security
wordpress-sync/blog-hero-the-big-fix

Guide to Choosing a SAST Solution

See the process for assessing, selecting, and implementing a modern SAST solution based on a four phase process and find the best fit for your specific security needs.

See the guide

Get started for free

No credit card required.

Start free with Google

Or Sign up with

SSOBitbucketAzure ADDocker ID

By logging in or signing up, you agree to abide by our policies, including our Terms of Service and Privacy Policy

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon