Detect Security Vulnerabilities with Snyk

Last modified: 5 September 2023

1. Overview

In the rapidly changing realm of software development, the assurance of robust security is an important yet often tricky task. As modern applications rely heavily on open-source libraries and dependencies, the vulnerabilities lurking within these components can pose a serious threat.

This is where Snyk comes into play, giving developers tools to detect potentially vulnerable code or dependencies automatically. In this article, we’ll explore its features and how they can be used in the context of a Java project.

2. What Is Snyk?

Snyk is a cloud-native security platform that focuses on identifying and mitigating vulnerabilities in open-source software components and containers. Before we dive into using specific features, let’s look at the main usages that will be the focus of this article.

2.1. Snyk Open Source

Snyk Open Source scans our project’s dependencies by analyzing the libraries and packages that our application relies on. It checks these dependencies against a comprehensive database of known vulnerabilities. Snyk Open Source not only points out vulnerabilities but also offers actionable remediation guidance. It suggests possible solutions to address the vulnerabilities, such as upgrading to a secure version or applying patches.

2.2. Snyk Code

Snyk Code employs static code analysis techniques to review source code and identify security vulnerabilities and other issues. It reviews the code without executing it to find potential problems by analyzing the structure, logic, and patterns in the codebase. This includes vulnerabilities originating from known security databases, as well as code quality issues such as code smells, potential logical errors, and misconfigurations.

2.3. Integration

We can integrate Snyk into a project by using the Snyk CLI on demand or by connecting it to a version control system (such as Git). This integration allows Snyk to access our codebase and perform automated scans whenever code changes are made. Alternatively, we can use a plugin for our build system (such as Gradle) to execute scans as a part of our build process.

3. Setup

Before we dive into making our projects more secure, we need to execute a few steps to set up Snyk CLI and its connection to Snyk services.

3.1. Creating an Account

Snyk is a cloud-native solution. We’ll need an account to use it. At the time of writing this article, a basic Snyk account, sufficient for testing and small projects, is free.

3.2. Installing the CLI

Snyk offers a Command-Line Interface (CLI) that allows us to interact with Snyk services from a terminal. Once we install the CLI app, it will only do the job of connecting to the Snyk server, and all the hard work will happen in the cloud.

We can install the CLI globally using Node Package Manager (npm):

$ npm install -g snyk

We can also use other installation methods described in the Snyk manual.

3.3. Authenticating

Finally, we need to authenticate so that the CLI knows to which account it should connect:

$ snyk auth

4. Using CLI to Test for Vulnerabilities

Snyk CLI is a tool provided by Snyk that allows us to easily connect to the Snyk services and execute scans from the command line. Let’s look at two of Snyk’s fundamental features: dependency scan and code scan.

4.1. Dependency Scan

To run a dependency scan on our project using the Snyk CLI, we can simply type:

$ snyk test

This command will analyze our project’s dependencies and identify any problems. Snyk will provide a detailed report showing the vulnerabilities, their severity levels, and the affected packages:

[...]
Package manager:   gradle
Target file:       build.gradle
Project name:      snyktest
Open source:       no
Project path:      [...]
Licenses:          enabled

✔ Tested 7 dependencies for known issues, no vulnerable paths found.
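
Turning that report into a build gate, as an added example that is not from the original article: it reads the machine-readable output of `snyk test --json`, assumed here to carry a `vulnerabilities` list whose entries have `severity`, `packageName`, `version`, `isUpgradable` and `fixedIn` fields, counts findings by severity, lists the upgrades Snyk reports as available, and fails when anything at or above the chosen threshold is present. The report below is constructed, not real scan output.

```python
import json
from collections import Counter

# Constructed sample of a `snyk test --json` report. The field names are an
# assumption about Snyk's JSON output, trimmed to what this script reads.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "packageManager": "gradle",
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "title": "Deserialization of Untrusted Data",
         "severity": "high", "packageName": "com.example:lib-a",
         "version": "1.0.0", "isUpgradable": True, "fixedIn": ["1.0.5"]},
        {"id": "SNYK-EXAMPLE-2", "title": "Regular Expression Denial of Service",
         "severity": "medium", "packageName": "com.example:lib-b",
         "version": "2.3.1", "isUpgradable": False, "fixedIn": []},
        {"id": "SNYK-EXAMPLE-3", "title": "Information Exposure",
         "severity": "low", "packageName": "com.example:lib-c",
         "version": "0.9.0", "isUpgradable": True, "fixedIn": ["0.9.2"]},
    ],
})

# Snyk's severity scale, lowest to highest.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def summarize(report_json, threshold="high"):
    """Return (counts, failing, remediation) for one report.

    counts: findings per severity; failing: findings at or above threshold;
    remediation: upgradable package@version -> first fixed version reported.
    """
    report = json.loads(report_json)
    vulns = report.get("vulnerabilities", [])
    counts = Counter(v["severity"] for v in vulns)
    min_rank = SEVERITY_RANK[threshold]
    failing = [v for v in vulns if SEVERITY_RANK.get(v["severity"], 0) >= min_rank]
    remediation = {
        f'{v["packageName"]}@{v["version"]}': v["fixedIn"][0]
        for v in vulns if v.get("isUpgradable") and v.get("fixedIn")
    }
    return counts, failing, remediation

def gate(report_json, threshold="high"):
    """Exit code for a CI step: 0 only when nothing meets the threshold."""
    return 1 if summarize(report_json, threshold)[1] else 0

if __name__ == "__main__":
    counts, failing, fixes = summarize(SAMPLE_REPORT)
    print("by severity:", dict(counts))
    for v in failing:
        print(f'FAIL {v["severity"]:8} {v["packageName"]}@{v["version"]}: {v["title"]} ({v["id"]})')
    for pkg, ver in fixes.items():
        print(f"upgrade {pkg} -> {ver}")
    raise SystemExit(gate(SAMPLE_REPORT))
```

In a pipeline the constructed report is replaced by the file written with `snyk test --json > snyk.json`, and the threshold matches the team's policy for blocking a merge.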

4.2. Code Scan

We can also enable static code analysis in the settings on the Snyk page and run a scan of vulnerabilities inside our own code:

$ snyk code test
[...]

✔ Test completed

Organization:      [...]
Test type:         Static code analysis
Project path:      [...]

Summary:

✔ Awesome! No issues were found.

5. Using Gradle Integration

Instead of using Snyk CLI, we can use the Gradle plugin and run Snyk tests automatically during the build process. First, we need to add the plugin to the build.gradle file:

plugins {
    id "io.snyk.gradle.plugin.snykplugin" version "0.5"
}

Then, we can optionally provide some configuration:

snyk {
    arguments = '--all-sub-projects'
    severity = 'low'
    api = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
}

However, defaults should be good enough in most cases. Also, we don’t need to provide an API key if we authenticated using CLI before. Finally, to run the tests, we can simply type:

$ ./gradlew snyk-test

We can also configure Gradle to run Snyk tests with every build:

tasks.named('build') {
    dependsOn tasks.named('snyk-test')
}

Mind that the free version of Snyk has a limited number of tests we can run monthly, so running tests with every build can be wasteful.

6. Conclusion

Snyk Code is a valuable tool for developers and organizations aiming to improve their application security by identifying vulnerabilities and code quality issues early in the development lifecycle. In this article, we learned how to use Snyk Open Source and Code features to scan our projects for possible security issues. Additionally, we looked into how to integrate Snyk into the Gradle build system.
