Snyk CLIを使用してみる

$ git clone https://github.com/snyk-labs/nodejs-goof
$ git clone https://github.com/snyk-labs/infrastructure-as-code-goof

$ snyk test --severity-threshold=critical

Testing ~/snyk_goof/nodejs-goof...

Tested 564 dependencies for known issues, found 2 issues, 3 vulnerable paths.


Issues to fix by upgrading:

  Upgrade adm-zip@0.4.7 to adm-zip@0.4.11 to fix
  ✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Critical Severity]
Snyk Vulnerability Database | Snyk
Critical severity (9.4) Arbitrary File Write via Archive Extraction (Zip Slip) in adm-zip | CVE-2018-1002204
security.snyk.io in adm-zip@0.4.7
    introduced by adm-zip@0.4.7

  Upgrade hbs@4.0.4 to hbs@4.1.0 to fix
  ✗ Prototype Pollution [Critical Severity]
Snyk Vulnerability Database | Snyk
Critical severity (9.8) Prototype Pollution in handlebars
security.snyk.io in handlebars@4.0.14
    introduced by hbs@4.0.4 > handlebars@4.0.14 and 1 other path(s)



Organization:      masawai
Package manager:   npm
Target file:       package-lock.json
Project name:      goof
Open source:       no
Project path:      ~/snyk_goof/nodejs-goof
Licenses:          enabled

$ snyk code test --severity-threshold=high

Testing ~/snyk_goof/nodejs-goof ...

 ✗ [High] NoSQL Injection
   Path: routes/index.js, line 39
   Info: Unsanitized input from the HTTP request body flows into find, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.

 ✗ [High] NoSQL Injection
   Path: routes/index.js, line 191
   Info: Unsanitized input from an HTTP parameter flows into findById, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.

 ✗ [High] NoSQL Injection
   Path: routes/index.js, line 219
   Info: Unsanitized input from an HTTP parameter flows into findById, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.

 ✗ [High] Hardcoded Secret
   Path: app.js, line 42
   Info: Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in express-session.

 ✗ [High] Hardcoded Secret
   Path: app.js, line 83
   Info: Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in here.


✔ Test completed

Organization:      8edf5cac-ca5a-41b4-a80a-4eda2b73940f
Test type:         Static code analysis
Project path:      ~/snyk_goof/nodejs-goof

Summary:

  5 Code issues found
  5 [High]

$ docker build -t docker-goof .
$ snyk container test docker-goof --file=Dockerfile --severity-threshold=critical

Testing docker-goof...

(省略)

Organization:      masawai
Package manager:   deb
Target file:       Dockerfile
Project name:      docker-image|docker-goof
Docker image:      docker-goof
Platform:          linux/arm64
Base image:        node:18.13.0
Licenses:          enabled

Tested 409 dependencies for known issues, found 9 issues.

Base Image    Vulnerabilities  Severity
node:18.13.0  395              9 critical, 32 high, 107 medium, 247 low

Recommendations for base image upgrade:

Minor upgrades
Base Image  Vulnerabilities  Severity
node:18.17  145              0 critical, 1 high, 0 medium, 144 low

Major upgrades
Base Image  Vulnerabilities  Severity
node:20.5   145              0 critical, 1 high, 0 medium, 144 low

Alternative image types
Base Image               Vulnerabilities  Severity
node:20.4-bookworm-slim  28               0 critical, 0 high, 0 medium, 28 low
node:20.3.1-slim         28               0 critical, 0 high, 0 medium, 28 low
node:20.4-bullseye-slim  51               0 critical, 0 high, 0 medium, 51 low
node:20.3.1-bookworm     147              0 critical, 2 high, 0 medium, 145 low

(省略)

-------------------------------------------------------

Testing docker-goof...

Tested 551 dependencies for known issues, found 2 issues.

(省略)

Organization:      masawai
Package manager:   npm
Target file:       /usr/src/goof/package.json
Project name:      goof
Docker image:      docker-goof
Licenses:          enabled

(省略)

-------------------------------------------------------

Testing docker-goof...

Organization:      masawai
Package manager:   gomodules
Target file:       /usr/src/goof/node_modules/snyk/wrapper_dist/snyk-linux-arm64
Project name:      go-distribution@command-line-arguments
Docker image:      docker-goof
Licenses:          enabled

✔ Tested 550 dependencies for known issues, no vulnerable paths found.


Tested 3 projects, 2 contained vulnerable paths.

$ snyk iac test terraform/s3/ --severity-threshold=high

Snyk Infrastructure as Code

✔ Test completed.

Issues

High Severity Issues: 34

(省略)

  [High] S3 Bucket is publicly readable and writable
  Info:    That this S3 bucket is publicly writeable without any authentication
           or authorization. . That you may be leaking sensitive information to
           members of the public and this data could be modified without your
           knowledge.
  Rule:    https://security.snyk.io/rules/cloud/SNYK-CC-TF-19
  Path:    input > resource > aws_s3_bucket[writable] > acl
  File:    s3_cis.tf
  Resolve: Set the `acl` attribute to `private`, or remove the attribute

-------------------------------------------------------

Test Summary

  Organization: masawai
  Project name: snyk-labs/infrastructure-as-code-goof

✔ Files without issues: 7
✗ Files with issues: 9
  Ignored issues: 0
  Total issues: 34 [ 0 critical, 34 high, 0 medium, 0 low ]

-------------------------------------------------------