TBD
snyk.io offers a free sign-up with limited features (no license validation; that requires the Standard plan or above).
Language support and integrations are fairly extensive; see the Snyk docs for details.
Docker container vulnerability management is also available, but only on paid plans.
ONAP uses Sonatype Nexus IQ Server for security and license vulnerability checks, so to get started I just did a straight comparison on the DMaaP Data Router project.
SNYK.IO
snyk.io reports 2 high-severity vulnerabilities:
✗ High severity vulnerability found in org.eclipse.jetty:jetty-client
Description: Authorization Bypass
Info: https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-32384
Introduced through: org.onap.dmaap.datarouter:datarouter-node@2.0.2-SNAPSHOT, org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT, org.onap.dmaap.datarouter:datarouter-subscriber@2.0.2-SNAPSHOT
From: org.onap.dmaap.datarouter:datarouter-node@2.0.2-SNAPSHOT > org.sonatype.http-testing-harness:junit-runner@0.11 > org.sonatype.http-testing-harness:server-provider@0.11 > org.eclipse.jetty:jetty-proxy@9.2.7.v20150116 > org.eclipse.jetty:jetty-client@9.2.7.v20150116
From: org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT > org.sonatype.http-testing-harness:junit-runner@0.11 > org.sonatype.http-testing-harness:server-provider@0.11 > org.eclipse.jetty:jetty-proxy@9.2.7.v20150116 > org.eclipse.jetty:jetty-client@9.2.7.v20150116
From: org.onap.dmaap.datarouter:datarouter-subscriber@2.0.2-SNAPSHOT > org.sonatype.http-testing-harness:junit-runner@0.11 > org.sonatype.http-testing-harness:server-provider@0.11 > org.eclipse.jetty:jetty-proxy@9.2.7.v20150116 > org.eclipse.jetty:jetty-client@9.2.7.v20150116
✗ High severity vulnerability found in com.h2database:h2
Description: Arbitrary Code Execution
Info: https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-31685
Introduced through: org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT
From: org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT > com.h2database:h2@1.4.197
Sonatype Nexus IQ
Sonatype Nexus IQ reports only 1, for the h2 database: CVE-2018-14335 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335).
This may depend on how often each tool's vulnerability database is updated. Dependency scope is another likely factor: snyk's jetty-client finding is reached only through org.sonatype.http-testing-harness:junit-runner, which reads as a test-time dependency, and scanners differ in whether they report (or how they rank) vulnerabilities in dependencies that never ship in the runtime artifact. The two h2 advisories should also be matched by CVE id before assuming they describe the same issue.
Hooking snyk.io into Jenkins CI looks straightforward: set SNYK_TOKEN for the account in use (probably an org-level token, kept as a Jenkins credential rather than pasted into the job definition) and run the Snyk step in the pipeline.
https://support.snyk.io/integrations/jenkins/jenkins-integration
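The Jenkins step itself is a one-liner once SNYK_TOKEN is in the environment (for example `snyk test --json > snyk.json || true` inside a withCredentials block); the part worth writing down is what the job does with the result. Below is an added example, not ONAP's or Snyk's code, of a gate that reads the `snyk test --json` report and fails the build only on findings that matter: it applies a severity threshold, honours an ignore list, and downgrades findings that are reachable only through a test harness (using the org.sonatype.http-testing-harness path from the output above) to advisory. The field names in the report (`vulnerabilities`, `id`, `severity`, `packageName`, `version`, `title`, `from`) are my assumption about the Snyk JSON format, and the embedded report is constructed from the two findings quoted on this page.

```python
"""Gate a CI build on a Snyk JSON report (added example, not ONAP or Snyk code).

Assumed input: the output of `snyk test --json`, taken here to contain a
top-level "vulnerabilities" list whose entries carry "id", "severity",
"packageName", "version", "title" and "from" (the dependency path from the
project root). Those field names are an assumption, not taken from the page.
"""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report mirroring the two findings quoted on the page.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {
            "id": "SNYK-JAVA-ORGECLIPSEJETTY-32384",
            "severity": "high",
            "title": "Authorization Bypass",
            "packageName": "org.eclipse.jetty:jetty-client",
            "version": "9.2.7.v20150116",
            "from": [
                "org.onap.dmaap.datarouter:datarouter-node@2.0.2-SNAPSHOT",
                "org.sonatype.http-testing-harness:junit-runner@0.11",
                "org.sonatype.http-testing-harness:server-provider@0.11",
                "org.eclipse.jetty:jetty-proxy@9.2.7.v20150116",
                "org.eclipse.jetty:jetty-client@9.2.7.v20150116",
            ],
        },
        {
            "id": "SNYK-JAVA-COMH2DATABASE-31685",
            "severity": "high",
            "title": "Arbitrary Code Execution",
            "packageName": "com.h2database:h2",
            "version": "1.4.197",
            "from": [
                "org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT",
                "com.h2database:h2@1.4.197",
            ],
        },
    ]
})

# Dependency-path prefixes that mark a finding as reachable only through
# test tooling. The harness name is the one in the page's own snyk output;
# extend this tuple for other test-only artifacts in your build.
TEST_ONLY_MARKERS = ("org.sonatype.http-testing-harness:",)


def is_test_only(finding):
    """True if some hop below the project root is a known test-only artifact."""
    return any(hop.startswith(TEST_ONLY_MARKERS) for hop in finding["from"][1:])


def evaluate(report_text, threshold="high", ignore_ids=(), fail_on_test_only=False):
    """Split findings at or above `threshold` into (blocking, advisory).

    blocking: not ignored and (unless fail_on_test_only) not reachable solely
              through a test harness; these should fail the build.
    advisory: ignored or test-only findings, kept for logging.
    """
    report = json.loads(report_text)
    min_rank = SEVERITY_RANK[threshold]
    blocking, advisory = [], []
    for v in report.get("vulnerabilities", []):
        if SEVERITY_RANK.get(v["severity"], 0) < min_rank:
            continue
        if v["id"] in ignore_ids or (is_test_only(v) and not fail_on_test_only):
            advisory.append(v)
        else:
            blocking.append(v)
    return blocking, advisory


def format_finding(v):
    """One-line summary including the full dependency path."""
    path = " > ".join(v["from"])
    return f"{v['severity'].upper()} {v['id']} {v['packageName']}@{v['version']} ({v['title']}) via {path}"


def main(argv):
    # Read the report path given on the command line, else use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    blocking, advisory = evaluate(text)
    for v in advisory:
        print("advisory:", format_finding(v))
    for v in blocking:
        print("BLOCKING:", format_finding(v))
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 snyk_gate.py snyk.json` after the Snyk step; on the sample report it flags the h2 finding as blocking and reports the jetty-client finding as advisory because its only path runs through the test harness. The `|| true` on the snyk command matters because `snyk test` itself exits non-zero whenever it finds anything, which would otherwise fail the job before this policy runs.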
TBD