Introduction

TBD

snyk.io

snyk.io offers a free sign-up with limited features (no license validation; that requires the Standard plan and up).


Language support and integrations are fairly extensive. See the Docs for more info.

Also, Docker container vulnerability management is available on paid plans.


snyk vs Sonatype Nexus IQ comparison

ONAP uses Sonatype Nexus IQ Server for security and licensing vulnerability checks, so to get started I just did a straight comparison on the DMaaP Data Router project.

SNYK.IO

snyk.io reports 2 high severity vulnerabilities:


✗ High severity vulnerability found in org.eclipse.jetty:jetty-client
  Description: Authorization Bypass
  Info: https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-32384
  Introduced through: org.onap.dmaap.datarouter:datarouter-node@2.0.2-SNAPSHOT, org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT, org.onap.dmaap.datarouter:datarouter-subscriber@2.0.2-SNAPSHOT
  From: org.onap.dmaap.datarouter:datarouter-node@2.0.2-SNAPSHOT > org.sonatype.http-testing-harness:junit-runner@0.11 > org.sonatype.http-testing-harness:server-provider@0.11 > org.eclipse.jetty:jetty-proxy@9.2.7.v20150116 > org.eclipse.jetty:jetty-client@9.2.7.v20150116
  From: org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT > org.sonatype.http-testing-harness:junit-runner@0.11 > org.sonatype.http-testing-harness:server-provider@0.11 > org.eclipse.jetty:jetty-proxy@9.2.7.v20150116 > org.eclipse.jetty:jetty-client@9.2.7.v20150116
  From: org.onap.dmaap.datarouter:datarouter-subscriber@2.0.2-SNAPSHOT > org.sonatype.http-testing-harness:junit-runner@0.11 > org.sonatype.http-testing-harness:server-provider@0.11 > org.eclipse.jetty:jetty-proxy@9.2.7.v20150116 > org.eclipse.jetty:jetty-client@9.2.7.v20150116

✗ High severity vulnerability found in com.h2database:h2
  Description: Arbitrary Code Execution
  Info: https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-31685
  Introduced through: org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT
  From: org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT > com.h2database:h2@1.4.197


Sonatype Nexus IQ

Sonatype Nexus IQ reports only 1, for the H2 database:

This may depend on how often the vulnerability database is updated in each application.


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335



Hooking snyk.io into Jenkins CI seems pretty straightforward: just set SNYK_TOKEN for the account in use. This would probably be an org-level token.

https://support.snyk.io/integrations/jenkins/jenkins-integration
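As an added example (not code from this page, from ONAP, or from Snyk), here is a small Python parser for the `snyk test` text output shown above, plus the severity gate a Jenkins job would apply after the scan. The sample input is a constructed string containing the two findings from this page; the gate mirrors the effect of the Snyk CLI's `--severity-threshold` option, and the "direct dependency" helper is my own triage aid, not a Snyk feature.

```python
"""Parse `snyk test` text output into structured findings and decide a CI gate.

Added example; assumes the CLI text format shown on this page (header line,
Description / Info / Introduced through / From lines). In Jenkins this would run
on the output of `snyk test` with SNYK_TOKEN already set in the environment.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the two findings reported on this page, reproduced as text.
SAMPLE_OUTPUT = """\
✗ High severity vulnerability found in org.eclipse.jetty:jetty-client
  Description: Authorization Bypass
  Info: https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-32384
  Introduced through: org.onap.dmaap.datarouter:datarouter-node@2.0.2-SNAPSHOT, org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT, org.onap.dmaap.datarouter:datarouter-subscriber@2.0.2-SNAPSHOT
  From: org.onap.dmaap.datarouter:datarouter-node@2.0.2-SNAPSHOT > org.sonatype.http-testing-harness:junit-runner@0.11 > org.sonatype.http-testing-harness:server-provider@0.11 > org.eclipse.jetty:jetty-proxy@9.2.7.v20150116 > org.eclipse.jetty:jetty-client@9.2.7.v20150116
  From: org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT > org.sonatype.http-testing-harness:junit-runner@0.11 > org.sonatype.http-testing-harness:server-provider@0.11 > org.eclipse.jetty:jetty-proxy@9.2.7.v20150116 > org.eclipse.jetty:jetty-client@9.2.7.v20150116
  From: org.onap.dmaap.datarouter:datarouter-subscriber@2.0.2-SNAPSHOT > org.sonatype.http-testing-harness:junit-runner@0.11 > org.sonatype.http-testing-harness:server-provider@0.11 > org.eclipse.jetty:jetty-proxy@9.2.7.v20150116 > org.eclipse.jetty:jetty-client@9.2.7.v20150116

✗ High severity vulnerability found in com.h2database:h2
  Description: Arbitrary Code Execution
  Info: https://snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-31685
  Introduced through: org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT
  From: org.onap.dmaap.datarouter:datarouter-prov@2.0.2-SNAPSHOT > com.h2database:h2@1.4.197
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Header line of each finding, e.g. "✗ High severity vulnerability found in com.h2database:h2"
HEADER_RE = re.compile(r"^✗ (\w+) severity vulnerability found in (\S+)$")


@dataclass
class Finding:
    severity: str
    package: str
    description: str = ""
    info: str = ""
    paths: list = field(default_factory=list)  # each path: ["root@v", "direct@v", ..., "vulnerable@v"]

    def direct_dependencies(self) -> set:
        """Second hop of every path: the dependency declared in the POM that pulls the vulnerable one in."""
        return {p[1] for p in self.paths if len(p) > 1}

    def vulnerable_versions(self) -> set:
        """Versions of the vulnerable package actually resolved, taken from the last hop of each path."""
        return {p[-1].rsplit("@", 1)[1] for p in self.paths}


def parse_snyk_output(text: str) -> list:
    """Turn the CLI text into Finding objects; lines outside a finding block are ignored."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = Finding(severity=m.group(1).lower(), package=m.group(2))
            findings.append(current)
            continue
        if current is None or not line:
            continue
        if line.startswith("Description:"):
            current.description = line.split(":", 1)[1].strip()
        elif line.startswith("Info:"):
            current.info = line.split(":", 1)[1].strip()
        elif line.startswith("From:"):
            current.paths.append([hop.strip() for hop in line.split(":", 1)[1].split(">")])
    return findings


def findings_by_module(findings: list) -> dict:
    """Map each root module (first hop of a path) to the vulnerable packages it resolves."""
    by_module = {}
    for f in findings:
        for p in f.paths:
            by_module.setdefault(p[0], set()).add(f.package)
    return by_module


def should_fail_build(findings: list, threshold: str = "high") -> bool:
    """Same decision as `snyk test --severity-threshold=<level>`: fail if any finding meets the bar."""
    bar = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f.severity, 0) >= bar for f in findings)


if __name__ == "__main__":
    found = parse_snyk_output(SAMPLE_OUTPUT)
    for f in found:
        print(f"{f.severity.upper():8} {f.package}: {f.description}")
        print(f"         fix via direct dependency: {', '.join(sorted(f.direct_dependencies()))}")
    for module, pkgs in sorted(findings_by_module(found).items()):
        print(f"{module} -> {', '.join(sorted(pkgs))}")
    raise SystemExit(1 if should_fail_build(found, "high") else 0)
```

Run against the page's own output, the parser shows what the raw listing makes hard to see: the jetty-client finding reaches all three DMaaP modules through a single direct dependency (`org.sonatype.http-testing-harness:junit-runner@0.11`), so one POM change addresses three reported paths, whereas `com.h2database:h2@1.4.197` is a direct dependency of datarouter-prov only. The exit code is what a Jenkins stage would key on.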


Scanning Artifacts Stored on Artifactory

TBD