Skip to content

billytronics/snyk-sast-sca-cicd-workshop

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 

Repository files navigation

Snyk Code, Snyk Open Source and CI/CD Workshop

A hands-on session to see how you can implement Snyk Code and Snyk Open Source early, to easily find and fix both security issues in their own proprietary code as well as known vulnerabilities in their open source dependencies, reducing risk and accelerate the software development.

Prerequisites

Tasks

In this hands-on workshop we will achieve the following:

Snyk Code steps

Snyk Open Source steps

Set up GitHub Actions to run Snyk Code and Snyk Open Source

Workshop Steps

NOTE: It is assumed your using a mac for these steps, but it should also work on Windows or linux with some modifications to the scripts potentially.

Step 1 - Fork the highly vulnerable Juice-Shop Application

NOTE: You may have already forked the Juice-Shop application in that case go ahead and skip this step

Navigate to the following GitHub repo - https://github.com/juice-shop/juice-shop

NOTE: this repo comes from the project Juice Shop from OWASP

  • Click on the "Fork" button
  • Ensure you are forking this repo to your public GitHub account
  • Click done

juice_shop_screenshot

Step 2 - Configure GitHub Integration

NOTE: You may have already setup GitHub integration in that case go ahead and skip this step

First we need to connect Snyk to GitHub so we can import our Repository. Do so by following these steps below:

  • Login to http://app.snyk.io Sign up if you haven't already.
  • Navigating to Integrations -> Source Control -> GitHub
  • Fill in your Account Credentials to Connect your GitHub Account.

integration workshop

Snyk Code Steps

Snyk Code is developer-first, embedding SAST as part of the development process, enabling developers to build software securely during development, not trying to find and fix problems after the code is compiled. Snyk Code works in the IDEs and SCMs developers use to build and review software and provides fast, actionable, meaningful results to fix issues in real-time

Step 3 - Enable Snyk Code within Snyk App

  • Click on the "Settings" button on the top most navigation bar as shown below

setting_screenshot

  • Click on "Snyk Code", then enable it and click "Save Changes" as shown below

snyk_code_setting

Step 4 - Add project to find Snyk Code Vulnerabilities

Now that Snyk is connected to your GitHub Account, import the Forked Repo "juice-shop" into Snyk as a Project.

  • Navigate to Projects
  • Click "Add Project" then select "GitHub"
  • Click on the Repo you forked "juice-shop"
  • Click "Add Selected Repositories"

alt tag

  • Once complete you should see a "Code Analysis" project as shown below

alt tag

  • Click on "Code Analysis" to view our SAST scan results

For each Vulnerability, Snyk displays the following:

  1. Each Vulnerability grouped by severity
  2. Each Vulnerability links to the CWE category code
  3. Each Vulnerability shows the CWE category name
  4. Displays the line of code where the security issue exists
  5. Description for the issue and the code file name it exists in
  6. A link to a Snyk Learn module on how to fix these type of vulnerabilities if available
  7. The ability to ignore issues you wish to remove from the list

alt tag

  • Click on the "Full Details" button as shown below

Snyk products all provide a developer-friendly experience, so Snyk Code helps developers to quickly understand the problem, learn the background, and how to approach it. Snyk Code helps you understand the dangerous code flow step-by-step. For every issue, Code also provides a link to the lines in the relevant files, to view more details on the problem like the CWE, and how to approach it.

alt tag

  • Click on "Fix Analysis" to see how you can fix the issue based on other open source project. On this page you get not just source code example fixes but also the following detailed information
  1. Details
  2. Types Of Attacks
  3. Affected Environments
  4. How to prevent

alt tag

Step 5 - Run a Snyk Code CLI Test

In addition to the Snyk App UI we also have, snyk - CLI a build-time tool to find & fix known vulnerabilities in open-source dependencies, IaC configuration files and SAST scans on the source code files itself (Snyk Code).

  • Before we get started please make sure you have setup the Snyk CLI. There are various install options as per the links below. Using the prebuilt binaries means you don't have to install NPM to install the Snyk CLI.
  1. Install Page - https://support.snyk.io/hc/en-us/articles/360003812538-Install-the-Snyk-CLI
  2. Prebuilt Binaries - https://github.com/snyk/snyk/releases

Note: Please ensure you have the latest version of the Snyk CLI installed a version equal to or greater than the version below

$ snyk --version
1.801.0
  • Authorize the Snyk CLI with your account as follows
$ snyk auth

Now redirecting you to our auth page, go ahead and log in,
and once the auth is complete, return to this prompt and you'll
be ready to start using snyk.

If you can't wait use this url:
https://snyk.io/login?token=ff75a099-4a9f-4b3d-b75c-bf9847672e9c&utm_medium=cli&utm_source=cli&utm_campaign=cli&os=darwin&docker=false

Your account has been authenticated. Snyk is now ready to be used.
  • Clone your forked repository as shown below. You can use your own GitHub forked repo here instead of the one shown below if you like
$ git clone https://github.com/jiajunngjj/juice-shop
Cloning into 'juice-shop'...
remote: Enumerating objects: 94967, done.
remote: Counting objects: 100% (17/17), done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 94967 (delta 5), reused 13 (delta 4), pack-reused 94950
Receiving objects: 100% (94967/94967), 157.66 MiB | 10.35 MiB/s, done.
Resolving deltas: 100% (72676/72676), done.
  • Change to the "juice-shop" directory
$ cd juice-shop
  • At this point let's go ahead and run our first "snyk code test" as shown below
$ snyk code test

Testing /Users/jiajun/workspace/github/juice-shop ...

 ✗ [Low] Cleartext Transmission of Sensitive Information
     Path: test/e2eSubfolder.js, line 7
     Info: http (used in require) is an insecure protocol and should not be used in new code.

 ✗ [Low] Cleartext Transmission of Sensitive Information
     Path: test/api/productReviewApiSpec.js, line 9
     Info: http (used in require) is an insecure protocol and should not be used in new code.

...

 ✗ [High] Server-Side Request Forgery (SSRF)
     Path: routes/profileImageUrlUpload.js, line 19
     Info: Unsanitized input from the HTTP request body flows into request.get, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.

 ✗ [High] Server-Side Request Forgery (SSRF)
     Path: frontend/src/app/Services/configuration.service.ts, line 111
     Info: Unsanitized input from data from a remote resource flows into get, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.

 ✗ [High] Improper Neutralization of Directives in Statically Saved Code
     Path: routes/userProfile.js, line 46
     Info: Unsanitized input from cookies flows into pug.compile, where it is used to construct a template that gets rendered. This may result in a Server-Side Template Injection vulnerability.


✔ Test completed

Organization:      jj.ng
Test type:         Static code analysis
Project path:      /Users/jiajun/workspace/github/juice-shop

267 Code issues found
28 [High]   86 [Medium]   153 [Low

Snyk Open Source Steps

Snyk Open Source is a Software Composition Analysis took which seamlessly and proactively finds, prioritizes and fixes vulnerabilities and license violations in open source dependencies

Step 6 - Find vulnerabilities

  • Since Juice-Shop project had been imported in the Step 3, you should see multiple "package.json" projects as shown below.

snyk_open_source

  • Click on the second "package.json" to view our Open Source scan results

First let's explore the Juice-Shop project risks by clicking on the "package.json" file which is the manifest file where the open source dependencies are declared.

alt tag

Thenk go back on the Snyk WebUI and let's have a look at the vulnerabilities.

For each Vulnerability, Snyk displays the following ordered by our Proprietary Priority Score :

  1. The module that introduced it and, in the case of transitive dependencies, its direct dependency,
  2. Details on the path and proposed Remediation, as well as the specific vulnerable functions
  3. Overview
  4. Exploit maturity
  5. Links to CWE, CVE and CVSS Score
  6. Plus more ...

alt tag

Step 7 - Fix using a Pull Request

When using the GitHub integration, and if a fix is available, Snyk can automatically upgrade the vulnerable dependency to a non-vulnerable version through a Pull Request.

  • Click on "Fix this vulnerability" for "Prototype Pollution" issue as shown below

alt tag

  • On the next screen, you'll be able to confirm the issue to fix with this PR. Click "Open a Fix PR"

alt tag alt tag

  • Once it's ready, you'll be taken to the PR in GitHub, where you can review the changes in the file diff view:

Snyk integrates with your preferred Git repository to scan your manifest files for any new code and potential vulnerabilities whenever you submit a pull request (PR), protecting the security of your code before you ever merge it with the main branch

alt tag

  • We see that CI checks completed successfully, assuring us we didn't introduce a breaking change

alt tag

  • Optionally now, go ahead and merge the PR!
  • Back in Snyk we can appreciate that our package.json file has 1 less Critical Severity Vulnerability if you did fix it

Step 8 - Run a Snyk CLI Test

In addition to the Snyk App UI we also have, snyk - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies. The CLI is what is used in DevOps pipelines to introduce Application Security Scans as part of that workflow to push applications into production.

  • Before we get started please make sure you have setup the Snyk CLI. There are various install options as per the links below. Using the prebuilt binaries means you don't have to install NPM to install the Snyk CLI.
  1. Install Page - https://support.snyk.io/hc/en-us/articles/360003812538-Install-the-Snyk-CLI
  2. Prebuilt Binaries - https://github.com/snyk/snyk/releases
  • In order to run a Snyk CLI test we must install the npm packages so if you have npm in your path you can install them as follows

Check your Node version:

$ node -v

Note: If you're using Node version v14.x or v16.x or v18.x, you can proceed to the next step (npm install), else please set up Node version 14 (Juice-Shop supported compatibility)

For MacOS brew user:

$ brew install node@14
$ export PATH="/usr/local/opt/node@14/bin:$PATH"

For Windows/Linux nvm user:

$ nvm install 14
$ nvm list
$ nvm use version-number

With the right Node version, run:

$ npm install

Note: If you don't have npm installed this you can skip this final step as a "snyk test" will not work without a package-lock.json file or the "node_modules" folder

  • Once npm is installed run a Snyk CLI test as follows
❯ snyk test --all-projects

Testing /Users/jiajun/workspace/github/juice-shop...

Tested 898 dependencies for known issues, found 37 issues, 52 vulnerable paths.


Issues to fix by upgrading:

  Upgrade [email protected] to [email protected] to fix
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 8 other path(s)

  Upgrade [email protected] to [email protected] to fix
  ✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://snyk.io/vuln/npm:moment:20170905] in [email protected]
    introduced by [email protected] > [email protected] > [email protected]
    
...

  ✗ Use After Free [High Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-541000] in [email protected]
    introduced by [email protected]
  No upgrade or patch available
  ✗ Out-of-bounds Read [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODESASS-541002] in [email protected]
    introduced by [email protected]
  No upgrade or patch available


License issues:

  ✗ GPL-3.0 license (new) [High Severity][https://snyk.io/vuln/snyk:lic:npm:qrious:GPL-3.0] in [email protected]
    introduced by [email protected] > [email protected]



Organization:      workshop
Package manager:   npm
Target file:       frontend/package.json
Project name:      frontend
Open source:       no
Project path:      /Users/jiajun/workspace/github/juice-shop
Licenses:          enabled

Tip: Run `snyk wizard` to address these issues.


Tested 2 projects, 2 contained vulnerable paths.

CI/CD Steps

Snyk integrates with your CI/CD pipelines to provide the ability to prevent critical vulnerabilities from going into production. Adequate security gates are essential in ensuring the appropriate quality is delivered in an automated fashion and nothing serious slips through by accident.

Step 9 - Retrieve the Snyk API token from Snyk App

  • Login to http://app.snyk.io
  • Navigating to Settings -> Service Accounts
  • Create a new service account, ghactions
  • Assign the role, Org Admin

service account

  • Once created, copy the API token to clipboard.

Step 10 - Add the Snyk API token into the GitHub repository secret

  • Navigate to your forked juice-shop repository
  • Navigate to Settings
  • Click on Secrets

secrets

  • Click on Actions
  • Click on New repository secret

secrets2

  • Use SNYK_TOKEN as the name of the secret
  • Paste your Snyk API token from Step 10

secrets3

  • Click Add secret

Step 11 - Create the GitHub Actions workflow

  • Navigate to your forked juice-shop repository
  • Navigate to Actions
  • Click on new workflow

github_actions

  • Click on Set up a workflow yourself

github_actions2

  • Copy and paste the following to the main.yml:
name: "Snyk Code and Snyk Open Source Test"

on:
  push:
    branches:
    - master

jobs:
  Pipeline-Job:
    # Configure Environment
    name: 'Snyk Test'
    runs-on: ubuntu-latest
    env: 
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       
    steps:
    # Checkout Code
    - name: Checkout Code
      uses: actions/checkout@v1

    # Install and Authenticate to Snyk
    - name: Install Snyk & Authenticate
      run: |
         sudo npm install -g snyk
         echo ${SNYK_TOKEN}
         snyk auth ${SNYK_TOKEN}
    # Run Snyk Code
    - name: Snyk Code test
      run: |
         snyk code test
      continue-on-error: true
    # Run Snyk Open Source
    - name: Snyk Open Source test
      run: |
         snyk test
      continue-on-error: true
  • Click on Start commit
  • Click on Commit new file

actions3

Congratulations, you have completed. Thanks for attending and completing this workshop

alt tag


JJ [jj.ng at snyk.io] is a Solution Engineer at Snyk APJ

About

An Intro Workshop of Snyk

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published