Comments (11)
A couple of sample Snyk results on Groupon projects (though typically you'll run Snyk from the CLI):
https://snyk.io/test/github/groupon/nlm
https://snyk.io/test/github/groupon/report-card
https://snyk.io/test/github/groupon/DotCi
from codeburner.
Definitely interested! Two questions:
- I don't see anything in the docs re: output formatting or in the command line help... does Snyk have an easy way to output JSON or XML? It's not a show stopper if not, it'll just make things easier.
- What differentiates Snyk from retire.js/nodesecurity, the remediation (which is very interesting, fwiw)?
Great!
Re json, you can specify a --json argument to 'snyk test' to get json output. Good point on it missing from the docs, we'll fix that.
Re difference, the main delta is remediation. That said, the tools operate a bit differently. There are a handful of issues in our DB that aren't in nodesecurity (our DB is at https://github.com/Snyk/vulndb), and we've encountered various packages where we reported issues while they did not.
It's on the list for pipeline now; I'll get it added probably next week and update codeburner as soon as the new gem is published.
Thanks for the submission!
I started working on this integration today, unfortunately I hit a snag.
I ran snyk against about a dozen different javascript apps, some of which have known vulns caught by nodesecurity or retire. I have yet to get snyk to report a single result, unfortunately. I even tried it against the snyk-demo-app I found reference to with no luck.
I'm running npm 3.3.3 and node 0.12.7 if it helps...
One thought: do you run Snyk.io after running npm install?
When you run snyk locally, it tests the set of packages actually deployed. The npm install logic is pretty complicated, especially when you factor in deduplication and shrinkwrap, so we determined it's best to test what is actually deployed. I believe nsp doesn't work that way (making it mis-report or totally miss some issues).
Can you try running it after npm install and see if you're getting the issues as expected?
Aha, got it! That's the same logic as retirejs, so I totally get it/agree... you might want to add that as another notch in the documentation belt, though, since I didn't see it mentioned anywhere :)
I've got some decent data now, and I already added a hook to specify a custom npm-registry in pipeline for our retirejs support (which does an npm install --no-scripts before it runs in pipeline) so this should work fine.
Thanks for the quick reply!
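The install-then-scan order discussed above (install with scripts disabled, then let Snyk test what is actually in node_modules and emit JSON), as an added shell example that is not code from the codeburner, Glue or Snyk projects. It assumes npm and snyk are on PATH and uses npm's --ignore-scripts flag; NPM_CMD and SCAN_CMD are hypothetical override variables for substituting the commands.

```shell
#!/bin/sh
# Added example, not from the codeburner/Snyk thread.
# Snyk tests the packages actually deployed in node_modules, so a scan run on a
# fresh checkout reports nothing. scan_installed installs first (with
# --ignore-scripts so package install hooks never execute on the scanning host),
# verifies that node_modules exists, then runs the scanner with JSON output.
# NPM_CMD and SCAN_CMD are hypothetical overrides; defaults are npm and
# "snyk test --json". A non-zero scanner status is returned to the caller so
# a pipeline can decide what to do with findings.
#
# usage: scan_installed PROJECT_DIR [REPORT_FILENAME]
scan_installed() {
  dir=$1
  report=${2:-snyk-report.json}

  [ -f "$dir/package.json" ] || { echo "no package.json in $dir" >&2; return 2; }

  # Deploy the dependency tree exactly as npm would, minus lifecycle scripts.
  ( cd "$dir" && ${NPM_CMD:-npm} install --ignore-scripts >/dev/null ) || {
    echo "npm install failed in $dir; nothing deployed to test" >&2; return 2; }
  [ -d "$dir/node_modules" ] || {
    echo "node_modules missing after install; scan would be empty" >&2; return 2; }

  # Resolve an absolute report path so the scanner's cwd does not matter.
  out="$(cd "$dir" && pwd)/$report"
  # The scanner exits non-zero when it finds issues; capture rather than abort.
  ( cd "$dir" && ${SCAN_CMD:-snyk test --json} > "$out" )
  status=$?
  echo "scan of $dir finished with status $status, report in $out" >&2
  return $status
}
```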
FYI this is done, I'm just waiting to finish 1 more (big) feature for pipeline before I submit the PR/add it to codeburner proper.
FWIW the Markdown details actually look pretty nice in the codeburner interface after an html conversion ;)
Awesome - will test it out a bit later!
Fixed in pipeline: OWASP/glue#28
Once that's merged I'll update codeburner and Snyk support will be in.
This all finally made it in to today's release, Snyk is fully supported now.