As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team is looking forward to continuing to support you on this journey.
Snyk Remote Provider (ThreadFix 3.X)
You will learn
How to set up Snyk as a ThreadFix remote provider, obtain scan data from it, and how that data is parsed.
Prerequisites
Audience: IT Professional or End User
Difficulty: Advanced
Time needed: Approximately 10 minutes
Tools required: User must have the Server Manager role
For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers.
For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API
Introduction
Snyk can be used to scan and secure a codebase and cloud infrastructure configurations, taking advantage of Snyk's capabilities in Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Infrastructure as Code analysis.
Snyk Open Source - Find and fix known vulnerabilities and licensing issues in open-source dependencies
Snyk Code - Scan a codebase for known vulnerabilities and get remediation guidance either inline in an IDE or by importing a code repository to Snyk Web UI
Snyk IaC - Secure cloud infrastructure configurations before and after deployment
Read before proceeding
Please note that the integration automatically imports both SAST (Static Application Security Testing) and SCA (Software Composition Analysis) findings from Snyk into ThreadFix.
ThreadFix currently does not support Container security findings. When Container findings are supported, documentation will be updated.
Snyk User Account
During the creation process, users will need to provide a name, API URL, and API Key.
API Usage
Authentication
Snyk requires API tokens for authentication of all API calls. The API token is generated using the Authentication API.
The APIs below are used to retrieve the list of SCA vulnerabilities.
Retrieve list of Organizations
GET https://apidocs.snyk.io/?version=2023-12-21#get-/orgs
Retrieve targets for a given Org Id
GET https://apidocs.snyk.io/beta?version=2024-01-04%7Ebeta#get-/orgs/-org_id-/targets
Retrieve projects for a given Org Id and target id (the target id is provided as a query-string parameter). Projects can also be filtered using the 'types' query-string parameter. The project types Snyk supports can be found here: https://docs.snyk.io/snyk-api/using-snyk-api/snyk-api-responses-project-type
GET https://apidocs.snyk.io/?version=2024-01-04#get-/orgs/-org_id-/projects
Retrieve the SBOM document of a software project for a given Org Id and project id; it provides the package-level details needed to get issues.
Retrieve the issues for a given package. A separate request is needed for each package using this API. The package is identified by its Package URL (purl).
Note: if GET /orgs/{org_id}/issues is used to get SCA issues for a given org id and project id, the response does not have enough details to map Snyk vulnerability fields to ThreadFix finding fields such as vulnerability details and remediation recommendations. We therefore suggest using the above series of API calls to get SCA vulnerabilities. Refer to the GET /orgs/{org_id}/issues response below for reference:
Snyk REST API Documentation
The APIs below are used to retrieve the list of SAST vulnerabilities.
Retrieve list of Organizations
Retrieve targets for a given Org Id
Retrieve projects for a given Org Id and target id (the target id is provided as a query-string parameter). Projects can also be filtered using the 'types' query-string parameter. The project types Snyk supports can be found here: https://docs.snyk.io/snyk-api/using-snyk-api/snyk-api-responses-project-type
Retrieve issues for a given Org Id and project id (the project id is provided in the scan_item.id query-string parameter, with scan_item.type set to 'project' and type set to 'code').
To retrieve issue details for a specific Issue ID, use the Issue ID from the data:attributes:key field of the issue as listed by the REST API "Get Issues by Org" call. A separate request is needed for each issue to get its details using this API.
Note:
GET /orgs/{org_id}/targets - the beta version of the API is needed to get targets
GET /orgs/{org_id}/issues - the beta version of the API is needed to get issues
GET /orgs/{org_id}/issues/detail/code/{issue_id} - the experimental version of the API is needed to get issue details
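As an added example (not ThreadFix's or Snyk's own code), the two call chains above carried out in Python against a constructed offline transport: the SAST chain with its beta and experimental version tags and scan_item parameters, and the SCA chain's one-request-per-purl step. The REST base URL, the Authorization header form, the sbom and packages paths, and the links.next pagination being relative to that base are assumptions taken from the Snyk REST API docs rather than stated on this page.

```python
import json
from urllib.parse import quote, urlencode, urlparse
from urllib.request import Request, urlopen

BASE = "https://api.snyk.io/rest"  # assumption: REST base URL (the page only links the API docs)

class SnykClient:
    def __init__(self, token, fetch=None):
        self.token = token
        self.fetch = fetch or self._http  # injectable transport so the walk can run offline

    def _http(self, url):  # real transport; assumed "Authorization: token <API token>" header form
        with urlopen(Request(url, headers={"Authorization": f"token {self.token}"})) as resp:
            return json.load(resp)

    def get(self, path, version, **params):
        # GET a JSON:API collection and follow links.next (assumed relative to BASE); the version tag rides in the query
        url, items = f"{BASE}{path}?{urlencode({'version': version, **params})}", []
        while url:
            body = self.fetch(url)
            items.extend(body.get("data", []))
            nxt = (body.get("links") or {}).get("next")
            url = BASE + nxt if nxt and nxt.startswith("/") else nxt
        return items

def sast_issue_details(client, org_id, project_id):
    # SAST chain: list code issues (beta tag), then fetch each detail (experimental tag) by attributes.key
    issues = client.get(f"/orgs/{org_id}/issues", "2024-01-04~beta",
                        **{"scan_item.id": project_id, "scan_item.type": "project", "type": "code"})
    return [client.fetch(f"{BASE}/orgs/{org_id}/issues/detail/code/{i['attributes']['key']}?"
                         + urlencode({"version": "2024-01-04~experimental", "project_id": project_id}))
            for i in issues]

def sca_issues_by_purl(client, org_id, project_id):
    # SCA chain: the SBOM lists package URLs; issues take one request per purl, percent-encoded in the path
    sbom = client.fetch(f"{BASE}/orgs/{org_id}/projects/{project_id}/sbom?"  # assumed sbom/packages paths
                        + urlencode({"version": "2024-01-04", "format": "cyclonedx1.4+json"}))
    purls = sorted({c["purl"] for c in sbom.get("components", []) if c.get("purl")})
    return {p: client.get(f"/orgs/{org_id}/packages/{quote(p, safe='')}/issues", "2024-01-04") for p in purls}

# Constructed offline responses keyed by request path (the SBOM body is CycloneDX, not JSON:API)
CANNED = {
    "/rest/orgs/o1/issues": {"data": [{"id": "i1", "attributes": {"key": "k-1"}}],
                             "links": {"next": "/orgs/o1/issues?version=2024-01-04~beta&starting_after=i1"}},
    "/rest/orgs/o1/issues/detail/code/k-1": {"data": {"id": "k-1", "attributes": {"title": "XSS"}}},
    "/rest/orgs/o1/projects/p1/sbom": {"components": [{"purl": "pkg:npm/lodash@4.17.15"}]},
    "/rest/orgs/o1/packages/pkg%3Anpm%2Flodash%404.17.15/issues": {"data": [{"id": "v1"}]},
}

def offline_fetch(url):  # the second page of the issue list (starting_after) is constructed empty
    parsed = urlparse(url)
    return {"data": [], "links": {}} if "starting_after" in parsed.query else CANNED[parsed.path]
```

Swap `offline_fetch` for the default transport and a real token to run the same walk against Snyk; the per-purl loop is where request volume grows with SBOM size.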
Snyk Data Classification
Container Projects
deb
rpm
linux
apt
dockerfile
Cloud Types
k8sconfig
armconfig
cloudformation
terraformconfig
terraformplan
helmconfig
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.