As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus ThreadFix SaaS and migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix and our team is looking forward to continuing to support you on this journey.

Snyk Remote Provider (ThreadFix 3.X)

You will learn

How to create Snyk as ThreadFix remote provider, obtain Scan data, as well as how data is parsed.

Prerequisites

Audience: IT Professional or End User
Difficulty: Advanced
Time needed: Approximately 10 minutes
Tools required: User must have Server Manager role

For general information & instructions on the use of Remote Providers within ThreadFix, please refer to this page's parent page: Remote Providers.

For information on REST API functionality for Remote Providers, please refer to the following: Remote Providers API

Introduction

Snyk can be used to scan and secure codebase and cloud infrastructure configurations, taking advantage of the Snyk capabilities in Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Infrastructure as Code analysis.

  • Snyk Open Source - Find and fix known vulnerabilities and licensing issues in open-source dependencies

  • Snyk Code - Scan a codebase for known vulnerabilities and get remediation guidance either inline in an IDE or by importing a code repository to Snyk Web UI

  • Snyk IaC - Secure cloud infrastructure configurations before and after deployment

Read before proceeding

Please note the integration will facilitate the automatic import of both SAST (Static Application Security Testing) and SCA (Software Composition Analysis) findings from Snyk into ThreadFix.
ThreadFix currently does not support Container security findings. When Container findings are supported, documentation will be updated.

Snyk User Account

During the creation process, users will need to provide a name, API URL, and API Key.

image-20240308-233047.png

API Usage

Authentication

Snyk requires API tokens for authentication of all API calls. API token is generated using the Authentication API.

Below APIs used to retrieve list of SCA vulnerabilities

Retrieve list of Organizations

GET https://apidocs.snyk.io/?version=2023-12-21#get-/orgs

Retrieve targets for a given Org Id

GET https://apidocs.snyk.io/beta?version=2024-01-04%7Ebeta#get-/orgs/-org_id-/targets

Retrieve projects for a given Org Id and for a target id (target id is provided in query-string parameter). And also projects can be filtered by using ‘types’ query-string parameter. Snyk supported projects types can be found here Project type responses from the API | Snyk User Docs

GET https://apidocs.snyk.io/?version=2024-01-04#get-/orgs/-org_id-/projects

Retrieve the SBOM document of a software project for a given Org Id and project id which provides package level details to get issues.

Retrieve the issues for a given package. Need separate request for each package using this API. Package is identified by Package URL (purl)

 

Note:
If 'GET /orgs/{org_id}/issues' is used to get SCA issues for a given org id and project id if the response does not have enough details to map Snyk vulnerability fields to ThreadFix finding fields like vulnerability details and remediation recommendations. Thus we suggest using the above series of API calls to get SCA vulnerabilities.

Refer GET /orgs/{org_id}/issues response below for reference:
Snyk REST API Documentation

The below APIs are used to retrieve your list of SAST vulnerabilities 

Retrieve list of Organizations

Retrieve targets for a given Org Id

Retrieve projects for a given Org Id and for a target id (target id is provided in query-string parameter). And also projects can be filtered by using ‘types’ query-string parameter. Snyk supported projects types can be found here Project type responses from the API | Snyk User Docs

Retrieved issues for a given Org Id and project id (project id is provided in scan_item.id, scan_item.type as 'project' and type as 'code' in query-string parameters)

To retrieve issue details for a specific Issue ID, use the Issue ID from the data:attributes:key field for a particular issue listed in the Rest API "Get Issues by Org" API call. Need separate request for each issue to get issue details using this API.

 

Note:

GET /orgs/{org_id}/targets - Need to use beta version API to get targets
GET /orgs/{org_id}/issues - Need to use Beta version api to get issues
GET /orgs/{org_id}/issues/detail/code/{issue_id} -- Need to use experimental version api to get issue details

Snyk Data Classification

Container Projects

  • deb

  • rpm

  • linux

  • apt

  • dockerfile

 

Cloud Types

  • k8sconfig

  • armconfig

  • cloudformation

  • terraformconfig

  • terraformplan

  • helmconfig

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.

This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.