
[🙏] Support preserving projects at a specific version instead of overwriting to enable identifying vulnerabilities in previously released versions of software

Open cjheppell opened this issue 3 years ago • 5 comments

  • Language / Project Type: All (though we're primarily C#)
  • Package Manager / Build Tool: All (though again, NuGet since we're C#)

Describe the user need

We build and release software that is installed as desktop programs on user machines. We'd like to use Snyk to ensure that we know if any of our historical releases (e.g., 1 year ago) are identified as having vulnerabilities.

The reason for this is so that we can inform our users they need to update their software from us as it contains a newly disclosed vulnerability.

Since we aren't in control of the versions our customers use (as they will use whichever version they have installed, and aren't guaranteed to be on the latest version), we want to preserve the snapshot of a project when snyk monitor was run, and be alerted when new vulnerabilities are discovered in that snapshot.

As it stands right now, when I run snyk monitor for a given code repository, it will instead overwrite the current project in the Snyk API and I will lose the ongoing analysis of the previous snapshot of the code.

Describe expected behaviour

Perhaps an extra flag such as --projectVersion which accepts an arbitrary string so that we can associate a given commit of the code with a particular version. In snyk, that will equate to essentially providing a unique project name, so as to avoid overwriting that with the typical "snyk monitor" behaviour.

Additional context

After working with Snyk support on this, I wrote a "wrapper" CLI for Snyk which is intended to achieve exactly this: https://github.com/cjheppell/snyk-history-scanner/

It effectively implements the code here as a distributable binary and provides the sort of flags discussed above.

Ideally, I don't want to maintain this as I believe it should be a first-class citizen of the Snyk CLI. I'm more than happy for Snyk to implement this and then I can archive my own repo.

cjheppell avatar Jan 04 '22 09:01 cjheppell

Hey Chris, sounds like this might help: https://docs.snyk.io/features/snyk-cli/grouping-projects-by-branch-or-version

jahed-snyk avatar Jan 06 '22 11:01 jahed-snyk
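The grouping the linked doc describes, as an added example that is not part of this thread and not Snyk's or snyk-history-scanner's own code: each release tag is monitored under the same project name but a distinct `--target-reference`, so an older release's snapshot keeps receiving alerts instead of being overwritten. It assumes the `snyk` CLI is on PATH and authenticated, that the working tree is a git checkout with release tags, and that `SNYK_BIN` may point at a stand-in such as `echo` for a dry run.

```shell
#!/bin/sh
# Added example (not from this thread): monitor every release tag as its own
# Snyk target reference so historical releases keep getting vulnerability alerts.
# Assumptions: `snyk` is on PATH and authenticated; the current directory is a
# git checkout with release tags; SNYK_BIN can be overridden (e.g. "echo").
set -eu

: "${SNYK_BIN:=snyk}"

# Render the command for one tag. The project name stays constant; only the
# target reference changes, which is what keeps the snapshots apart in Snyk.
snyk_monitor_cmd() {
  tag="$1"
  project="$2"
  printf '%s monitor --project-name=%s --target-reference=%s --all-projects\n' \
    "$SNYK_BIN" "$project" "$tag"
}

# Execute the monitor for one tag, quoting each argument (no eval of strings).
run_snyk_monitor() {
  tag="$1"
  project="$2"
  "$SNYK_BIN" monitor --project-name="$project" \
    --target-reference="$tag" --all-projects
}

# Check out each tag matching a glob (default: v*) and monitor it, then
# return to the branch or commit we started on.
monitor_release_tags() {
  project="$1"
  pattern="${2:-v*}"
  start=$(git symbolic-ref --short -q HEAD || git rev-parse HEAD)
  for tag in $(git tag --list "$pattern"); do
    git checkout --quiet "$tag"
    run_snyk_monitor "$tag" "$project"
  done
  git checkout --quiet "$start"
}
```

Run `monitor_release_tags myapp 'v1.*'` from the repository root to backfill one release line; each tag then appears in the Snyk UI grouped under its own target reference.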

Thanks @jahed-snyk

That looks like exactly what I'm looking for.

I'll do a bit more digging to confirm it replicates the behaviour we need and post back here.

cjheppell avatar Jan 06 '22 16:01 cjheppell

Hey @cjheppell were you able to solve the issue?

daudmalik06 avatar Feb 12 '22 17:02 daudmalik06

Still working on the migration from snyk-history-scanner to this native capability at the moment.

Initial investigation suggests this does exactly what we want. Will confirm back here once we've had this running for a while.

cjheppell avatar Feb 14 '22 09:02 cjheppell

Hi @daudmalik06, I can confirm that it all looks good, and we've managed to retire the custom snyk-history-scanner. (We work with @cjheppell in the same company.)

Greg-Smulko avatar Mar 18 '22 17:03 Greg-Smulko