About a year ago, we introduced you to Snyk, when we integrated Snyk data for npm vulnerabilities into Xray’s global database. With the recent release of version 1.11, JFrog Xray extends its support for Snyk, opening up analysis of open source vulnerabilities tracked from public structured databases across multiple ecosystems: npm, Java, Ruby, Python, Scala, Go, .NET and PHP. There is also the option to upgrade to “Snyk Premium”, which provides the full depth of the Snyk security database, along with advanced remediation, quality advisories and security patches.
Vulnerability Discovery, Prevention, and Remediation
The cost of fixing a bug grows exponentially the later you find it in your SDLC. Similarly, the cost of addressing a known vulnerability grows the later you discover it. With early discovery you can prevent the disruption of finding a vulnerability in one of your deployed applications. The absolute lowest cost of remediation is achieved by preventing new vulnerabilities from being introduced into your artifacts in the first place. Moreover, your workflow isn’t complete until you’ve actually remediated the vulnerabilities. The challenge with fixing them is the time required to research what each vulnerability means and what the options for removal are. This process gets especially complex when dealing with indirect dependencies and potential conflicts, and it often requires expertise that doesn’t exist broadly across the organization, so all issues end up channeled to a few experts who quickly become bottlenecks. Blindly upgrading to the latest versions of dependencies can also be risky, and is generally not a recommended approach. With Snyk Premium providing recommendations for remediation of vulnerabilities, its integration with JFrog Xray helps you avoid these costs.
Early Detection, Continuous Monitoring and Alerts
Xray and Snyk work together to detect vulnerabilities during the build process, which minimizes the cost of remediation since it can be implemented early in the SDLC. But even if your builds get past Xray and Snyk, new vulnerabilities are discovered all the time. Fortunately, JFrog continuously updates Xray, including adding new vulnerabilities from Snyk’s Basic database, and each time your build artifacts are scanned, the latest vulnerabilities will be exposed in JFrog Xray. However, waiting for scans to occur might prevent early detection of vulnerabilities, especially for artifacts that are not frequently scanned. To make sure that no vulnerability goes undetected, Xray continuously monitors your repositories. Any time you add artifacts, Xray takes note of all the dependencies you are using, and when a new vulnerability that affects your artifacts is captured by Snyk Basic or Snyk Premium, you will be immediately alerted. The diagram below shows how JFrog Xray with Snyk, working with Artifactory, fits into your SDLC to help you detect, monitor and eradicate vulnerabilities from your development and production systems alike.
So, if you don’t want to spend nights weeding out vulnerabilities from the hundreds and thousands of dependencies your artifacts are using, you might want to get started with a free trial of JFrog Xray. You can also learn more about the value you get from Snyk Premium and how to upgrade your Snyk account.