Manual scans on GitHub

Hello, I’m coming from the ASWF, which is an LF foundation. We have C++ repositories that we would like to scan and have the results made available in the LFX dashboards. One of these projects is GitHub - AcademySoftwareFoundation/OpenTimelineIO: Open Source API and interchange format for editorial timeline information. It’s visible in LFX Security.

I see that I’ll need to run the Snyk CLI in CI in order to do that, but this requires credentials. Additionally, I’m wondering if I’ll need to create the project in Snyk and so on? The LFX documentation doesn’t say how the integration between Snyk and LFX Security works, so I’m kind of blind as to what will be required on my side.

I can open an LF ticket if that’s a better way to ask for that.

Thanks!


Hi @jcmorin welcome to our community! :partying_face:

I can see the project is already onboarded on LFX Security, as I can see the project in the Security dashboard. I think the dilemma here is that, as Security stands today, we do not support C++ repositories: Supported Languages - Linux Foundation Documentation

We leverage Snyk for repo scanning and to our knowledge Snyk does not support scanning C/C++ projects. See: Snyk Code - Supported languages and frameworks - Snyk User Docs. As a result, we do not support these languages.

I do see information on how you can run Snyk CLI in CI here: https://docs.snyk.io/scan-application-code/snyk-code/using-snyk-code-from-ci-cd-pipeline but I am not positive this will work with C++ as I don’t believe Snyk supports this language. But please let me know if you have used Snyk for C++ in any other ways.

Looping in @David_Deal, it may be good to discuss over a thread here what solutions you leverage for your C++ repositories, as others may have C++ repositories as well.

Hey, Snyk supports C++, see Snyk for C/C++ - Snyk User Docs. At least it supports vulnerability reports. It doesn’t report licenses, I think. Also, C++ is only supported through the CLI. That’s why I said I’ll need to use the CLI, but for that I need credentials and a project in Snyk. How does that work with LFX Security? For example, in other places I’ve seen suggestions to run BluBracket as part of CI so that we get sensitive language + secret scanning as part of PRs, etc. Wouldn’t that require API credentials too?

@jcmorin ahh, got it. @David_Deal might be the best help regarding this question. @David_Deal, for C++ projects are you aware of any workarounds involving LFX Security?

Hi @jcmorin :wave:.

We can “connect” your command line usage/authorization with our Snyk account. We simply need to create an API integration token and share the Snyk organization mapping details with you.

I’ve created a ticket so that we can track the progress of this request.

https://jira.linuxfoundation.org/plugins/servlet/desk/portal/4/SUPPORT-16122

David


Once connected, you can run all the Snyk CLI commands. Feel free to publish the results into our account via the snyk monitor command. These would later be fetched and displayed in the LFX Security console.


Alright, thanks! I’ll test using my own account for now (because I know it works, but mileage varies between projects).


@jcmorin our support team sent you a link with the Snyk setup information (org + token).


Thank you! I saw that. I’ll try a simple test (without uploading) to see if everything works.

I have a ticket opened with Snyk right now so that they can fix some problems with the scan of one of our projects. So far I’ve been using my own user+org. Once the Snyk problems are sorted out, I’ll be able to publish straight using the provided API key.

Hey, so the key I received worked. But now I’m blocked by Snyk. I have a ticket opened with them because it’s not able to correctly find our C++ dependencies, even though we have one of the simplest setups out there (all our dependencies are unmodified git submodules, which means Snyk should be able to find all files, etc.). The last update I had from them was “we are sorry but it’ll take a long time before we can look at your ticket”. Is there a way to potentially speed that up a bit?

I’m starting to think that we might be better off publishing an SBOM to GH using the Dependency submission API - GitHub Docs. I’d need a custom tool to generate an SBOM from submodules, but that should be easy to write. The downside is that it won’t show up in LFX Security.

Does someone have any opinions on what we should do next?
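As an added example (not code from this thread, from OpenTimelineIO, or from Snyk), here is the shape such a "custom tool" could take: it reads the submodule declarations from .gitmodules and the pinned commits from the output of `git ls-tree -r HEAD`, turns each submodule into a package URL, and assembles the JSON body that the GitHub Dependency Submission API expects at `POST /repos/{owner}/{repo}/dependency-graph/snapshots`. Both inputs are passed in as strings so the logic runs offline; the sample .gitmodules, the commit SHAs, the detector name/URL and the job id are constructed for illustration. Submodules that are declared but have no gitlink in the tree (a stale .gitmodules entry) are reported separately rather than silently dropped.

```python
"""Build a GitHub Dependency Submission API snapshot from git submodules.

Added example, not the project's own tooling. Inputs are the text of
.gitmodules and of `git ls-tree -r HEAD`; a CI job would read both from the
checkout and POST the result with the GitHub token of the workflow.
"""
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample .gitmodules (not OpenTimelineIO's real file).
SAMPLE_GITMODULES = """\
[submodule "src/deps/pybind11"]
\tpath = src/deps/pybind11
\turl = https://github.com/pybind/pybind11.git
[submodule "src/deps/rapidjson"]
\tpath = src/deps/rapidjson
\turl = git@github.com:Tencent/rapidjson.git
[submodule "src/deps/vendored"]
\tpath = src/deps/vendored
\turl = https://git.example.org/vendored-lib.git
[submodule "src/deps/stale"]
\tpath = src/deps/stale
\turl = https://github.com/example/stale.git
"""

# Constructed `git ls-tree -r HEAD` output. Mode 160000 marks a gitlink
# (the pinned submodule commit); blobs are ignored. "stale" has no gitlink.
SAMPLE_LS_TREE = """\
100644 blob 1111111111111111111111111111111111111111\t.gitmodules
160000 commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\tsrc/deps/pybind11
160000 commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\tsrc/deps/rapidjson
160000 commit cccccccccccccccccccccccccccccccccccccccc\tsrc/deps/vendored
"""

_SECTION = re.compile(r'^\[submodule\s+"([^"]+)"\]\s*$')
_KEYVAL = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$')
# https://github.com/o/r(.git), git@github.com:o/r(.git), ssh://git@github.com/o/r(.git)
_GITHUB = re.compile(
    r'^(?:https://github\.com/|git@github\.com:|ssh://git@github\.com/)'
    r'([^/]+)/([^/]+?)(?:\.git)?/?$')


def parse_gitmodules(text):
    """Return {submodule name: {"path": ..., "url": ...}} from .gitmodules text."""
    mods, current = {}, None
    for line in text.splitlines():
        sec = _SECTION.match(line)
        if sec:
            current = mods.setdefault(sec.group(1), {})
            continue
        kv = _KEYVAL.match(line)
        if kv and current is not None:
            current[kv.group(1).lower()] = kv.group(2)   # git config keys are case-insensitive
    return mods


def parse_ls_tree(text):
    """Return {path: commit sha} for gitlink entries only (mode 160000)."""
    pins = {}
    for line in text.splitlines():
        meta, _, path = line.partition("\t")
        parts = meta.split()
        if len(parts) == 3 and parts[0] == "160000" and parts[1] == "commit":
            pins[path] = parts[2]
    return pins


def package_url(url, sha):
    """Map a submodule remote plus pinned commit to a purl.

    GitHub remotes become pkg:github/owner/repo@sha (owner and repo lowercased,
    as the purl spec requires for that type). Any other remote becomes a
    pkg:generic purl that keeps the clone URL in the vcs_url qualifier.
    """
    gh = _GITHUB.match(url)
    if gh:
        return f"pkg:github/{gh.group(1).lower()}/{gh.group(2).lower()}@{sha}"
    name = url.rstrip("/").rsplit("/", 1)[-1].removesuffix(".git")
    return f"pkg:generic/{name}@{sha}?vcs_url={quote('git+' + url, safe='')}"


def build_snapshot(gitmodules_text, ls_tree_text, sha, ref, job_id):
    """Return (snapshot dict, names of submodules declared but not pinned)."""
    pins = parse_ls_tree(ls_tree_text)
    resolved, missing = {}, []
    for name, mod in parse_gitmodules(gitmodules_text).items():
        path, url = mod.get("path"), mod.get("url")
        if path not in pins or not url:
            missing.append(name)
            continue
        resolved[name] = {
            "package_url": package_url(url, pins[path]),
            "relationship": "direct",
            "scope": "runtime",
            "dependencies": [],
        }
    snapshot = {
        "version": 0,
        "sha": sha,
        "ref": ref,
        "job": {"correlator": "submodule-sbom", "id": job_id},
        # Hypothetical detector identity; the API requires all three fields.
        "detector": {"name": "submodule-sbom", "version": "0.1.0",
                     "url": "https://example.invalid/submodule-sbom"},
        "scanned": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "manifests": {
            ".gitmodules": {
                "name": ".gitmodules",
                "file": {"source_location": ".gitmodules"},
                "resolved": resolved,
            }
        },
    }
    return snapshot, missing


if __name__ == "__main__":
    snap, missing = build_snapshot(SAMPLE_GITMODULES, SAMPLE_LS_TREE,
                                   "d" * 40, "refs/heads/main", "ci-run-1")
    print(json.dumps(snap, indent=2))
    if missing:
        print("warning: declared but not pinned:", ", ".join(missing))
```

Two caveats worth knowing before relying on this: `git ls-tree -r HEAD` only lists gitlinks of the superproject, so submodules nested inside a submodule need their own pass over that submodule's checkout, and whether GitHub raises Dependabot alerts for a given purl type depends on the ecosystems it matches against its advisory database, so a submitted snapshot can be visible in the dependency graph without producing alerts.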

Hi @jcmorin, thank you for the follow up here. I do not believe we are connected to Snyk’s ticketing system. This was a ticket with Snyk and not LFX correct?

Also, @David_Deal, do you have any additional insight on how we can showcase an SBOM from submodules in LFX Security?

Indeed, it’s a ticket I opened with Snyk. I created it with them directly since it’s really a Snyk problem. But now I’m wondering if I should instead have gone through LF support…

I found Snyk brings developer-first AppSec approach to C/C++ | Snyk where Snyk announced new functionalities for C++. The most interesting one to me is license scans.

But unfortunately, it’s still bad at detecting/finding dependencies…