Dependency-Track logov4.7

Snyk is a platform allowing you to scan, prioritize, and fix security vulnerabilities in your own code, open source dependencies, container images, and Infrastructure as Code (IaC) configurations.

It is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Dependency-Track integrates with Snyk using its REST API. Dependency-Track does not mirror Snyk entirely, but it does consume vulnerabilities on a ‘as-identified’ basis.

The Snyk integration is disabled by default.

Configuration #

To configure the Snyk integration, navigate to Analyzers -> Snyk (Beta) in the administration panel.

Base URL Base URL of the Snyk REST API. Defaults to
Organization ID The Snyk-internal organization ID.
Refer to Finding the Snyk ID and internal name of an Organization for details on how to find it.
API Token Authentication token for the REST API.
Multiple tokens may be provided by separating them with semicolons (see Using multiple Tokens).
Refer to Authentication for API for details on how to generate tokens.
API Version Version of the Snyk REST API to use.

Snyk Configuration

Rate Limiting #

The Snyk REST API is subject to rate limiting. At the time of writing, it allows for up to 1620 requests per minute, per authentication token. These numbers may change over time, and Snyk does explicitly not consider changes to the quota to be breaking changes. The current applicable rate limit can be found in Snyk’s REST API documentation.

Dependency-Track can deal with this limitation in multiple ways.

Retries #

Rate limited requests are generally handled simply by retrying them, with an exponentially increasing delay between attempts. Per default, requests will be retried up to 7 times, with delays between attempts increasing as follows:

Retry Attempt Delay before Attempt
1 1s
2 2s
3 4s
4 8s
5 16s
6 32s
7 60s

This behavior works fine for the majority of users, but can be customized if desired. Refer to Configuration for details. By monitoring metrics of this retry mechanism, it’s possible to assess how often requests had to be retried (see Monitoring). If requests have to be retried frequently, providing multiple authentication tokens (see below) can help.

Using multiple Tokens #

In addition to retries, Dependency-Track can make use of multiple authentication tokens. When more than one token is provided, token usage will be evenly distributed across requests in round-robin fashion. Using multiple tokens can improve throughput, as it becomes less likely that requests are rate limited and have to be retried.

To provide more than one token, simply concatenate the tokens with ; (e.g. token1;token2;token3), and insert them in the API Token field of the configuration page as usual.

Understanding Snyk’s CVSS analysis #

The majority of vulnerabilities published by Snyk originate from proprietary research, public information sources, or through 3rd party disclosures.

When evaluating the severity of a vulnerability, it’s important to note that there is no single CVSS vector - there are multiple CVSS vectors defined by multiple vendors, with the National Vulnerability Database (NVD) being one of them.

NOTE: For Beta version, user can select either from NVD or SNYK to prioritize the cvss vectors.