New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency snyk to v1.1064.0 [security] #1087

Open

renovate wants to merge 1 commit into develop from renovate/npm-snyk-vulnerability

renovate bot commented Aug 6, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
snyk	`1.824.0` -> `1.1064.0`

GitHub Vulnerability Alerts

CVE-2022-40764

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957.

CVE-2022-24441

The package snyk before 1.1064.0 is vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable.

NOTE: This issue is independent of the one reported in CVE-2022-40764, and upgrading to a fixed version for this addresses that issue as well.

The affected IDE plugins and versions are:

VS Code - Affected: <=1.8.0, Fixed: 1.9.0
IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48
Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31
Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions
Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions

Release Notes

snyk/snyk (snyk)

`v1.1064.0`

Bug Fixes

escape child process arguments (80d97a9)

`v1.1063.0`

Features

base64 default for sast analysis (369fe11)
support sev.threshold for unm.-deps (cc329fd)

`v1.1062.0`

Bug Fixes

use lenient config in gradle plugin (afc1ccb)

`v1.1061.0`

Features

upgrade snyk-iac-test to v0.37.0 (ef864be)

`v1.1060.0`

Bug Fixes

update snyk-docker-plugin (cc200eb)

`v1.1059.0`

Bug Fixes

bump snyk-gradle-plugin to 3.24.5 (a75faaf)

`v1.1058.0`

Features

Upgrade snyk-iac-test to v0.36.5 (71e8ba5)

`v1.1057.0`

`v1.1056.0`

Bug Fixes

improve go file path determination (f426bdb)

`v1.1055.0`

Bug Fixes

restore env proxy launching snyk-iac-test (fec034b)
support unmanaged for ide plugins (9746d20)

`v1.1054.0`

Bug Fixes

update snyk-docker-plugin (a638be2)

`v1.1053.0`

Bug Fixes

certificate issue for golang plugin (540b32c)

`v1.1052.0`

Features

improve errors for cloud context (0ddc517)

`v1.1051.0`

Bug Fixes

apps create command (8544c06)

`v1.1050.0`

Bug Fixes

remove allow analytics check for share results (4bac957)

`v1.1049.0`

Features

Upgrade snyk-iac-test to v0.36.2 (d37581b)

`v1.1048.0`

Bug Fixes

in sbt plugin inspect: filter out configs that are not public (a1df508)

`v1.1047.0`

`v1.1046.0`

Bug Fixes

rollback #4105 (6fec157)

`v1.1045.0`

Bug Fixes

check of incorrect environment variable (1c863bb)
do not proxy traffic to sockets (a2cbec3)

Features

disable container app scan with feature flag (39fcaf2)

`v1.1044.0`

Bug Fixes

add innerError to CLI analytics as error-details (c6e92d9)
use body in 403 error innerError if body.stack is empty (2eb1a24)

Features

Upgrade snyk-iac-test to v0.36.1 (53dfb7a)

`v1.1043.0`

Bug Fixes

relax conditions for sbt plugin inspect (a201a61)

`v1.1042.0`

Bug Fixes

Errors from snyk-iac-test should not be swallowed (b02372d)

Features

@snyk/fix: pipenv support for version 2022.* (74d0829)

`v1.1041.0`

Bug Fixes

reduce scala script output size (f3ea1ce)

`v1.1040.0`

Bug Fixes

Invoke snyk-iac-test asynchronously (1a5e734)

`v1.1039.0`

Features

new cloud context flag --snyk-cloud-environment (e5528cf)
Upgrade snyk-iac-test to v0.35.1 (73da9cb)

`v1.1038.0`

Features

add error code to iac json output (4d08086)

`v1.1037.0`

Bug Fixes

fixing typo to trigger a failed release (6f49a08)

`v1.1036.0`

What's Changed

chore: preserve system proxy in golang cli by @PeterSchafer in https://github.com/snyk/cli/pull/4159
feat: Upgrade snyk-iac-test to v0.34.1 by @francescomari in https://github.com/snyk/cli/pull/4160
restore system proxy for describe by @moadibfr in https://github.com/snyk/cli/pull/4158

Full Changelog: snyk/cli@v1.1035.0...v1.1036.0

`v1.1035.0`

Features

do not download bundle in cli (d339015)
IaC --report smoke testing (48f2e93)

`v1.1034.0`

Features

Upgrade snyk-iac-test to v0.33.5 (c318f06)

`v1.1033.0`

Features

Upgrade snyk-iac-test to v0.33.4 (ea931d1)

`v1.1032.0`

Features

Upgrade snyk-iac-test to v0.33.3 (f0ada01)

`v1.1031.0`

Bug Fixes

identify gradle projects by path not name (284c8aa)

`v1.1030.0`

Features

use in_progress in unmanaged resp. (84a1bb3)

`v1.1029.0`

`v1.1028.0`

`v1.1027.0`

Features

Upgrade snyk-iac-test to v0.33.1 (8f49d27)

`v1.1026.0`

Bug Fixes

remove reachability from plugins (cdebec7)

`v1.1025.0`

Features

update code client (a30958c)

`v1.1024.0`

`v1.1023.0`

Bug Fixes

Ignored issues count displays "undefined" (962df51)

`v1.1022.0`

Bug Fixes

do not check stderr output in IaC smoke tests (55cbba0)

Features

use short link to the Integrated IaC docs (8fd823d)

`v1.1021.0`

Bug Fixes

remove gradle matching config error (401c0f0)

Features

add flag to exclude app vulnerabilities (5d704e2)
print warning message on app-vulns enablement (9216c49)

`v1.1020.0`

`v1.1019.0`

Bug Fixes

use @snyk/child-process package without shell (2d8845d)

Features

windows: renew code signing certificate (ff063f1)

`v1.1018.0`

Features

add an info message to the new iac test command (533db99)

`v1.1017.0`

Features

Update feature gating for new IaC Integrated experience (72bed38)

`v1.1016.0`

Bug Fixes

unmanaged scan unknown archives (5821ed4)

`v1.1015.0`

Features

refactor and add tests on gradle plugin (239d4ab)

`v1.1014.0`

Features

container support for deleted files (cc8edfb)

`v1.1013.0`

Features

new version to update url docs link (bd063e3)

`v1.1012.0`

Features

pass snykHttpClient to plugin.inspect (17b1273)

`v1.1011.0`

Bug Fixes

improve cpp-plugin performance on windows (b5f6770)

`v1.1010.0`

Bug Fixes

added check for existing key in loop (04c00bc)

`v1.1009.0`

`v1.1008.0`

`v1.1007.0`

Bug Fixes

upgrade go-httpauth to support basic auth (875f0e9)

Features

add unmanaged service test call ff (55b6fbb)

`v1.1006.0`

Features

show Cloud Issues URL when sharing results with snyk iac test (9e1f2d7)

`v1.1005.0`

Bug Fixes

iac test result undefined (c1e289d)
update snyk-docker-plugin to fix CGo binaries issue (4db2a46), closes #456

Features

add support for an HTTP proxy when using snyk-iac-test (3f82971)

`v1.1004.0`

Features

share results with the Cloud API (17c7bac)

`v1.1003.0`

Bug Fixes

container python app scan performance issues (a8732a6)

Features

can override IaC experimental bundle (7da75f1)

`v1.1002.0`

Features

IaC context-suppressed issue count (bb18d47)

`v1.1001.0`

Features

pass the org public ID to snyk-iac-test (e70e43d)

`v1.1000.0`

Bug Fixes

container python app scan errors (91ce029)

`v1.999.0`

Features

container Go binary scan (47af5ca), closes #447

`v1.998.0`

Features

cloud context for IaC tests (b9c1a10)
container python app scan (3609d7d)
create temp filepath for iac engine to write results (12d8e57)
custom message for IaC cloud context errors (b5833a2)

`v1.997.0`

Bug Fixes

For Gradle multi-module projects filter subprojects on unique path not name (db21498)

`v1.996.0`

Bug Fixes

bump golang plugin version (8893f81)

Features

add --var-file support (537372d)

`v1.995.0`

Bug Fixes

matching configurations error on gradle version catalog (20dcdae)

`v1.994.0`

Bug Fixes

more IaC error codes (e0227c3)

Features

add custom severities to iac test config (9d86574)
add ignore count in the experimental version of iac test (d390ca2)
Added support for depth-detection (8cf1815)

`v1.993.0`

Features

add scan flag support (53951fc)

`v1.992.0`

Bug Fixes

--target-name bug (3431f79)
Spacing for issue descriptions with custom rules (29b2fdb)

`v1.991.0`

Features

add report summary (d8e4ea8)
pass policy (.snyk) to iac-test via the config file. (6d3ad76)

`v1.990.0`

Bug Fixes

none custom policies severity issues should be filtered out before sending them to registry (4acacd2)

`v1.989.0`

Bug Fixes

downgrade snyk-go-plugin to 1.19.0 (4643026)
increase buffer size (8079fe3)
update golang plugin (a0e30d9)
upgrade-docker-registry-v2-client (275afb1)

Features

pass remote-repo-url arg to snyk-iac-test (18e8c87)

`v1.988.0`

Bug Fixes

return exit code 3 when no resources can be found (9d2e41f)
upgrade docker-registry-v2-client lib (374ba55)

Features

pass target-name arg to snyk-iac-test (4352122)
stop caching rules (71c866e)

`v1.987.0`

Bug Fixes

correct broken URLs for license issues (8a46931)
Ensured the test spinner stops (5d9d15f)

Features

remove reachability (5500e25)
scan maven aggregate projects (019bc45)
share cache path with IaC plugin (e254c0c)
update snyk-iac-test to 0.18.1 (379fe0c)

`v1.986.0`

Bug Fixes

wrong 2x count of iac issues with --report -multi-doc yaml (06da34e)

`v1.985.0`

Bug Fixes

Fixed incomplete CC path when missing resource attributes (6a4480c)
missing release in package version string (dcb40ab)
upgarde docker-registry-v2-client lib (5de3cb1)

Features

introduce —about flag to print attribution information (60eaec8)
pass projectTags arg to snyk-iac-test (ae70c1e)

`v1.984.0`

`v1.983.0`

Bug Fixes

use FormattedPath (2ebfb71)

Features

add project attributes support in --experimental (08791f8)
Implement AnyAuth Proxy Authentication support (467b621)

`v1.982.0`

Bug Fixes

upgrade docker plugin to improve stream parsing (a59d8e4)

Features

pass configuration to snyk-iac-test (6fb5992)
upgrade snyk iac test to 0.13.1 (ce7103e)

`v1.981.0`

Bug Fixes

Add missing IaC issue props in JSON output (da3a671)

`v1.980.0`

Features

improve maven debug logging (a0cdcfc)

`v1.979.0`

Bug Fixes

handle gradle strict lock mode (8905252)

`v1.978.0`

Features

add SARIF support (CFG-1993) (622c8f4)

`v1.977.0`

Bug Fixes

container app vulns json with experimental flag (332d87b)

Features

add deprecation message to test command (7f191b5)

`v1.976.0`

Features

improve comment handling for SBT scans (cf862b9)

`v1.975.0`

Features

add test summary section to the experimental output (b708086)

`v1.974.0`

Features

add 'target-name' flag support (6305c3d)

`v1.973.0`

Bug Fixes

vuln links using demunge (01154c9)

Features

add --remote-repo-url to "iac test" (2a12048)
update general vuln descriptions to point to pvdb (ad80d74)
update spotlight vuln descriptions (f536c9d)

`v1.972.0`

Bug Fixes

handle errors from /share-results (5871079)

Features

Add support for severity threshold (6833389)

`v1.971.0`

Features

snyk-iac-test error handling (3b3fa89)

`v1.970.0`

`v1.969.0`

Features

officially support Gradle 7 scanning (314dc96)

`v1.968.0`

Features

remove support for paths outside the current working directory (5ca35c1)

`v1.967.0`

Bug Fixes

bump snyk docker plugin version golang fixes (8d55bcd), closes #3433

`v1.966.0`

Bug Fixes

bump cloud-config-parser (38502ed)

`v1.965.0`

Bug Fixes

return paths for files that errrored (IaC) (d53afde)

`v1.964.0`

Features

add JSON support (4c636da)
bump snyk-iac-test version (0599c71)
improve Snyk API URL configuration (5a0bcbe)

`v1.963.0`

Bug Fixes

cli output adjustment (b8e7f65)

`v1.962.0`

Bug Fixes

typo in IaC v2 --report output (a22ab2e)

Features

container json response with app vulns (8aba337)

`v1.961.0`

Bug Fixes

move checkPaths() function out of main() (503d64c)

`v1.960.0`

Bug Fixes

fix parser error in tfplan parser (1976175)

`v1.959.0`

Bug Fixes

--experimental acceptance test (bb0665a)
isArchive() (52b63a5)
sarif output for iac (76bbfb9)

Features

download rules bundle (c86ebf2)

`v1.958.0`

Bug Fixes

bump driftctl (dae3c8e)
reduce default snyk-gradle-plugin logging (6e26bdc)

`v1.957.0`

Bug Fixes

wrong dependencyCount in support of snyk-to-html (1065dd9)

`v1.956.0`

Bug Fixes

support HTTP(S) proxies in iac-test (3ac3ad0)

`v1.955.0`

Bug Fixes

also add HTTP_PROXY environment variable (78d0602)

Features

add support for requirements.txt files with BOM encoding (d31974f)
support for unmanaged snyk-to-html (83b4f6a)

`v1.954.0`

Features

add additinal arguments ability for go projects (7c915d4)

`v1.953.0`

Features

remove gradle-accept-legacy-config-roles flag (b4164e8)

`v1.952.0`

Bug Fixes

cwd error (b17ed2c)

`v1.951.0`

Features

remove report command from snyk iac (9cd5813)

`v1.950.0`

Features

prune across Gradle dep-graph (44f75ff)

`v1.949.0`

Bug Fixes

include the custom rules warning if feature flag is not enabled (44e892b)

`v1.948.0`

Features

upgrade to [email protected] (5b66290)

`v1.947.0`

Bug Fixes

IaC issue info when impact or description are missing (e785a64)
remove warning message from iac --report (b1aee5d)

Features

improve error message for iac describe (c58b5af)

`v1.946.0`

`v1.945.0`

Features

enable TF Vars Support for all (eedd239)

`v1.944.0`

`v1.943.0`

Features

detect JARs in WARs files inside containers (2924955)

`v1.942.0`

`v1.941.0`

`v1.940.0`

Bug Fixes

maven scan all unmanaged (2c543e3)

`v1.939.0`

Features

wrap new IaC output with a new FF (12e66bf)

`v1.938.0`

Bug Fixes

maven nested module scans (9cba63a)

Features

validate custom rules (daed58e)

`v1.937.0`

Bug Fixes

remove driftctl brand in drift html output (3958fd1)

`v1.936.0`

Bug Fixes

(iac) last error does not override previous (d9e3449)

Features

unmanaged support for remote-repo-url (646c976)

`v1.935.0`

Bug Fixes

unmanaged cancelled jobs (dca7769)

`v1.934.0`

Features

include thrown errors in IaC failures section (571d3b8)

`v1.933.0`

Features

container php app scan (efbae42)

`v1.932.0`

Bug Fixes

allow endpoint to be modified when invalid (a4bc484)
CLI output styling (0e31b8e)

`v1.931.0`

Bug Fixes

ignore errors on multiple paths if there were some results (42e28c5)
use correct auth header for api requests (36211dd)

`v1.930.0`

Bug Fixes

gradle projects producing multiple jsondeps (c449cfc)

`v1.929.0`

Features

Changes to Gradle plugin:

upgrade default Node version 8 to 16 and include tests for Node, JDK and Gradle versions
lint README and config file
update PR review template

`v1.928.0`

`v1.927.0`

Features

Add progress indicator (764e0ce)
Rename Invalid Files section for IaC (1d21526)

`v1.926.0`

`v1.925.0`

Bug Fixes

git targets for variadic paths (f210f1a)
Include check for quiet option when logging (afea1b4)

Features

upgrade code client to 4.12.2 (aac7016)

`v1.924.0`

Features

update code client (6022633)

`v1.923.0`

Features

support base64 encoding (b945b0c)

`v1.922.0`

Bug Fixes

Don't create duplicated IaC projects when sharing results (041ed24)
Ensure that IaC shared results paths use forward slashes (6f548ef)
SARIF output IaC (d07b434)

`v1.921.0`

Bug Fixes

link to correct snyk fix docs (5b96c29)

`v1.920.0`

Features

bump snyk-mvn-plugin version (8e45fc6)

`v1.919.0`

Bug Fixes

add tracking of contributors in unmanaged monitoring (0a2f8ce)

`v1.918.0`

Bug Fixes

iac describe: enable --deep when using --all ([

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency snyk to v1.1064.0 [security]

c144324

Author

renovate bot commented Aug 6, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/stylelint
npm ERR!   dev stylelint@"13.13.1" from the root project
npm ERR!   peer stylelint@"11.x - 14.x" from [email protected]
npm ERR!   node_modules/stylelint-config-css-modules
npm ERR!     dev stylelint-config-css-modules@"2.3.0" from the root project
npm ERR!   2 more (stylelint-config-recommended, stylelint-config-standard)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer stylelint@">=14" from [email protected]
npm ERR! node_modules/stylelint-config-recess-order
npm ERR!   dev stylelint-config-recess-order@"3.0.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/stylelint
npm ERR!   peer stylelint@">=14" from [email protected]
npm ERR!   node_modules/stylelint-config-recess-order
npm ERR!     dev stylelint-config-recess-order@"3.0.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-08-06T08_31_46_269Z-debug-0.log

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet