Snyk for Bazel
Snyk supports testing projects that have their dependencies managed by Bazel. Support is available via the Snyk API.
Snyk API docs live at https://snyk.docs.apiary.io/
Feature availability The Snyk API is available with Business and Enterprise plans. See pricing plans for more details.
The Dep Graph API requires additional permissions. Please contact [email protected] to request access.
The following describes how to use Snyk to test your Bazel projects.

Bazel Overview

Bazel is an open-source build and test tool similar to Make, Maven, and Gradle. It uses a human-readable, high-level build language. Bazel supports projects in multiple languages and builds outputs for multiple platforms. Bazel supports large codebases across multiple repositories, and large numbers of users
Bazel does not have dependency manifest files or lock files that package managers such as npm have. Instead, build configuration is managed in BUILD files, using Starlark, a domain specific language based on Python3.
Bazel has limited native integration with package registries such as npmjs.org or Maven Central. There are some Bazel rules that can be added to help with installing dependencies from external registries, e.g. from Maven.
However, in many cases users must manually specify their dependency information (package name, location & version), including all transitives. These can then be fetched by Bazel during builds.
Because Bazel dependencies are specified as code in BUILD files using Starlark, Snyk cannot easily discover which dependencies a project has.
The recommended approach is to test your dependencies via the Snyk Dep Graph Test API.

How it works

  1. 1.
    For each type of dependency (e.g. Maven, Cocoapods), create a Dep Graph JSON object listing all the dependency packages and versions (see below)
  2. 2.
    As part of a Bazel test rule, send this object as a POST request to the Dep Graph Test API, (along with your auth token), example curl request:
    1
    curl -X POST 'https://snyk.io/api/v1/test/dep-graph' \
    2
    -H 'Authorization: token {{your token}}' \
    3
    -H 'Content-Type: application/json; charset=utf-8' \
    4
    -d @dep-graph.json
    Copied!
  3. 3.
    Check the API response for pass/fail status and any resulting vulnerabilities

Snyk Dep Graph Test API

The Snyk Dep Graph Test API takes a generic dependency graph, and returns a report containing any relevant vulnerabilities for those dependencies.
The set of supported package managers/repository ecosystems are listed on the API documentation (at time of writing these are deb, gomodules, gradle, maven, npm, nuget, paket, pip, rpm, rubygems & cocoapods).
Any of your Bazel dependencies that are available in these ecosystems can be tested via the API.

Snyk Dep Graph JSON Syntax

The Dep Graph Test API takes a Snyk Dep Graph JSON object describing the root application, and the graph of direct and transitive dependencies.
The schema for this format is as follows:
1
export interface DepGraphData {
2
schemaVersion: string;
3
pkgManager: {
4
name: string;
5
version?: string;
6
repositories?: Array<{
7
alias: string;
8
}>;
9
};
10
pkgs: Array<{
11
id: string;
12
info: {
13
name: string;
14
version?: string;
15
};
16
}>;
17
graph: {
18
rootNodeId: string;
19
nodes: Array<{
20
nodeId: string;
21
pkgId: string;
22
info?: {
23
versionProvenance?: {
24
type: string;
25
location: string;
26
property?: {
27
name: string;
28
};
29
},
30
labels?: {
31
[key: string]: string | undefined;
32
};
33
};
34
deps: Array<{
35
nodeId: string;
36
}>;
37
}>;
38
};
39
}
Copied!
Here are some further notes on specific components in the dep graph object:
  • schemaVersion - version of the dep-graph schema, set this to 1.2.0
  • pkgManager.name - one of deb, gomodules, gradle, maven, npm, nuget, paket, pip, rpm, rubygems or cocoapods
  • pkgs - array of objects containing id, name & version of all packages in the dep-graph. Note that the id must be of the form [email protected]. List each of your dependencies in this array, including an item representing the project itself
  • graph.nodes - array of objects describing the relationships between entries in pkgs. In Bazel this is typically just the project node with all other packages defined as a flat array of direct dependencies in deps
  • graph.rootNodeId - specifies the id of the entry in graph.nodes to use as the root node of the graph. You should set this to the nodeId of the project node

Snyk Dep Graph Test API Response

The Dep Graph Test API returns a JSON object describing any issues (vulnerabilities & licences) found in the dep graph dependencies.
Here is an example response with a single vulnerability.
1
{
2
"ok": false,
3
"packageManager": "maven",
4
"issuesData": {
5
"SNYK-JAVA-CHQOSLOGBACK-30208": {
6
"CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
7
"alternativeIds": [],
8
"creationTime": "2017-03-19T14:58:38Z",
9
"credit": [
10
"Unknown"
11
],
12
"cvssScore": 9.8,
13
"description": "## Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. A configuration can be ...",
14
"disclosureTime": "2017-03-13T06:59:00Z",
15
"exploit": "Not Defined",
16
"fixedIn": [
17
"1.1.11"
18
],
19
"functions": [],
20
"id": "SNYK-JAVA-CHQOSLOGBACK-30208",
21
"identifiers": {
22
"CVE": [
23
"CVE-2017-5929"
24
],
25
"CWE": [
26
"CWE-502"
27
]
28
},
29
"language": "java",
30
"mavenModuleName": {
31
"artifactId": "logback-core",
32
"groupId": "ch.qos.logback"
33
},
34
"modificationTime": "2020-06-12T14:36:56.271247Z",
35
"moduleName": "ch.qos.logback:logback-core",
36
"packageManager": "maven",
37
"packageName": "ch.qos.logback:logback-core",
38
"patches": [],
39
"proprietary": false,
40
"publicationTime": "2017-03-21T15:30:44Z",
41
"references": [
42
{
43
"title": "GitHub Commit #1",
44
"url": "https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8"
45
},
46
{
47
"title": "GitHub Commit #2",
48
"url": "https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9"
49
},
50
{
51
"title": "Logback News",
52
"url": "https://logback.qos.ch/news.html"
53
},
54
{
55
"title": "NVD",
56
"url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929"
57
},
58
{
59
"title": "NVD",
60
"url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929/"
61
}
62
],
63
"semver": {
64
"vulnerable": [
65
"[, 1.1.11)"
66
]
67
},
68
"severity": "high",
69
"title": "Arbitrary Code Execution"
70
}
71
},
72
"issues": [
73
{
74
"pkgName": "ch.qos.logback:logback-core",
75
"pkgVersion": "1.0.13",
76
"issueId": "SNYK-JAVA-CHQOSLOGBACK-30208",
77
"fixInfo": {}
78
}
79
],
80
"org": {
81
"id": "3e5fe3fe-9181-4f0f-a231-39764485e73f",
82
"name": "stephen.elson-xnf"
83
}
84
}
Copied!
Here are some further notes on specific components in the response object:
  • ok - boolean value summarising whether Snyk found any vulnerabilities in the supplied dependencies. You can use this for a quick pass/fail test
  • issuesData - a hash of each unique vulnerability found. Each vulnerability contains many useful properties, such as title, description, identifiers, publicationTime, severity etc
  • issues - an simple array of mappings from vulnerabilities in issuesData to package. As a vulnerability may be relevant to multiple packages, this mapping is used to keep the response length as short as possible

Examples

Note See https://github.com/snyk/bazel-simple-app for a full example Bazel Java project, and corresponding Snyk Dep Graph object.
For a simple Bazel project with a single dependency on a Maven package, you may specify the dependency like this:
1
maven_jar(
2
name = "logback-core",
3
artifact = "ch.qos.logback:logback-core:1.0.13",
4
sha1 = "dc6e6ce937347bd4d990fc89f4ceb469db53e45e",
5
)
Copied!
From this you could construct the following Dep Graph JSON object:
1
{
2
"depGraph": {
3
"schemaVersion": "1.2.0",
4
"pkgManager": {
5
"name": "maven"
6
},
7
"pkgs": [
8
{
10
"info": {
11
"name": "app",
12
"version": "1.0.0"
13
}
14
},
15
{
16
"id": "ch.qos.logback:[email protected]",
17
"info": {
18
"name": "ch.qos.logback:logback-core",
19
"version": "1.0.13"
20
}
21
}
22
],
23
"graph": {
24
"rootNodeId": "root-node",
25
"nodes": [
26
{
27
"nodeId": "root-node",
28
"pkgId": "[email protected]",
29
"deps": [
30
{
31
"nodeId": "ch.qos.logback:[email protected]"
32
}
33
]
34
},
35
{
36
"nodeId": "ch.qos.logback:[email protected]",
37
"pkgId": "ch.qos.logback:[email protected]",
38
"deps": []
39
}
40
]
41
}
42
}
43
}
Copied!
This particular package (ch.qos.logback:[email protected]) contains a vulnerability, described in detail in the resulting JSON response object.
Last modified 26d ago