Snyk for C / C++
This feature is currently in Beta; contact Snyk for more details.
You can use Snyk to scan C / C++ projects.

Features

NOTE: Features might not be available, depending on your subscription plan.

Package managers / Features | CLI support | Git support | License scanning | Fixing | Runtime monitoring
C/C++                       | ✔︎           |             |                  |        |

How it works

Scans are powered by a database of open source software, periodically updated with the latest source code from different online sources.
Currently, we use and link to the US National Vulnerability Database (NVD). In future, we plan to also integrate the Snyk Vuln DB.
When you run the snyk unmanaged test command, Snyk:
  1. Converts all files under your current folder into a list of hashes.
  2. Sends the hashes (together with the file paths; see the Data collection note) to the Snyk scan server.
  3. Queries the database to find a list of potentially matching dependencies.
  4. Links the dependencies to the known vulnerabilities.
  5. Displays the results.
To scan the project, the dependencies must be available as source code in the scanned directory. If the dependencies are in a different location, that location must be scanned.

Constraints and limitations

The following constraints and limitations are by design. While we may work on improvements in the future, they are not considered issues. Issues that are planned to be addressed are listed in the Known Issues section.
Dependencies' source code needs to be available
For Snyk CLI to be able to find any dependencies in your source code, the full source code of the dependencies needs to be present in the scanned folder. The following is a typical directory structure Snyk can scan (abbreviated):
c-example
├── deps
│   ├── curl-7.58.0
│   │   ├── include
│   │   │   ├── Makefile.am
│   │   │   ├── Makefile.in
│   │   │   ├── README
│   │   │   └── curl
│   │   ├── install-sh
│   │   ├── lib
│   │   │   ├── asyn.h
│   │   │   ├── base64.c
│   │   │   ├── checksrc.pl
│   │   │   ├── config-amigaos.h
│   │   │   ├── conncache.c
│   │   │   ├── conncache.h
│   │   ├── src
│   │   │   ├── tool_binmode.c
│   │   │   ├── tool_binmode.h
│   │   │   ├── tool_bname.c
│   │   │   ├── tool_xattr.c
...
Having a large percentage of files in their original (unchanged) form is critical to accurately identify the dependencies and so report the correct set of vulnerabilities. If you modify many of the files (or, for example, include only header files), this reduces the confidence of the scanning engine, leading to either dependencies not being identified, or being identified incorrectly (as a different version, or even a different package).

Data collection note

When you scan C / C++ projects, the following data is collected and may be stored for troubleshooting purposes:

Category                    | Description
Hashes of the scanned files | All files are converted to a list of irreversible hashes.
Full paths to scanned files | The paths to files on your local drive are included for better identification and matching.

Snyk CLI for C / C++ projects

Install the Snyk CLI

C/C++ scanning is available in Snyk CLI. See Install the CLI for details.
The minimum version of Snyk CLI with C/C++ scanning is 1.713.

Run the test

To test your project for vulnerabilities, run:

$ snyk unmanaged test
If you scan a Linux project on Windows, make sure the repository is cloned with Linux line endings. See the Known Issues section for more details.

Displaying dependencies

To display the identified dependencies, use the --print-deps option:

$ snyk unmanaged test --print-deps

Dependencies:

cpython|https://github.com/python/cpython/archive/[email protected]
confidence: 1.000

zip|http://ftp.debian.org/debian/pool/main/z/zip/[email protected]
confidence: 0.993
To learn what files contributed to each dependency being identified, use the --print-dep-paths argument:

$ snyk unmanaged test --print-dep-paths

Dependencies:

curl|https://github.com/curl/curl/releases/download/curl-7_58_0/curl-7.58.0.tar.xz@7.58.0
confidence: 1.000
matching files:
- c-example/deps/curl-7.58.0/CHANGES
- c-example/deps/curl-7.58.0/CMake/CMakeConfigurableFile.in
- c-example/deps/curl-7.58.0/CMake/CurlSymbolHiding.cmake
... and 2857 more files

Understanding the confidence level

You may need to change the source code of the dependencies that you use in your software. Because Snyk uses file signatures to find the closest possible match to an open source library, your changes may decrease the accuracy with which the actual library is identified.
To learn how confident Snyk is about the identified dependency and its version, use the --print-deps or --print-dep-paths command line argument:

curl|https://github.com/curl/curl/releases/download/curl-7_58_0/curl-7.58.0.tar.xz@7.58.0
confidence: 0.993

The confidence level shows how sure Snyk is about the identification of the dependency. The number is between 0 and 1; the higher it is, the more accurate the identification. A confidence of 1 means that all the files in the source tree fully matched all the expected files in our database.
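The hash-and-match pipeline from How it works, the confidence level described in this section, and the effect of modified files noted under Constraints and limitations (and the Windows line-ending problem in Known Issues) can be seen end to end in a small toy reconstruction. The following is an added example, not Snyk's code or a description of its real algorithm: the library name libfoo, its two versions, their file contents, the SHA-256 signature database and the confidence formula (matched files divided by files in the release signature) are all constructed assumptions made for the demonstration.

```python
# Added example, not Snyk's code: a toy reconstruction of the hash-and-match
# pipeline described on this page. The "upstream releases", signature database
# and confidence formula are constructed so the script runs offline.
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Constructed releases of a hypothetical library. The two versions differ in a
# single source file, so altering that file makes the version ambiguous.
RELEASES: Dict[str, Dict[str, bytes]] = {
    "libfoo@1.0.0": {
        "include/foo.h": b"int foo_parse(const char *s);\n",
        "src/foo.c": b"int foo_parse(const char *s) { return s[0]; }\n",
        "src/util.c": b"int foo_util(void) { return 0; }\n",
    },
    "libfoo@1.0.1": {
        "include/foo.h": b"int foo_parse(const char *s);\n",
        "src/foo.c": b"int foo_parse(const char *s) { return s && s[0]; }\n",
        "src/util.c": b"int foo_util(void) { return 0; }\n",
    },
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "scan server" side: release -> set of irreversible file hashes.
SIGNATURE_DB: Dict[str, frozenset] = {
    release: frozenset(sha256_bytes(content) for content in files.values())
    for release, files in RELEASES.items()
}


def hash_tree(root: str) -> Dict[str, str]:
    """Step 1: relative path -> hash for every file under root.
    Hidden directories (.git, .conan, ...) are skipped, as Known Issues describes."""
    hashes: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hashes[os.path.relpath(path, root)] = sha256_bytes(fh.read())
    return hashes


def match(hashes: Dict[str, str]) -> Dict[str, float]:
    """Steps 3-4 (toy version): confidence = share of a release's signature
    files whose hash appears in the scanned tree."""
    seen = set(hashes.values())
    return {release: len(seen & sig) / len(sig) for release, sig in SIGNATURE_DB.items()}


def to_crlf(data: bytes) -> bytes:
    """Mimics what git core.autocrlf=true does to a checkout on Windows."""
    return data.replace(b"\n", b"\r\n")


def add_copyright_header(data: bytes) -> bytes:
    """A typical local modification that invalidates a file's signature."""
    return b"/* Copyright (c) Example Corp. */\n" + data


@dataclass
class ScanReport:
    confidences: Dict[str, float]
    files_hashed: int


def scan_copy(release: str,
              transform: Optional[Callable[[bytes], bytes]] = None,
              only: Optional[Iterable[str]] = None) -> ScanReport:
    """Unpack one release into a scratch dir (plus a .git dir that must be
    ignored), optionally alter some files, then hash the tree and match it."""
    only_set = set(only) if only is not None else None
    with tempfile.TemporaryDirectory() as root:
        for rel, content in RELEASES[release].items():
            if transform and (only_set is None or rel in only_set):
                content = transform(content)
            dest = os.path.join(root, "deps", release.split("@")[0], rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(content)
        os.makedirs(os.path.join(root, ".git"))
        with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/main\n")
        hashes = hash_tree(root)
    return ScanReport(match(hashes), len(hashes))


if __name__ == "__main__":
    cases = [
        ("pristine libfoo 1.0.1", {}),
        ("copyright header added to src/foo.c", {"transform": add_copyright_header, "only": ["src/foo.c"]}),
        ("CRLF line endings on every file", {"transform": to_crlf}),
    ]
    for label, kwargs in cases:
        report = scan_copy("libfoo@1.0.1", **kwargs)
        print(f"{label}: {{k: round(v, 3) for k, v in report.confidences.items()}}")
```

The three cases map onto the page's warnings: an untouched copy of 1.0.1 matches 1.0.1 with confidence 1.0 and the older 1.0.0 with 0.667 because two of three files are shared; adding a copyright header to the one file that distinguishes the versions drops both to 0.667, so the version can no longer be told apart (the "identified as a different version" case); converting every file to CRLF changes every hash, and nothing is found at all, which is the Windows checkout failure mode.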

JSON output

To get a machine-readable output in JSON, use the --json argument:

$ snyk unmanaged test --json
[
  {
    "issues": [
      {
        "pkgName": "curl|https://github.com/curl/curl/releases/download/curl-7_58_0/curl-7.58.0.tar.xz",
        "pkgVersion": "7.58.0",
        "issueId": "CVE-2019-5481",
        "fixInfo": {
          "isPatchable": false,
          "isPinnable": false
        }
      }
    ],
    "issuesData": {
      "CVE-2019-5481": {
        "severity": "high",
        "CVSSv3": "",
        "originalSeverity": "high",
        "severityWithCritical": "high",
        "type": "vuln",
        "alternativeIds": [
          ""
        ],
        "creationTime": "2019-09-16T19:15:00.000Z",
        "disclosureTime": "2019-09-16T19:15:00.000Z",
        "modificationTime": "2020-10-20T22:15:00.000Z",
        "publicationTime": "2019-09-16T19:15:00.000Z",
        "credit": [
          ""
        ],
        "id": "CVE-2019-5481",
        "packageManager": "cpp",
        "packageName": "curl|https://github.com/curl/curl/releases/download/curl-7_58_0/curl-7.58.0.tar.xz",
        "language": "cpp",
        "fixedIn": [
          ""
        ],
        "patches": [],
        "exploit": "No Data",
        "functions": [
          ""
        ],
        "semver": {
          "vulnerable": [
            "7.58.0"
          ],
          "vulnerableHashes": [
            ""
          ],
          "vulnerableByDistro": {}
        },
        "references": [
          {
            "title": "https://curl.haxx.se/docs/CVE-2019-5481.html",
            "url": "https://curl.haxx.se/docs/CVE-2019-5481.html"
          }
        ],
        "internal": {},
        "identifiers": {
          "CVE": [
            "CVE-2019-5481"
          ],
          "CWE": [],
          "ALTERNATIVE": [
            ""
          ]
        },
        "title": "CVE-2019-5481",
        "description": "",
        "license": "",
        "proprietary": true,
        "nearestFixedInVersion": ""
      }
    },
    "fileSignaturesDetails": {
      "curl|https://github.com/curl/curl/releases/download/curl-7_58_0/curl-7.58.0.tar.xz@7.58.0": {
        "filePaths": [
          "deps/curl-7.58.0/CHANGES",
          "c-example/deps/curl-7.58.0/CMake/CMakeConfigurableFile.in",
          "c-example/deps/curl-7.58.0/CMake/CurlSymbolHiding.cmake"
        ],
        "confidence": 1
      }
    }
  }
]
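In practice this JSON is consumed by a CI job rather than read by eye, and the confidence value matters for how a finding should be acted on: a high-severity CVE against a package identified with confidence 1 is a clear block, while the same CVE against a low-confidence match first needs someone to confirm which library and version is really vendored. The following is an added example, not part of Snyk's documentation or CLI. It parses a report shaped like the one above and fails the build only for issues at or above a chosen severity whose package was identified at or above a confidence threshold, listing the rest for review. The report text is constructed (the zip package URL, the issue id CONSTRUCTED-0001 and the confidence values are made up), and the assumption that fileSignaturesDetails is keyed by pkgName followed by "@" and pkgVersion is inferred from the output above, not documented.

```python
# Added example, not Snyk's code: gate a CI job on `snyk unmanaged test --json`.
# SAMPLE_REPORT is constructed to mirror the shape of the documented output;
# the zip entry, CONSTRUCTED-0001 and the confidence values are illustrative.
import json
from dataclasses import dataclass, field
from typing import List

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

CURL = "curl|https://github.com/curl/curl/releases/download/curl-7_58_0/curl-7.58.0.tar.xz"
ZIP = "zip|https://example.invalid/zip-3.0.tar.gz"  # constructed package name

SAMPLE_REPORT = json.dumps([{
    "issues": [
        {"pkgName": CURL, "pkgVersion": "7.58.0", "issueId": "CVE-2019-5481",
         "fixInfo": {"isPatchable": False, "isPinnable": False}},
        {"pkgName": ZIP, "pkgVersion": "3.0", "issueId": "CONSTRUCTED-0001",
         "fixInfo": {"isPatchable": False, "isPinnable": False}},
    ],
    "issuesData": {
        "CVE-2019-5481": {"severity": "high", "title": "CVE-2019-5481"},
        "CONSTRUCTED-0001": {"severity": "medium", "title": "made-up issue for this example"},
    },
    # Assumption: this map is keyed by "<pkgName>@<pkgVersion>", as in the output above.
    "fileSignaturesDetails": {
        CURL + "@7.58.0": {"filePaths": ["deps/curl-7.58.0/CHANGES"], "confidence": 1},
        ZIP + "@3.0": {"filePaths": ["deps/zip/zip.c"], "confidence": 0.61},
    },
}])


@dataclass(frozen=True)
class Finding:
    package: str      # short name, the part of pkgName before '|'
    version: str
    issue_id: str
    severity: str
    confidence: float  # how surely the package itself was identified


def parse_findings(report_json: str) -> List[Finding]:
    """Join each issue with its severity and with the confidence of the package match."""
    findings: List[Finding] = []
    for project in json.loads(report_json):
        signatures = project.get("fileSignaturesDetails", {})
        issues_data = project.get("issuesData", {})
        for issue in project.get("issues", []):
            key = f'{issue["pkgName"]}@{issue["pkgVersion"]}'
            confidence = float(signatures.get(key, {}).get("confidence", 0.0))
            severity = issues_data.get(issue["issueId"], {}).get("severity", "unknown")
            findings.append(Finding(
                package=issue["pkgName"].split("|", 1)[0],
                version=issue["pkgVersion"],
                issue_id=issue["issueId"],
                severity=severity,
                confidence=confidence,
            ))
    return findings


@dataclass
class GateResult:
    blocking: List[Finding] = field(default_factory=list)  # severe and confidently matched
    review: List[Finding] = field(default_factory=list)    # severe but the match is uncertain

    @property
    def fail(self) -> bool:
        return bool(self.blocking)


def gate(findings: List[Finding], min_severity: str = "high",
         min_confidence: float = 0.9) -> GateResult:
    """Block on findings at or above min_severity whose package was identified
    with at least min_confidence; route the uncertain ones to manual review.
    An unrecognised severity string is treated as critical, never silently dropped."""
    threshold = SEVERITY_RANK[min_severity]
    result = GateResult()
    for f in findings:
        if SEVERITY_RANK.get(f.severity, SEVERITY_RANK["critical"]) < threshold:
            continue
        (result.blocking if f.confidence >= min_confidence else result.review).append(f)
    return result


if __name__ == "__main__":
    import sys
    # Pipe real output in: snyk unmanaged test --json | python gate.py
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    result = gate(parse_findings(text))
    for f in result.blocking:
        print(f"BLOCK   {f.issue_id} {f.package}@{f.version} ({f.severity}, confidence {f.confidence:.2f})")
    for f in result.review:
        print(f"REVIEW  {f.issue_id} {f.package}@{f.version} ({f.severity}, confidence {f.confidence:.2f})")
    sys.exit(1 if result.fail else 0)
```

With the defaults the curl CVE blocks and the low-confidence zip finding is ignored because it is only medium; lowering min_severity to medium moves the zip finding into the review list rather than failing the build, since a 0.61 match may be a different version or a different package altogether, which is exactly the case the confidence section warns about.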

Command line options

The following snyk command line options are supported with snyk unmanaged:

ORG_NAME

--org=ORG_NAME
Specify the ORG_NAME to run Snyk commands tied to a specific organization. This determines where new projects are created when you run the monitor command, which features are available to you, and which private test limits apply. If you have multiple organizations, you can set a default from the CLI using:

snyk config set org=ORG_NAME

Setting a default ensures all newly monitored projects are created under your default organization. To override the default, use the --org=ORG_NAME argument.
Default: uses the ORG_NAME set as default in your Account settings.

json

--json
Prints results in JSON format.

OUTPUT_FILE_PATH

--json-file-output=OUTPUT_FILE_PATH
(only in test command) Save test output in JSON format directly to the specified file, regardless of whether or not you use the --json option.
This is useful to display the human-readable test output via stdout and at the same time save the JSON format output to a file.

target-dir

--target-dir <directory>
Scan the path specified in the argument instead of the current directory.

Import scan results in Snyk App

To import the test results (issues and dependencies) in Snyk App, run the snyk unmanaged monitor command:

$ snyk unmanaged monitor
Monitoring /c-example (c-example)...

Explore this snapshot at https://app.snyk.io/org/example-org/project/8ac0e233-d0f9-403e-b422-5970e7a37443/history/5de4616d-3967-485f-bf21-bbbe91068029

Notifications about newly disclosed issues related to these dependencies will be emailed to you.
This creates a snapshot of dependencies and vulnerabilities, and imports them in Snyk App, where you can review the issues and see them included in your reports.
Importing a project with unmanaged dependencies creates a new project in Snyk App:
Project with unmanaged dependencies
Automated regular testing and re-scanning from the Snyk App is not currently supported. To run a new scan and import its updated results, manually run the snyk unmanaged monitor command again.

Known issues

Some dependencies are not found

During the beta phase, we are using an older version of our source code database. This means that open source dependencies that are being actively developed and contain many changes to their source code may not be identified correctly, or at all.

Files in hidden directories are ignored

When scanning a directory, all files that are in a hidden directory (such as .conan or .git) are ignored. Dependencies stored in such directories will not be detected.

Scanning on Windows

Many open source projects in git use Unix line endings. By default, git on Windows converts Unix line endings to Windows line endings on checkout and converts them back only when you commit. Our database contains source code signatures with the original line endings (as defined in the individual projects), so when you scan on Windows, the signatures generated for files with Windows line endings differ from the signatures in our database. In that case, it is very likely that no dependencies will be found.
To scan a project with Unix line endings on Windows, disable git line ending conversion. To configure this globally, run:

git config --global core.autocrlf false

Frequently asked questions

Is my source code sent to Snyk servers?

No. The files are converted to a list of hashes before they are sent for scanning.

Why did Snyk not find any dependencies?

We store the official releases of many open source components in our database, but it is possible that the source code you scanned is not there or simply was not matched. Let us know and we can help you find out what happened and potentially improve our scanning algorithms.
Here are a few things that you can check on your own:
  • The source code of the dependencies you scanned is actually available as source code (unpacked) in the folder that you scanned. If you use a package manager, such as Conan, the source code is likely to be in the Conan cache, along with the source code of other dependencies of your other projects. To scan dependencies managed by a package manager, we recommend that you do so in a clean environment (for example during a build).
  • The source code of the dependencies is not from an official release of the OSS component, so we do not have it in the database.
  • The source code of the OSS component has been modified too much, so Snyk cannot detect it. If there are only a few files and you modify most of them, Snyk cannot match them to a component in our database. Common examples of such modifications are whitespace reformatting and adding license or copyright headers.
  • You are on Windows, and git converted line endings to Windows line endings. Currently we can only recognize files that have retained their original line endings.
  • The source code of the OSS component is too new. Our database is refreshed regularly, but it takes time for the latest releases to get processed.

What is coming next?

Our plan is to show more information on how and why certain components were detected in our source code (show files that were detected to be a part of the component) and allow you to bring the information in the App (using the snyk unmanaged monitor command) so you can see the dependencies there.