Guidance for Snyk for C/C++
This page reviews language and package-manager considerations to help you apply Snyk effectively in a C/C++ technology stack.
Code analysis
Snyk does not compile or require a build to perform analysis.
Snyk Code analyzes source code directly.
If you precompile components, make the source available during the scan.
Open source and licensing
For package managers such as npm or Maven, Snyk traditionally uses the managed open source capabilities of snyk test and snyk monitor. For C/C++, Snyk supports unmanaged dependencies when you add the --unmanaged option to those commands.
Snyk does not hook into a build nor rely on a build to perform scanning. Snyk performs analysis from source code.
The source code of the open source components must be present.
Snyk fingerprints files and compares them to the Snyk database to identify packages, versions, licenses, and vulnerabilities.
Snyk Integrations and common usage patterns
IDE
With Snyk Code
No additional options are required. The Snyk plugin has views within the IDE for displaying results.
With Snyk Open Source
Under Additional Parameters in the IDE settings, enter the --unmanaged option to scan for C/C++ open source dependencies.
CLI Tips and tricks
What to test
Use the --help option in the CLI for details of Snyk CLI commands.
Codebase
Snyk does not rely on a build to perform analysis. Only the source code is required.
Open the directory of the source code in the terminal and run the Snyk Code test command.
If you precompile components, the source code should still be present to get the best results and coverage.
For reporting, use the snyk-to-html plugin to generate reporting artifacts. JSON and SARIF export are also available for programmatic access to results, using --json and --sarif respectively. See Exporting the test results to a JSON or SARIF file.
Open Source libraries
For C/C++ open source, use the --unmanaged option to analyze license compliance issues and known security issues associated with open source. See Snyk for C/C++ for details.
To test, make sure the source code of the open source components is present; placing it in a vendor folder is one common layout.
If you precompile open source components, their source code must still be present so that Snyk can make an accurate comparison with its knowledge base.
Similarly, for monitoring and sharing reporting, run snyk monitor --unmanaged and pass your Organization ID with the --org option. The org-id is found under your Organization settings in the Snyk web interface; it is not required, but it is strongly recommended. As with Snyk Code, you can generate reports using the snyk-to-html plugin.
For individual or personal scans, use the CLI or IDE and run snyk monitor --unmanaged to upload results. Send these results to your personal folder and disable scheduled scanning in the Project settings so that an individual scan does not create noise. This makes the license and policy information viewable in the Snyk web interface.
For automated scans, such as CI/CD, run snyk monitor --unmanaged and send the results to the Organization of your choice. This makes the license and policy information viewable for that Organization.
Dependency lists
Use --print-deps when performing open source scans to obtain a detailed list of discovered dependencies in your codebase and their origin source.
In C/C++, this has the additional benefit of showing the confidence level of each match. A significant drop (below 90% confidence) usually means the file has been modified and may not be the original upstream source, so the package and version attribution, and the findings that depend on it, deserve a closer look.
The list is printed before the issues list.
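As an added example (not code from the Snyk documentation or the Snyk CLI itself), the following Python script turns the JSON report from snyk test --unmanaged --json into a CI gate and, in the same pass, flags package matches whose confidence falls below the 90% mark discussed above. It serves both the automated-scan guidance above and the dependency-list guidance here. The report field names it reads (vulnerabilities, severity, type, packageName, fileSignaturesDetails, confidence, filePaths) are an assumption about the CLI's JSON layout and must be checked against a real report before you rely on them; the embedded SAMPLE_REPORT is constructed, and its issue IDs and file paths are placeholders.

```python
"""Gate a CI job on the JSON report from `snyk test --unmanaged --json`.

Added example, not Snyk's own code. The field names used here are an
ASSUMPTION about the report layout: a "vulnerabilities" list whose entries
carry "id", "title", "severity", "type" ("vuln" or "license"), "packageName"
and "version", plus a "fileSignaturesDetails" map of package identifier to
{"confidence": float, "filePaths": [...]}. Verify against a real report.
"""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report (not real Snyk output); IDs and paths are placeholders.
SAMPLE_REPORT = {
    "ok": False,
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1", "title": "Heap-based buffer overflow", "severity": "high",
         "type": "vuln", "packageName": "zlib", "version": "1.2.11"},
        {"id": "EXAMPLE-VULN-2", "title": "Out-of-bounds read", "severity": "low",
         "type": "vuln", "packageName": "zlib", "version": "1.2.11"},
        {"id": "EXAMPLE-LICENSE-1", "title": "GPL-3.0 license", "severity": "medium",
         "type": "license", "packageName": "jsoncpp", "version": "1.9.4"},
    ],
    "fileSignaturesDetails": {
        "zlib@1.2.11": {"confidence": 1.0,
                        "filePaths": ["vendor/zlib/inflate.c", "vendor/zlib/deflate.c"]},
        # A patched or vendored-and-modified copy typically shows up as a weaker match.
        "jsoncpp@1.9.4": {"confidence": 0.72,
                          "filePaths": ["vendor/jsoncpp/json_reader.cpp"]},
    },
}


def failing_issues(report, min_severity="high", fail_on_license=True):
    """Issues that should fail the build: vulnerabilities at or above
    min_severity, and every license issue when fail_on_license is set
    (a license issue means the license is unapproved under the org's policy)."""
    floor = SEVERITY_RANK[min_severity]
    selected = []
    for issue in report.get("vulnerabilities", []):
        if issue.get("type") == "license":
            if fail_on_license:
                selected.append(issue)
        elif SEVERITY_RANK.get(issue.get("severity", "low"), 0) >= floor:
            selected.append(issue)
    return selected


def low_confidence_matches(report, threshold=0.9):
    """(package, confidence, paths) for fingerprint matches below threshold,
    weakest first. Below ~90% the files were probably modified and may not be
    the original upstream source, so the version attribution needs review."""
    weak = []
    for pkg, details in report.get("fileSignaturesDetails", {}).items():
        confidence = float(details.get("confidence", 0.0))
        if confidence < threshold:
            weak.append((pkg, confidence, list(details.get("filePaths", []))))
    return sorted(weak, key=lambda item: item[1])


def evaluate_report(report, min_severity="high", fail_on_license=True, threshold=0.9):
    """Summarise a parsed report. Low-confidence matches are surfaced for a
    human to check but do not fail the build by themselves; policy issues do."""
    issues = failing_issues(report, min_severity, fail_on_license)
    weak = low_confidence_matches(report, threshold)
    return {
        "ok": not issues,
        "failing_ids": [issue["id"] for issue in issues],
        "low_confidence": [pkg for pkg, _, _ in weak],
    }


def evaluate(report_text, **kwargs):
    """Same as evaluate_report, but starting from the raw JSON text."""
    return evaluate_report(json.loads(report_text), **kwargs)


if __name__ == "__main__":
    # Usage: snyk test --unmanaged --json > report.json; python gate.py report.json
    # Without an argument the constructed SAMPLE_REPORT is used.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for pkg, confidence, paths in low_confidence_matches(report):
        print(f"WARN {pkg}: match confidence {confidence:.0%}; check {', '.join(paths)}")
    result = evaluate_report(report)
    for issue_id in result["failing_ids"]:
        print(f"FAIL {issue_id}")
    sys.exit(0 if result["ok"] else 1)
```

The gate fails only on policy issues (unapproved licenses and vulnerabilities at or above the chosen severity); weak fingerprint matches are printed as warnings because a modified vendored copy may be a backport or a local fix, which needs a person to confirm whether the reported version, and therefore the findings attached to it, is still accurate.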
License policy text during the Beta phase
License Compliance allows a company to create a license policy for its open source components, indicating which licenses are not approved for use. To access License Compliance, you must be on a Snyk Team or Enterprise plan. Snyk detects and alerts when a match is found. The alert contains the name of the license and the license policy text.
License policy text is the text your administrators associate with the issue; it provides custom direction on what to do, or explains why the license is contrary to the policy, if it is found in your application.
In the CLI output, the license policy text appears at the bottom of the issue, giving you directions on what to do if the license is found.
Alternate testing options
If you use advanced dependency management strategies, you might not use the standard, commonly used package managers. For that reason, Snyk provides test APIs. For C/C++, if you know the open source packages and versions included in the application but do not have their source code, you can use the List issues for a package endpoint to perform the analysis.
Options and plugins
To help generate reports locally or at build time, see the snyk-to-html plugin.
See the --json and --sarif options for generating output that can be accessed programmatically. For advanced filtering options, see snyk-filter.