Guidance for Snyk for C/C++

open-sourceThis page reviews considerations about languages and package managers, to help you apply Snyk effectively in your technology stack.

Code analysis

  • Snyk does not compile or require a build to perform analysis.

  • Snyk Code analyzes source code directly.

  • If you precompile components, make the source available during the scan.

Open source and licensing

In the case of package managers like npm or Maven, Snyk traditionally uses the managed open-source capabilities of snyk test and snyk monitor. In the case of C/C++, Snyk supports unmanaged dependencies by adding --unmanaged.

Snyk does not hook into a build nor rely on a build to perform scanning. Snyk performs analysis from source code.

  • Open Source source code must be present.

  • Snyk fingerprints files and compares them to the Snyk database to identify packages, versions, licenses, and vulnerabilities.

Snyk Integrations and common usage patterns

IDE

With Snyk Code

No additional options are required. The Snyk plugin has views within the IDE for displaying results.

With Snyk Open Source

Under Additional Parameters in the IDE settings, enter the --unmanaged option to scan for C/C++ open source dependencies.

CLI Tips and tricks

Codebase

Snyk does not rely on a build to perform analysis. Only the source code is required.

Open the directory of the source code in the terminal and run the following command:

snyk code test

If you precompile components, the source code should still be present to get the best results and coverage.

For reporting, you can generate reports using the snyk-to-html plugin to generate reporting artifacts. Additionally, there are JSON and SARIF export capabilities for programmatic access to results, using the options --json and --sarif, respectively. For more information, see Exporting the test results to a JSON or SARIF file.

Open Source libraries

For C/C++ open source, use the --unmanaged option to analyze license compliance issues and known security issues associated with open source.

snyk test --unmanaged

See Snyk for C/C++ for details.

  • To test, ensure the open source source code is present; it may be placed in a vendor folder.

  • If you precompile open source, the open source code must still be present. For Snyk to make an accurate comparison with its existing knowledge base, the open source code must remain present.

Similarly, for monitoring and sharing reporting, use the following command:

snyk monitor --unmanaged --org=<org-id>

where org-id is found under your Organization settings in the Snyk web interface, Although the Organization ID is not required, it is strongly recommended that you use it. As with Snyk Code, you can generate reports using the snyk-to-html plugin to generate reporting artifacts.

  • For individual or personal scans, use the CLI or IDE, and use the snyk monitor --unmanaged command to upload results.

    • However, Snyk recommends that you send these results to your personal folder and disable the scheduled scanning in the Project settings to ensure an individual scan does not cause noise.

    • This provides license and policy information in a viewable state.

  • For automated scans, such as CI/CD, use snyk monitor --unmanaged and send results to the Organization of your choice. This provides license and policy information in a viewable state.

Dependency lists

Use --print-deps when performing open source scans to obtain a detailed list of discovered dependencies in your codebase and their origin source.

In C/C++, this has the additional benefit of identifying the confidence level of a given match. If there is a significant drop (< 90% confidence), it is likely the file has been modified and may not be the original source. Consider investigating if that is the case.

snyk test --unmanaged --print-deps

The list is printed before the issues list, as shown in the following image:

License policy

Feature availability The License Compliance feature is available on the Snyk Team or Enterprise plan.

This feature allows a company to create a license policy for Open Source applications, indicating what licenses are not approved for use. When Snyk detects a match for a license that is not approved, Snyk sends an alert. This alert contains the name of the license and license policy text.

License policy text is associated with the license issue by your administrators. This text provides custom direction on what to do or why the license issue is contrary to the policy.

The following shows a license policy text example at the bottom of the screen, giving you directions on what to do if the license is found.

Alternate testing options

If you develop advanced dependency management strategies, you might not use the standard and frequently used package managers. For that reason, Snyk has provided test APIs. In the case of C++, if you know the open-source packages and versions that are included in the application but do not have the source code, you can use the endpoint List issues for a package to do the analysis.

Options and plugins

  • To help generate reports locally or at build time, see snyk-to-html plugin.

  • See --json and --sarif options for generating output that can be programmatically accessed.

  • For advanced filtering options, see snyk-filter.

Last updated

More information

Snyk privacy policy

© 2024 Snyk Limited | All product and company names and logos are trademarks of their respective owners.