Snyk’s wizard walks you through finding and fixing the known vulnerabilities in your project.
The wizard leverages the separate
monitor actions, supported by an interactive workflow.
To run the wizard:
- Navigate to your project folder
yarn.lock file is detected in your folder, the wizard asks you whether to treat the project as a Yarn project (the default answer), or as an npm project.
The wizard goes through multiple phases. First, it takes stock of which dependencies are locally installed, queries the snyk service for related known vulnerabilities, and asks you how you want to address each vulnerability that was found. As you answer the questions, the wizard creates a Snyk policy file, stored in a file named
.snyk, which will guide future Snyk commands.
Here are the possible remediation steps for each vulnerability:
Upgrade- if upgrading a direct dependency can fix the current vulnerability, the wizard can automatically modify your package.json file to use the newer version and uses npm or yarn to apply the changes.
Patch - Sometimes there is no direct upgrade that can address the vulnerability, or there is one but you can’t upgrade due to functional reasons (e.g. it’s a major breaking change). For such cases, the wizard lets you patch the issue (using patches the Snyk team created and maintain). This option will make the minimal modifications to your locally installed module files to fix the vulnerability. It will also update the policy to patch this issue when running snyk protect, as shown below.
Ignore - If you believe this vulnerability is not exploitable, you can set the Snyk policy to ignore this vulnerability. By default, we will ignore the vulnerability for 30 days, to avoid easily hiding a true issue. If you want to ignore it permanently, you can use the snyk ignore command, or manually edit the generated .snyk file. If neither a patch nor an upgrade are available, you can choose to ignore the issue for now, and we’ll notify you when a new patch or upgrade is available.
If more than one vulnerability is introduced via the same module, then the wizard groups them. You can upgrade, patch or ignore all of them; or if you want to see more details, you can review each vulnerability separately.
Snyk's wizard will:
* Enumerate your local dependencies and query Snyk's servers for vulnerabilities
* Guide you through fixing found vulnerabilities
* Create a .snyk policy file to guide snyk commands such as test and protect
* Remember your dependencies to alert you when new vulnerabilities are disclosed
Loading dependencies... Querying vulnerabilities database... Tested 446 dependencies for known vulnerabilities,found 8 vulnerabilities, 20 vulnerable paths. ?High severity vuln found in firstname.lastname@example.org, introduced via email@example.com - desc: ReDoS via long string of semicolons - info: <a title="Vulnerability report." href="https://snyk.io/vuln/npm:tough-cookie:20160722">https://snyk.io/vuln/npm:tough-cookie:20160722</a> - from: firstname.lastname@example.org > email@example.com > firstname.lastname@example.org > email@example.com< Upgrade ? 6 vulnerabilities introduced via firstname.lastname@example.org - info: <a title="Package test report." href="https://snyk.io/package/npm/falcor-router-demo/1.0.5">https://snyk.io/package/npm/falcor-router-demo/1.0.5</a> Remediation options (Use arrow keys) ❯ Re-install email@example.com (triggers upgrade to firstname.lastname@example.org, email@example.com) Review vulnerabilities separately Set to ignore for 30 days (updates policy) Skip</code>
Once all the issues are addressed,
snyk wizard will optionally integrate some tests and protection steps into your package.json file:
1) It can add
snyk test to the test script, which will query your local dependencies for vulnerabilities and err if found (except those you chose to ignore).
2) If you chose to patch an issue, the wizard will optionally add
snyk protect to your project as a post-install step. This is helpful if you publish this module, as it will repeatedly patch the issues specified in .
snyk every time a module is installed.
Lastly, the wizard will create the
.snyk file, modify
package.json and use npm or yarn to apply the changes. To monitor your project for new vulnerabilities, the wizard takes a snapshot of your current dependencies (similar to running
snyk monitor). You can see all the snapshots for a project on the snyk website. We'll notify you via email if you're affected by newly disclosed vulnerabilities in them, or when a previously unavailable patch or upgrade path are available.
A few things to note:
- The wizard doesn’t perform any git (or source control) actions, so be sure to add the .snyk file to your repository.
- Subsequent runs of the wizard will not show items previously ignored. To start a-fresh, run snyk wizard --ignore-policy.
- By default, both wizard and test ignore devDependencies. To test those, add the --dev flag.