Add Support for Snyk
Once Package URL is implemented by Snyk, enhance Dependency-Track to be able to support the analysis of SBoMs using Snyk as a source of vulnerability intelligence.
Snyk API access requires a paid plan (standard, pro, or enterprise).
Depends on: https://github.com/snyk/snyk/issues/210
@stevespringett I've been working on Snyk vulnerability analysis integration upon BOM upload in DT. It will act as an analyser similar to OSS Index. It'll call the Snyk API for every component purl scanned.
Project vulnerabilities in DT will look like:
Branch with code changes -> https://github.com/sahibamittal/dependency-track/tree/snyk-integration
That's fantastic. Does Snyk have an API that we can use to send multiple components in a request, similar to OSS Index where we sent 100 components at a time?
No, sadly, not for now; this is an initial version supporting two packages (maven, npm). It now enables querying the API with the purl URL-encoded. Currently, there are only two endpoints:
- List all vulnerabilities of a package by purl specification: `GET /packages/{purl_specification}/vulnerabilities`
- List all vulnerabilities of a package: `GET /vulns/{package_manager_name}/{package_name}/{package_version}`
https://apidocs.snyk.io/?version=2022-04-04%7Eexperimental#get-/packages/-purl_specification-/vulnerabilities
The initial implementation (#2070) will attempt to work around the missing batching functionality by distributing the analysis requests to a configurable amount of threads (fixed-size thread pool shared across analyzer instances, default size of 10). Will need to observe how well this works in production.
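As an added illustration (not code from Dependency-Track or from #2070): one request per component purl against the `GET /packages/{purl_specification}/vulnerabilities` endpoint listed above, fanned out over a shared fixed-size thread pool because no batch endpoint exists. The REST base URL, the injected `fetch` function, the response shape and the sample responses are assumptions; only the endpoint path, the version tag and the default pool size of 10 come from this thread.

```python
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import quote

# Assumed values for this illustration (not taken from the issue): the REST base URL
# and the JSON:API-style response shape. The pool default of 10 is the one the thread states.
SNYK_API = "https://api.snyk.io/rest"
API_VERSION = "2022-04-04~experimental"   # version tag from the docs link above
SUPPORTED_TYPES = {"maven", "npm"}        # ecosystems the initial version handles
DEFAULT_THREADS = 10


def purl_type(purl: str) -> str:
    """Return the purl type, e.g. 'maven' for 'pkg:maven/g/a@1.0'."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def package_vulns_url(purl: str, base: str = SNYK_API) -> str:
    """Build GET /packages/{purl_specification}/vulnerabilities.

    The purl travels as ONE path segment, so every reserved character in it
    (':', '/', '@', '?', '#') must be percent-encoded; quote(..., safe='') does
    that. '~' is unreserved, so the version tag may stay literal (%7E is equivalent)."""
    return f"{base}/packages/{quote(purl, safe='')}/vulnerabilities?version={API_VERSION}"


def vuln_ids(response: dict) -> list:
    """Pull issue ids out of an assumed JSON:API body: {"data": [{"id": ...}, ...]}."""
    return [item["id"] for item in response.get("data", [])]


def analyze_components(purls, fetch, threads=DEFAULT_THREADS):
    """Query one purl per request on a shared fixed-size pool.

    `fetch(url) -> dict` is injected so this runs offline; a real one is an
    authenticated HTTP GET. Returns {purl: [ids]} for analysed components and
    {purl: None} where no verdict exists (unsupported ecosystem or failed call),
    so one failure never aborts the whole analysis."""
    def one(purl):
        if purl_type(purl) not in SUPPORTED_TYPES:
            return purl, None              # not queried at all
        try:
            return purl, vuln_ids(fetch(package_vulns_url(purl)))
        except Exception:                  # network/HTTP error: leave it for a retry
            return purl, None
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return dict(pool.map(one, purls))


# Constructed sample responses standing in for the Snyk API (ids are made up).
FAKE_API = {
    package_vulns_url("pkg:maven/org.example/lib@1.2.3"): {"data": [{"id": "SNYK-EXAMPLE-1"}]},
    package_vulns_url("pkg:npm/example-pkg@4.0.0"): {"data": []},
}


def fake_fetch(url):
    return FAKE_API[url]   # KeyError stands in for a failed HTTP call
```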