Snyk integration - does it need a commercial Snyk license

[nigellh]

Hi.

We were sent a Mend output that showed a significant number of vulnerabilities more than DT was showing is. (28 from Mend vs 7 from DT (NVD+Sonatype)).

On digging I can see all the missing ones appearing in the Snyk database.

I can see that DT has Snyk integration in Beta. I tried setting it up with a private Snyk key and I am getting nothing, but looking at the logs, it was showing nothing there as well. So not logging that I had even turned the Snyk analyser on.

So this is the setup.

• does it appear correct?
• do I actually need a commercial license to get it to work?
• should I see anything in the logs when I switch it on.

Anything else??? :-)

[nigellh]

Came in this morning and checking the logs it is clearly trying to run the Snyk analyser

�[36mdtrack-apiserver_1  |�[0m 2023-07-19 09:30:12,206 INFO [SnykAnalysisTask] Starting Snyk vulnerability analysis task
�[36mdtrack-apiserver_1  |�[0m 2023-07-19 09:30:12,444 ERROR [SnykAnalysisTask] HTTP Status : 401 Unauthorized
�[36mdtrack-apiserver_1  |�[0m 2023-07-19 09:30:12,444 ERROR [SnykAnalysisTask]  - Analyzer URL : https://api.snyk.io/rest/orgs/nigellh-slss/packages/pkg%3Anpm%2F%2540carbon%2Flayout%4010.9.2/issues?version=2022-11-14
�[36mdtrack-apiserver_1  |�[0m 2023-07-19 09:30:12,452 ERROR [SnykAnalysisTask] HTTP Status : 401 Unauthorized
�[36mdtrack-apiserver_1  |�[0m 2023-07-19 09:30:12,452 ERROR [SnykAnalysisTask]  - Analyzer URL : https://api.snyk.io/rest/orgs/nigellh-slss/packages/pkg%3Anpm%2F%2540babel%2Fruntime%407.17.2/issues?version=2022-11-14
�[36mdtrack-apiserver_1  |�[0m 2023-07-19 09:30:12,452 ERROR [SnykAnalysisTask] HTTP Status : 401 Unauthorized
�[36mdtrack-apiserver_1  |�[0m 2023-07-19 09:30:12,452 ERROR [SnykAnalysisTask]  - Analyzer URL : https://api.snyk.io/rest/orgs/nigellh-slss/packages/pkg%3Anpm%2F%2540carbon%2Ficons-react%4010.10.2/issues?version=2022-11-14

So guessing it is the API token? Any help gratefully received!

[nscuro]

What plan are you on? AFAICT, REST API access is only granted with the Enterprise plan.

If you're on the enterprise plan, you can test whether your token is valid / authorized to use the API here: https://apidocs.snyk.io/?version=2023-06-23%7Ebeta#auth

Additionally, there's an open issue to implement a "Test Connection" button for the Snyk integration: #2395

[nigellh]

Thanks, I did wonder if it needed the Enterprise plan. I do not have that, but will check my token against the link you have sent. Much appreciated.

[nscuro]

Glad I could help. I will add a note about this to the docs and the frontend, indeed it is not straightforward to figure out.