Snyk test returns Failed to test pip project error - snyk

I'm running a security scan with the Snyk CLI for a Python project. Unfortunately the snyk test command returns a Failed to test pip project error. What am I missing? snyk test works just fine while scanning an npm project.
$ snyk test --file=requirements.txt
Failed to test pip project

I found the cause. Basically you need to do two things:
Make sure that packages that your project uses are installed.
Make sure that you are using correct python.
Solution
$ pip3 install -r requirements.txt
$ snyk test --file=requirements.txt --command=python3
Info
You can bypass missing python packages by passing the --allow-missing pip parameter through snyk by using the additional -- argument.
$ snyk test --file=requirements.txt --command=python3 -- --allow-missing
Docs
-- [COMPILER_OPTIONS]
Pass extra arguments directly to Gradle or Maven. E.g. snyk test
-- --build-cache
Python options
--command=COMMAND
Indicate which specific Python commands to use based on Python version. The default is python, which executes your system's default python version. Run 'python -V' to find out what version it is. If you are using multiple Python versions, use this parameter to specify the correct Python command for execution.
Default: python Example: --command=python3
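To make the two conditions in the answer above checkable before calling snyk, here is an added preflight (not from the answer or from Snyk): it parses requirements.txt, lists which packages are absent from the interpreter that --command will name, and only forwards --allow-missing to pip when something really is missing. The requirements content in the test is constructed.

```python
from __future__ import annotations
import importlib.metadata
import re
import shlex
import sys

# Added example: Snyk resolves the dependency tree with the interpreter
# named by --command, so every package in requirements.txt must be
# installed for *that* interpreter or the pip test fails.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name: str) -> str:
    """PEP 503 normalization: 'Flask_Login' and 'flask-login' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[str]:
    """Normalized project names; skips comments, pip options (-r, --index-url),
    URL/path requirements, and strips extras, specifiers and env markers."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("-", ".", "/")) or "://" in line:
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def installed_names() -> set[str]:
    """Distribution names visible to this interpreter (sys.executable)."""
    found = (d.metadata.get("Name") for d in importlib.metadata.distributions())
    return {normalize(n) for n in found if n}

def missing_packages(required: list[str], installed: set[str] | None = None) -> list[str]:
    """Required names absent from `installed` (defaults to this interpreter)."""
    have = installed_names() if installed is None else installed
    return [n for n in required if n not in have]

def snyk_command(req_file: str, python_exe: str, missing: list[str]) -> str:
    """--command pins the interpreter; --allow-missing goes to pip after the
    -- separator only when packages are genuinely absent."""
    cmd = ["snyk", "test", f"--file={req_file}", f"--command={python_exe}"]
    if missing:
        cmd += ["--", "--allow-missing"]
    return shlex.join(cmd)

if __name__ == "__main__":
    reqs = parse_requirements(open("requirements.txt").read())
    print(snyk_command("requirements.txt", sys.executable, missing_packages(reqs)))
```

Run it with the same interpreter you intend to pass to --command (for a venv, its bin/python), so the "installed" view matches what snyk will see.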

The snyk monitor command will also return undefined if it is not run with
pip3 install -r requirements.txt
snyk test --file=requirements.txt --command=python3
snyk monitor --file=requirements.txt --command=python3

If you are using Snyk and VScode, and you open a repo that has a Python VirtualEnv, you can get this error in your VScode terminal window.
[Error] Open Source Security test failed for "/home/{user}/path/to/repo". Failed to test pip project
Fix for VScode:
Close that VScode window.
From a terminal, navigate to the top folder of that repo.
Run the command to activate the virtual env
Example: . .venv/bin/activate
Open VScode for that folder
Example: run code .
The Snyk Open Source Security test should run without that error now.

If you are using virtual environments, then make sure you have activated the venv with
. venv/Scripts/activate
Then try running Snyk Test again.
Snyk monitor and other cli commands should work from that! :)

Related

Group Snyk projects in a target in Snyk.io

I'm exploring snyk for some vulnerability detection in our repos.
A repo usually contains:
Dockerfile
IaC (CloudFormation)
package.json and dependencies (or Pipfile in Python).
Now I run the following commands:
$ snyk iac test --severity-threshold=high --report --target-name=company/app
$ snyk test --project-name=company/app
$ snyk container test --project-name=company/app --severity-threshold=high <some-image> --policy-path=.snyk
This works fine, but only the snyk iac test generates a report which is uploaded in snyk.io. Is there a way to do this for the other tests?
I was thinking to enable the monitoring after these commands e.g.
snyk monitor --project-name='company/app'
The problem here is that it suddenly uses a different "target" in snyk.io
While my IAC report is in target 'company/app', my snyk monitor report is in target /company/app.git
And when I run
snyk container monitor --project-name='company/app' <some-image>
Then the report is in a target called "some-image".
Is it possible to have everything in the same Snyk target or is this not how Snyk is supposed to work? I would prefer to have one target in which you can see the reports/monitoring for IaC, deps and Docker.

Snyk monitor command is failing

I am running below SNYK command for standard WAS application.
snyk monitor --all-projects
It is failing because there is a war-src module which contains a ${project.version} tag, and this version is mentioned in the main pom.xml inside a property tag. When I run the snyk monitor command it is not picking up the version ${project.version} and throws an error.
In the Snyk documentation I saw that we can pass Maven options using the build tool command. Is the command mentioned below correct? If not, please let me know how I can make use of this.
snyk monitor --all-projects -- -Dproject.version=2.1.0
Yes. You can use the double dash to pass additional arguments to Maven. The command you wrote is the correct way to pass the -Dproject.version=2.1.0 argument to Maven.

The Command Prompt is not recognizing http

I'm trying to install the Google App Engine.
I have Cloud SDK v260.0.0 and Python 2.7.9
When I run the command:
http://code.google.com/appengine/gcloud components install app-engine-python from the cmd
it gives me the error:
'http:' is not recognized as an internal or external command,
operable program or batch file.
What is going on?
I have Windows 10 and I'm running from the Directory:
C:\Users\MyName\AppData\Local\Google\Cloud SDK
Here is the Guide to install app engine for Python 2.
Since you mentioned that Python and the Google Cloud SDK have been installed, you might start from step 3 and run the following command in your terminal for the gcloud component:
gcloud components install app-engine-python
As Yanan C stated, you install App Engine with:
gcloud components install app-engine-python
However, I had to remove the link in the beginning.
Change:
http://code.google.com/appengine/gcloud components install app-engine-python
To:
gcloud components install app-engine-python

NaCl helper process running without a sandbox! error when running npm tests

I'm having a problem when running some npm tests. The error I'm receiving is: "NaCl helper process running without a sandbox!", which is true, as I'm running the browser with the "--no-sandbox" option. I have to use this option due to the fact that the browser runs as root, and I don't have an option to run it as a different user at all (it's a Docker image).
Can anyone please help me sort it out?
P.S. I'm installing the browser in the following way:
RUN apt-get update
RUN apt-get install -y nodejs npm
RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
RUN sh -c 'echo "deb https://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
RUN apt-get install -y apt-transport-https
RUN apt-get update
RUN apt-get install -y google-chrome-stable
Thanks in advance!
This error message...
NaCl helper process running without a sandbox!
...implies that you have no setuid sandbox on your system, hence the program was unable to initiate/spawn a new Browsing Context, i.e. a Chrome browser session.
Solution
A quick solution, if you want to run Chrome and only use the namespace sandbox, is to set the flag:
--disable-setuid-sandbox
This flag disables the setuid sandbox (Linux only). But if you do so on a host without appropriate kernel support for the namespace sandbox, Chrome will not spin up. As an alternative you can also use the flag:
--no-sandbox
This flag will disable the sandbox for all process types that are normally sandboxed.
Example:
chromeOptions: {
args: ['--disable-setuid-sandbox', '--no-sandbox']
},
You can find a detailed discussion in Security Considerations - ChromeDriver - Webdriver for Chrome
Deep dive
As per the documentation in Linux SUID Sandbox Development, google-chrome needs a SUID helper binary to turn on the sandbox on Linux. In the majority of cases you can install the proper sandbox using the command:
build/update-linux-sandbox.sh
This program will install the proper sandbox for you in /usr/local/sbin and tell you to update your .bashrc if required.
However, there can be some exceptions. As an example, if your setuid binary is out of date, you will get messages such as:
Running without the SUID sandbox!
Or
The setuid sandbox provides API version X, but you need Y
You are using a wrong version of the setuid binary!
In these cases, you need to:
Build chrome_sandbox whenever you build chrome (ninja -C xxx chrome chrome_sandbox instead of ninja -C xxx chrome)
After building, execute update-linux-sandbox.sh.
# needed if you build on NFS!
sudo cp out/Debug/chrome_sandbox /usr/local/sbin/chrome-devel-sandbox
sudo chown root:root /usr/local/sbin/chrome-devel-sandbox
sudo chmod 4755 /usr/local/sbin/chrome-devel-sandbox
Finally, you have to include the following line in your ~/.bashrc (or .zshenv):
export CHROME_DEVEL_SANDBOX=/usr/local/sbin/chrome-devel-sandbox
If you are using karma to run your tests, make sure you are using ChromeHeadless as the browser on karma.conf.js
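As an added preflight (not part of the answer above or of Chrome's own tooling), the following checks that the installed helper has the ownership and mode the answer sets, and then picks the least-permissive launch flags the host supports: no flags with a working setuid helper, --disable-setuid-sandbox when only the namespace sandbox is available, and --no-sandbox as the last resort. Whether the kernel supports the namespace sandbox is taken as an input here rather than probed.

```python
import os
import stat

# Added example, not from the answer: verify the chrome_sandbox helper the
# way Chrome expects it (root-owned, mode 4755) and choose launch flags
# that keep as much of the sandbox as the host allows.
SETUID_MODE = 0o4755  # rwsr-xr-x, what `chmod 4755` sets
DEFAULT_HELPER = "/usr/local/sbin/chrome-devel-sandbox"

def check_setuid_helper(path: str) -> list:
    """Reasons `path` is unusable as the SUID helper; an empty list means OK."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not found"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_uid != 0:
        problems.append(f"{path}: owner uid {st.st_uid}, expected root (0)")
    mode = stat.S_IMODE(st.st_mode)
    if mode != SETUID_MODE:
        problems.append(f"{path}: mode {mode:o}, expected {SETUID_MODE:o}")
    return problems

def chrome_args(helper_ok: bool, userns_supported: bool) -> list:
    """Least-privileged flags that still let Chrome start.
    helper_ok: both sandboxes stay on, no flags needed.
    userns only: drop the setuid layer, keep the namespace sandbox.
    neither: every normally sandboxed process type runs unsandboxed."""
    if helper_ok:
        return []
    if userns_supported:
        return ["--disable-setuid-sandbox"]
    return ["--no-sandbox"]

def preflight(userns_supported: bool, helper_path: str = "") -> dict:
    """Resolve the helper (CHROME_DEVEL_SANDBOX wins, as in the answer's
    .bashrc line), report problems and the resulting flags."""
    path = helper_path or os.environ.get("CHROME_DEVEL_SANDBOX", DEFAULT_HELPER)
    problems = check_setuid_helper(path)
    return {"helper": path, "problems": problems,
            "args": chrome_args(not problems, userns_supported)}

if __name__ == "__main__":
    print(preflight(userns_supported=True))
```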

Continue after reboot Linux custom script - Azure ARM template

I am trying to build an ARM JSON template and am facing a problem with the custom script extension, so I would appreciate your help.
This is the sample script that I am executing as a part of virtual machine extensions (Linux).
#!/usr/bin/bash
export AZURE_STORAGE_ACCOUNT="$1"
export AZURE_STORAGE_ACCESS_KEY="$2"
AZURE_STORAGE_CONTAINER="$3"
yum update -y
reboot
yum install -y epel-release
yum install -y gcc gcc-c++ kernel-devel ksh m4 sshpass nodejs npm
With this script the VM was able to install updates and reboot. However the command "yum install -y epel-release" and the following commands were not executed. Also, during deployment this operation hangs and times out.
Can you help suggest how to solve this situation using the JSON ARM template, the custom script extension, or any Linux workaround?
Probably PowerShell DSC can help you achieve that (configure certain properties to force the configuration to continue after reboot), or split your configuration into 2 scripts and deploy them independently of each other, so the first script reboots the machine, and after that the second script should start working as soon as the VM becomes available and waagent talks to Azure.