Best practices for C/C++ | Snyk User Docs (2024)

Use this guide to apply Snyk effectively in your technology stack.

Language and package manager considerations

Code analysis

  • Snyk does not compile or require a build to perform analysis.

  • Snyk Code analyzes source code directly.

  • If you precompile components, make the source available during the scan.

Open source and licensing

In the case of package managers like npm or maven, it traditionally uses the managed open source capabilities of snyk test and snyk monitor. In the case of C/C++, Snyk supports unmanaged dependencies by adding --unmanaged.

Snyk does not hook into a build nor rely on a build to perform scanning. Snyk performs analysis from source code.

  • Open Source source code must be present.

  • Snyk fingerprints files and compares them to the Snyk database to identify packages, versions, licenses, and vulnerabilities.

Snyk Integrations and common usage patterns

See Also
C/C++ | Snyk User DocsMemory Safe Programming Languages to LearnWhat is Scrum? [+ How to Start] | AtlassianLearn C++ from scratch: The complete guide for beginners

IDE

With Snyk Code

No additional options are required. The Snyk plugin has views within the IDE for displaying results.

With Snyk Open Source

Under Additional Parameters in the IDE settings, enter the --unmanaged option to scan for C/C++ open source dependencies.

CLI Tips and tricks

🔗 CLI cheat sheet

What to test

Use the --help option in the CLI for details of Snyk CLI commands.

🔗 CLI commands and options summary

Codebase

Snyk does not rely on a build to perform analysis. Only the source code is required.

Open the directory of the source code in the terminal and run the following command:

snyk code test

If you precompile components, the source code should still be present to get the best results and coverage.

For reporting, you can generate reports using the snyk-to-html plugin to generate reporting artifacts. Additionally, there are JSON and SARIF export capabilities for programmatic access to results, using --json and --sarif, respectively. See Exporting the test results to a JSON or SARIF file.

Open Source libraries

For C/C++ open source, use the --unmanaged option to analyze license compliance issues and known security issues associated with open source. See Snyk for C/C++ for details.

  • To test, make sure the open source source code is present, and it may be placed in a vendor folder.

  • If you precompile open source, the open source code must still be present. For Snyk to make an accurate comparison with its existing knowledge base, the open source code must remain present.

snyk test --unmanaged

Similarly, for monitoring and sharing reporting:

snyk monitor --unmanaged --org=<org-id>

Where org-id is found under your Organization settings in the Snyk web interface, although the Organization id is not required, it's strongly suggested. Like Snyk Code, you can generate reports using the snyk-to-html plugin to generate reporting artifacts.

  • For individual or personal scans, use the CLI or IDE and use the snyk monitor --unmanaged command to upload results, but the recommendation is you send these results to your personal folder and disable the scheduled scanning in the Project settings to ensure an individual scan does not cause noise. This provides license/policy information in a viewable state.

  • For automated scans, such as CI/CD, use snyk monitor --unmanaged and send results to the Organization of your choice. This provides license/policy information in a viewable state.

Dependency lists

Use --print-deps when performing open source scans to obtain a detailed list of discovered dependencies in your codebase and their origin source.

In C/C++, this has the additional benefit of identifying the confidence level of a given match. If there is a significant drop (< 90% confidence), it's likely the file has been modified and may not be the original source. Consider investigating if that's the case.

snyk test --unmanaged --print-deps

The list is printed before the issues list, as shown below:

Best practices for C/C++ | Snyk User Docs (1)

License policy text during the Beta phase

License Compliance allows a company to create a license policy for your Open Source, indicating what licenses are not approved for use. To access License Compliance, you must be on a Snyk Team or Enterprise plan. Snyk detects and alerts when a match is found. The alert contains the name of the license and license policy text.

License policy text is the text associated with the issue by your administrators that provides custom direction on what to do or why it's contrary to the policy, if it's found in your application.

Below, you can see the license policy text example at the bottom of the screen, giving you directions on what to do if the license is found.

Alternate testing options

If you develop advanced dependency management strategies, you might not use the standard/well-traveled package managers. For that reason, Snyk has provided test APIs. In the case of C++, if you know the OS packages/versions that are included in the application but don't have the source code, the purl API can be used to do this analysis.

🔗 PURL See Purl issues

Options and plugins

  • To help generate reports locally or at build time, see snyk-to-html plugin.

  • See --json and --sarif options for generating output that can be programmatically accessed.

  • For advanced filtering options, see snyk-filter.

Best practices for C/C++ | Snyk User Docs (2024)

References

Top Articles
Creamy Broccoli Apple Salad Recipe with Walnuts
Easy Greek Seasoning Recipe - Evolving Table
FLOORING FLOORS FLOOR CARPET VINYL Plank. TILE LAMINATE INSTALLATION - skilled trade services - craigslist
Cars For Sale By Owner For Sale in New Bedford, MA
Beste Berk Ifsa
Violent Night Showtimes Near Emagine Portage
Zillow Sd
Craigslist In Washington Dc | MercadoLibre 📦
Best horror movies of 2024 to stream on Netflix, Max, Hulu, Shudder and more
Watch ""OFFICIAL"" Inside Out 2 (2024) Online For Free At FullMovie English Sub
Grattan on Friday: the Assange light and sound show overshadows Albanese government’s problems
The Assange light and sound show overshadows government problems but it can't last
Latest Posts
20 Healthy Easy Dinner Recipes
No Bake Brownie Bites - 3 Ingredient, Easy Recipe!
Article information

Author: Tuan Roob DDS

Last Updated:

Views: 5836

Rating: 4.1 / 5 (42 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Tuan Roob DDS

Birthday: 1999-11-20

Address: Suite 592 642 Pfannerstill Island, South Keila, LA 74970-3076

Phone: +9617721773649

Job: Marketing Producer

Hobby: Skydiving, Flag Football, Knitting, Running, Lego building, Hunting, Juggling

Introduction: My name is Tuan Roob DDS, I am a friendly, good, energetic, faithful, fantastic, gentle, enchanting person who loves writing and wants to share my knowledge and understanding with you.