.net azure-pipelines snyk

Using Snyk Build Task in Azure DevOps Pipeline Error for .Net 8 Project


I am using Snyk Security Scan Task in Azure DevOps Pipeline for .Net 8 Project but I am getting the following error:

          Starting: SnykSecurityScan
        ==============================================================================
        Task         : Snyk Security Scan
        Description  : Azure Pipelines Task for Snyk
        Version      : 1.7.1
        Author       : Snyk
        Help         : 
        ==============================================================================
        Getting Snyk download info for platform: 0 version: stable
        Downloading executable to: C:\agent\_work\_temp\snyk-win.exe
        Downloading: snyk-win.exe from: https://downloads.snyk.io/cli/stable/snyk-win.exe?utm_source=AZURE_PIPELINES
        Download connection closed for https://downloads.snyk.io/cli/stable/snyk-win.exe?utm_source=AZURE_PIPELINES
        File.close snyk-win.exe saved to C:\agent\_work\_temp\snyk-win.exe
        Download successful for snyk-win.exe
        Downloading executable to: C:\agent\_work\_temp\snyk-to-html-win.exe
        Downloading: snyk-to-html-win.exe from: https://downloads.snyk.io/snyk-to-html/latest/snyk-to-html-win.exe?utm_source=AZURE_PIPELINES
        Download connection closed for https://downloads.snyk.io/snyk-to-html/latest/snyk-to-html-win.exe?utm_source=AZURE_PIPELINES
        File.close snyk-to-html-win.exe saved to C:\agent\_work\_temp\snyk-to-html-win.exe
        Download successful for snyk-to-html-win.exe
        project name contains space
        C:\agent\_work\_temp\snyk-win.exe test --severity-threshold=low --org=myOrg "--project-name=\"Project Name\"" --json-file-output=C:\agent\_work\_temp\report-2024-11-20T15-06-37.json

        Testing C:\agent\_work\8\s...

        Could not detect supported target files in C:\agent\_work\8\s.
        Please see our documentation for supported languages and target files: https://snyk.co/udVgQ and make sure you are in the right directory.



        **********************************
        ** Snyk task will fail pipeline **
        **************************************

        failing task because `snyk` was improperly used or had other errors
        C:\agent\_work\_temp\report-2024-11-20T15-06-37.json does not exist... cannot attach
        C:\agent\_work\_temp\report-2024-11-20T15-06-37.html exists... attaching file
        ##[error]failing task because `snyk` was improperly used or had other errors
        Finishing: SnykSecurityScan              

We are using a self-hosted build agent.

Does Snyk not support .Net 8 or is there something else I'm missing? I am using the Free version of Snyk.

Here is the YAML in my pipeline:

    - task: SnykSecurityScan@1
      inputs:
        serviceConnectionEndpoint: 'Snyk Connection'
        testType: 'app'
        monitorWhen: 'always'
        failOnIssues: true
        projectName: 'Project Name'
        organization: 'myOrg'

I'm expecting the security report to be generated based on my .Net web API solution.


Solution

  • Does Snyk not support .Net 8 or is there something else I'm missing?

    Yes. Snyk supports scanning .NET 8 projects. Refer to this doc: guidance-for-snyk-for-.net

    Snyk will scan based on the project.assets.json file or the packages.config file -> packages folder.

    In this case, before running the Snyk Security Scan task, you need to run dotnet restore / nuget restore to generate the required file (project.assets.json) or packages folder.

    I can reproduce the same issue when using the same task definition.


    To solve this issue, you can refer to the following Pipeline sample:

    steps:
    - task: DotNetCoreCLI@2
      inputs:
        command: 'build'
        projects: '**/*.csproj'
    
    - task: SnykSecurityScan@1
      inputs:
        serviceConnectionEndpoint: 'xxx'
        testType: 'app'
        monitorWhen: 'always'
        organization: 'myOrg'
        failOnIssues: true
        additionalArguments: '--all-projects'
    

    You can set the --all-projects argument and remove the projectName field in the task. In this case, it will scan all package managers and .sln files.

    Or you can set the targetFile field in the task to specify a single file to scan.

    For example:

    steps:
    - task: DotNetCoreCLI@2
      inputs:
        command: 'build'
        projects: '**/*.csproj'
    
    
    - task: SnykSecurityScan@1
      inputs:
        serviceConnectionEndpoint: 'xx'
        testType: 'app'
        targetFile: '$(build.sourcesdirectory)/.../yourpath/project.assets.json'
        monitorWhen: 'always'
        failOnIssues: true
        projectName: 'ProjectName'
        organization: 'Myorg'
     
    

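A pre-flight check for the restore requirement described in the answer, added here as an example (it is not part of the original answer and not Snyk's own tooling). It assumes the default SDK layout, where restore writes `obj/project.assets.json` next to each `.csproj`, and a NuGet `packages` folder somewhere between the project and the repository root for `packages.config` projects; the function names are hypothetical.

```python
import sys
from pathlib import Path


def has_packages_folder(project_dir: Path, root: Path) -> bool:
    """Look for a NuGet 'packages' folder from the project up to the repo root."""
    current = project_dir.resolve()
    root = root.resolve()
    while True:
        if (current / "packages").is_dir():
            return True
        if current == root or current.parent == current:
            return False
        current = current.parent


def unrestored_projects(root: Path) -> list[Path]:
    """Return .csproj files that lack both kinds of restore output the answer names."""
    missing = []
    for csproj in sorted(root.rglob("*.csproj")):
        project_dir = csproj.parent
        # Assumption: default SDK layout, where restore writes obj/project.assets.json.
        sdk_style = (project_dir / "obj" / "project.assets.json").is_file()
        # Assumption: packages.config projects restore into a 'packages' folder.
        legacy = (project_dir / "packages.config").is_file() and has_packages_folder(
            project_dir, root
        )
        if not (sdk_style or legacy):
            missing.append(csproj)
    return missing


def main(argv: list[str]) -> int:
    root = Path(argv[1] if len(argv) > 1 else ".")
    missing = unrestored_projects(root)
    for csproj in missing:
        # ##vso[task.logissue ...] is the Azure Pipelines logging command for an error.
        print(f"##vso[task.logissue type=error]{csproj}: "
              "run dotnet restore / nuget restore before the Snyk task")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a script step before `SnykSecurityScan@1`, passing the sources directory as the first argument; a non-zero exit stops the pipeline with one error line per project that has not been restored.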