
Snyk Code adds Apex, Swift language support + API, GraphQL security

source link: https://snyk.io/blog/snyk-code-adds-apex-swift-language-support-api-graphql-security/



Frank Fischer

October 27, 2021

Snyk Code has had a tremendous 2021. It started the year supporting three languages — Java, JavaScript, and TypeScript — and has since added Python, C#, PHP, Ruby, and Go. More languages and features are on the horizon, and in this article, we’re happy to announce the addition of Swift and Salesforce’s Apex support, as well as API and GraphQL security. Let’s get into it! 

Snyk Code supports Salesforce’s Apex

Snyk Code now supports security scanning for Salesforce’s Apex language. In 2016, Salesforce announced its Lightning Experience as a general framework to build frontends in Salesforce. It uses a model-view-controller (MVC) approach, with objects in Salesforce acting as the model, the view implemented as markup, and controllers written either in JavaScript on the client or in a language called Apex on the server.

Apex is a proprietary development language used on the Salesforce platform (Force.com). It was developed by Parker Harris, one of the founders of Salesforce, to enable more complex business logic and handling of data stored within the Salesforce platform. Apex’s design reflects this task: because Salesforce is a multi-tenant platform, keeping the runtimes of different tenants separate is a major concern, which is why Apex code executes under platform-enforced governor limits on CPU time, queries, and heap.

Apex is closely related to Java and C#: it is a strongly typed, object-oriented, case-insensitive language with dot notation and curly-bracket syntax. In the beginning, Apex was interpreted, but in 2012 a compiler was published. Building that compiler was not an easy task, as Apex is tightly integrated into the Salesforce platform, but it enabled better support in IDEs like Visual Studio Code.

Note: Salesforce’s Apex (Advanced Programming Experience) is not related to Oracle APEX (Oracle Application Express).

With this new support for Apex scans, Snyk Code opens a new chapter in SAST for the platform. It is extremely fast, so fast that it scans directly in your IDE and re-checks the effect of any fix as you make it. On top of that real-time speed, the engine scans the whole project against the whole knowledge base: no delta, differential or incremental scan, but a full one.

Snyk Code uses a human-guided machine learning process to build and maintain its knowledge base, using hundreds of thousands of open source projects (billions of lines of code) as training data and thereby learning from the collective knowledge of the global developer community. This process lets Snyk Code build knowledge bases quickly and maintain industry-leading accuracy. And as is standard for Snyk, Snyk Code is built with the developer in mind and embeds directly into the development process: IDE plugins, PR checks, priority scores, easy-to-understand suggestions, examples of how others in the same situation solved the issue at hand, and more.

Note: The relationship between Salesforce and Snyk is a close one. Salesforce is a customer of Snyk, as well as an investor in Snyk. We are very grateful for the trust Salesforce put in us.

We would love to show you Snyk Code scanning Apex or any other of the supported languages like JavaScript, Java, TypeScript, C#, Python, Ruby, Go, or PHP. 

Book a Snyk Code demo

Learn about the full range of Snyk Code SAST functionality in only 30 minutes.

Snyk Code supports Swift

Until 2014, Apple relied mainly on Objective-C, a language that had remained largely unchanged for over thirty years and lacked many modern language features. At its Worldwide Developers Conference in 2014, Apple announced a new language called Swift. One key message was that Swift interoperates with the large body of existing Objective-C code. Swift also retained several core concepts from Objective-C, such as dynamic dispatch, late binding, and extensible programming. One of the main reasons to introduce Swift was to do all this in a safer way: for example, optionals make the type system track whether a value may be absent, which addresses a whole class of null pointer dereference bugs at compile time. Swift also introduced what Apple calls protocol-oriented programming, similar to interfaces or traits.

Note: Swift gained the Most Loved Programming Language award by the StackOverflow Developer Survey in 2015. It fell to number 9 on the 2020 edition — in front of JavaScript.

Since then, Swift has seen some major additions, notably Apple’s version of the actor model. Swift was also open sourced and now runs on other platforms like Linux and Windows. The central page for the community is https://swift.org/, where you can find resources including supported platforms and tools. Still, if you think of Swift, you probably picture native mobile apps on the iOS platform, which remains the major use case for the language. While Objective-C is still used, Swift has gained popularity and now accounts for roughly double the market share of Objective-C.

Note: Snyk Code provides plugins for IDEs. JetBrains AppCode, JetBrains’ IDE for Xcode projects, is covered by the Snyk JetBrains plugin. The Visual Studio Code extension is shown below.

[Image: Snyk Code findings shown in the Visual Studio Code extension]

Snyk Code makes it extremely easy to scan your Swift applications. Just log into your Snyk account and add the repos to be scanned by clicking Add Project. The scan takes only a few minutes or even seconds, and each finding is displayed on the original code, showing the data flow from source to sink together with additional information and even examples of how others fixed the issue in a similar situation.

API security

APIs are an essential element of the overwhelming majority of applications today. In cloud applications, HTTP-based REST APIs, usually exchanging JSON, gained popularity because they are easy to set up and consume. In recent years, work on the shortcomings of REST APIs led to GraphQL, which we come back to later in this article.

To build or consume APIs, JavaScript or TypeScript is often used, and a variety of libraries are available to build them. But with great freedom comes great responsibility, and APIs are no exception: they are prone to some specific classes of attack.

Note: A great source to learn more about API security is the OWASP API Security Top 10.

Snyk Code added rules to identify and signal typical API issues. Additionally, a fix suggestion is then overlaid on the original source code with additional help in the form of examples of how others fixed the same issue in a similar situation. Let’s look at an example.

Typically, REST APIs provide access to individual data objects through a selective URL. For example, [Your URL]/api/v1/notes/345 would select note 345. To find out which elements are available to you, you can call a list endpoint that returns the available IDs. If these IDs are easy to guess (sequential integers, for instance) and the endpoint never checks that the calling user is allowed to see that particular object, an attacker can simply request a guessed ID and get the data delivered. This is called an insecure direct object reference (IDOR), and it is the classic instance of Broken Object Level Authorization, number one on the OWASP API Security Top 10. Note that authentication alone does not fix it: the attacker is a legitimate, logged-in user, just not the owner of note 345. Snyk Code provides coverage for this and similar issues, using a novel approach to static application security testing (SAST) to sense these types of issues. Not only will it inform the developer about possible issues, but it also helps to remedy them. Sometimes simply setting a flag within the library is the answer.
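To make the IDOR concrete, here is an added example (not code from the article or from Snyk) of a notes endpoint handler in its vulnerable form beside the fixed one, plus the enumeration loop an attacker would run against sequential IDs. The data store, user names and note IDs are constructed for illustration, and the handlers take a minimal `req` object in place of the Express request so the file runs stand-alone.

```javascript
// Added example (not from the article): an IDOR in a notes endpoint, beside the fix.
// All data and user names below are constructed for illustration.

// Constructed in-memory store standing in for the database behind /api/v1/notes/:id
const NOTES = new Map([
  [344, { id: 344, ownerId: "alice", body: "alice's grocery list" }],
  [345, { id: 345, ownerId: "bob", body: "bob's salary notes" }],
  [346, { id: 346, ownerId: "alice", body: "alice's travel plans" }],
]);

// Vulnerable handler: it authenticates (a user must be logged in) but never
// authorizes. Any logged-in user can read any note whose ID they can guess.
function getNoteVulnerable(req) {
  if (!req.user) return { status: 401, body: { error: "login required" } };
  const note = NOTES.get(Number(req.params.id));
  if (!note) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: note };
}

// Fixed handler: object-level authorization. A note owned by someone else is
// reported as 404 rather than 403 so the response does not confirm that the
// ID exists, which would otherwise still let an attacker map the ID space.
function getNoteFixed(req) {
  if (!req.user) return { status: 401, body: { error: "login required" } };
  const note = NOTES.get(Number(req.params.id));
  if (!note || note.ownerId !== req.user.id) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: note };
}

// What an attacker does with sequential IDs: walk a range and keep every ID
// that returns 200. With the vulnerable handler this leaks everyone's notes.
function enumerateIds(handler, user, from, to) {
  const leaked = [];
  for (let id = from; id <= to; id++) {
    const res = handler({ user, params: { id: String(id) } });
    if (res.status === 200) leaked.push(id);
  }
  return leaked;
}

// In Express, with an auth middleware populating req.user, the fixed handler
// would be wired like this (not executed here):
//   app.get("/api/v1/notes/:id", (req, res) => {
//     const out = getNoteFixed(req);
//     res.status(out.status).json(out.body);
//   });

const mallory = { id: "mallory" };
console.log("vulnerable:", enumerateIds(getNoteVulnerable, mallory, 340, 350)); // [344, 345, 346]
console.log("fixed:     ", enumerateIds(getNoteFixed, mallory, 340, 350));      // []
```

The important line in the fix is the ownership comparison, not anything about the IDs themselves: switching to random UUIDs slows enumeration down but does not replace the check, because IDs leak through list endpoints, logs and shared links. Scoping the lookup to the caller (for example `WHERE id = ? AND owner_id = ?` in the database query) is the same idea pushed one layer down.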

In summary, OWASP perceives API security as a major area of concern. Snyk Code addresses API security with a unique approach and pushes the limits of the SAST industry. And there is more…

GraphQL security

REST APIs saw major development in the past few years. Led by Facebook, a query language and protocol called GraphQL was developed. The critique of traditional REST APIs is that gathering all data points for an object takes several calls (first the list function to obtain the instance ID, then possibly several calls to collect all aspects of the instance), whereas with GraphQL these calls can be combined into one request. This means less overhead, but it also means that a single request can ask the server for a great deal of work.

Snyk Code is the very first in the market to support GraphQL. The Snyk Code team researched possible security issues, added rules, and refined them using the human-guided process described above with open source repositories as training data. Again, Snyk Code took advantage of the knowledge of the global developer community to learn and improve. A large number of applications using GraphQL are written in JavaScript or TypeScript using express-graphql, koa-graphql, mercurius, Apollo Server and graphql-js. These are now covered by Snyk Code.

Let me give just two examples of issue types that Snyk Code is able to find within GraphQL. First, GraphQL libraries typically place no limit by default on how deeply a query may nest its selections. In reality, legitimate clients seldom need more than a handful of levels, but the missing limit means an attacker can send a query nested thousands of levels deep, causing the library to allocate massive amounts of memory and CPU to parse, validate and resolve it, leading to resource exhaustion or even a crash. The result is a denial of service. Snyk Code checks whether the libraries were configured to limit query depth (for example through a validation rule such as graphql-depth-limit) and therefore prevent these types of attacks.

[Image: Snyk Code flagging a GraphQL query depth (denial of service) issue]

Secondly, GraphQL allows the API user to query a GraphQL server for information about the underlying schema through the introspection feature. While this might be what is intended for a public-facing API, you might not want to disclose this kind of information for an internal API. Disabling introspection prevents attackers from learning the capabilities of the API simply by asking for them. It is not a hard boundary: someone who has already reached your internal perimeter can still reconstruct much of the schema from error messages and field-name suggestions, so treat it as defense in depth rather than a replacement for authorization. Still, it makes their lives harder and slows them down. In this case, Snyk Code warns you that introspection is enabled and forces a deliberate decision.

[Image: Snyk Code flagging enabled GraphQL introspection]

Note: OWASP published a GraphQL Cheat Sheet that lists the issues mentioned here and more.
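Both issues above, unbounded query depth and always-on introspection, come down to a check that runs before the server executes a query. The following is an added example, not code from the article, from Snyk, or from any GraphQL library: a small request guard that measures how deeply a query nests and rejects introspection queries when that feature is switched off. The depth measure works on the raw query text and is a deliberately simple stand-in for the AST-based validation rule a library would apply; the `maxDepth` and `introspection` policy values are assumptions for illustration, and the attacker's nested query is constructed inline.

```javascript
// Added example (not from the article, and not Snyk's or any GraphQL library's
// own code): a request-level guard that rejects over-deep queries and, when
// introspection is switched off, introspection queries.

// Strip string literals and # comments so braces inside them are not counted.
function stripLiterals(query) {
  let out = "";
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (query.startsWith('"""', i)) {           // block string
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
      out += " ";
    } else if (ch === '"') {                     // ordinary string, honouring \" escapes
      i++;
      while (i < query.length && query[i] !== '"') i += query[i] === "\\" ? 2 : 1;
      i++;
      out += " ";
    } else if (ch === "#") {                     // comment runs to end of line
      while (i < query.length && query[i] !== "\n") i++;
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

// Depth of the deepest field: `{ me { name } }` has depth 1, and each further
// nested selection set adds one. Fragment spreads are not followed, so this
// counts literal nesting only; a fragment-based attack needs the AST-based rule.
function queryDepth(query) {
  let depth = 0;
  let max = 0;
  for (const ch of stripLiterals(query)) {
    if (ch === "{") { depth++; if (depth > max) max = depth; }
    else if (ch === "}") depth--;
  }
  return Math.max(0, max - 1);
}

// Introspection queries ask for the meta fields __schema or __type.
// (__typename is harmless for this purpose and is deliberately not matched.)
function isIntrospectionQuery(query) {
  return /(^|[^\w])__(schema|type)(?![\w])/.test(stripLiterals(query));
}

// Guard to run before execution. Returns { ok: true } or { ok: false, reason }.
// The defaults are assumed policy values; a real deployment reads them from config.
function checkQuery(query, { maxDepth = 5, introspection = false } = {}) {
  const depth = queryDepth(query);
  if (depth > maxDepth) {
    return { ok: false, reason: `query depth ${depth} exceeds limit ${maxDepth}` };
  }
  if (!introspection && isIntrospectionQuery(query)) {
    return { ok: false, reason: "introspection is disabled" };
  }
  return { ok: true };
}

// Builds the attacker's query: { me { friends { friends { ... { name } } } } }
function buildNestedQuery(levels) {
  let inner = "{ name }";
  for (let i = 0; i < levels; i++) inner = `{ friends ${inner} }`;
  return `{ me ${inner} }`;
}

// Constructed introspection query, the kind a client or tooling sends to map the schema.
const INTROSPECTION = "{ __schema { types { name fields { name } } } }";

console.log(checkQuery(buildNestedQuery(3)));                     // { ok: true }
console.log(checkQuery(buildNestedQuery(10000)));                 // { ok: false, reason: 'query depth 10001 exceeds limit 5' }
console.log(checkQuery(INTROSPECTION));                           // { ok: false, reason: 'introspection is disabled' }
console.log(checkQuery(INTROSPECTION, { introspection: true }));  // { ok: true }
```

In a real deployment you would not hand-roll this: express-graphql and graphql-js accept a `validationRules` array, to which the `depthLimit(n)` rule from the graphql-depth-limit package can be added, and Apollo Server has an `introspection` option that should be set to `false` outside development. What the guard shows is the order of operations: the query is rejected on its shape before any resolver runs, which is the only point at which a deeply nested query is still cheap.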

These are just two (not too technical) examples. With GraphQL support, Snyk Code leads the industry into formerly uncharted territory. At Snyk, we saw the adoption of GraphQL and wanted to be the right partner, providing developer-friendly security embedded in the workflow right from the start. Snyk Code gave us a versatile and fast platform to lead the industry in supporting GraphQL.

Wrapping up

To recap, here is the list of announcements relating to Snyk Code:

  • Support for Salesforce’s Apex 
  • Support for Swift
  • Support for REST API security
  • Support for GraphQL security 

These are major additions to the Snyk Code engine. As we are working closely with our customers to build a solution that fits your needs, we would love to show what Snyk Code and the other elements of the Snyk platform can do for you. Take half an hour of your busy schedule and book a demo to experience the live product and get all your questions answered.


