Reputation: 14675
Running Snyk from their web page against a GitHub repo finds 7 High Severity issues in the pom.xml file.
I've configured Jenkins to run against the same project with the Snyk plug-in, but just get:
Snyk installation is UP-TO-DATE
Testing for known issues...
/var/lib/jenkins/tools/io.snyk.jenkins.tools.SnykInstallation/synk-tool/snyk-linux test --json --severity-threshold=low
Result: 0 known issues | No known vulnerabilities
Remember project for continuous monitoring...
/var/lib/jenkins/tools/io.snyk.jenkins.tools.SnykInstallation/synk-tool/snyk-linux monitor --json --severity-threshold=low
Archiving artifacts
Build step 'Invoke Snyk Security task' changed build result to SUCCESS
The Snyk plug-in uses the token from the snyk.io page and is configured in Jenkins with all default values.
Upvotes: 1
Views: 845
Reputation: 469
Another reason could have been the differences between CLI scans and SCM scans in Snyk, due to some variables that are not supported or private dependencies, for instance. Those would be discovered in CLI but not SCM if you haven't integrated with Artifactory (but in this case the number of vulns in CLI would have been higher than SCM, actually).
This is an article that explains it in detail: https://docs.snyk.io/snyk-cli/test-for-vulnerabilities/differences-in-vulnerability-counts-across-environments
Note that since this question, Snyk has dramatically improved the SCM accuracy for Maven, and there should hardly be a difference between SCM and CLI results.
Upvotes: 2
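Added example (not from the question, the answer, or Snyk itself): a small Python script that takes the JSON from a CLI run like the one in the Jenkins log (`snyk test --json`) and the issue list from the SCM side, counts issues per severity, lists the issue IDs that appear on only one side, and flags the case where the CLI resolved no dependencies at all, which is the first thing to check when the CLI reports "0 known issues" against a pom.xml the web scan flags. The field names (`ok`, `dependencyCount`, `vulnerabilities[].id/severity/packageName/version/from`) follow the Snyk CLI JSON output as I know it and are assumptions here; both result documents and the "0 dependencies" heuristic are constructed for the example.

```python
"""Explain a CLI-vs-SCM vulnerability count difference from two Snyk result documents.

Added example. Field names follow `snyk test --json` output as assumed here;
sample data below is constructed, not a real scan.
"""
import json
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed sample: a CLI run that reported nothing (like the Jenkins log above).
CLI_RESULT_JSON = """{
  "ok": true,
  "vulnerabilities": [],
  "dependencyCount": 0,
  "packageManager": "maven",
  "projectName": "demo-app",
  "summary": "No known vulnerabilities"
}"""

# Constructed sample: the same project as the SCM (web) scan reported it.
SCM_RESULT_JSON = """{
  "ok": false,
  "vulnerabilities": [
    {"id": "SNYK-EXAMPLE-0001", "severity": "high", "packageName": "org.example:lib-a", "version": "1.0.0",
     "from": ["demo-app@1.0", "org.example:lib-a@1.0.0"]},
    {"id": "SNYK-EXAMPLE-0002", "severity": "high", "packageName": "org.example:lib-b", "version": "2.3.1",
     "from": ["demo-app@1.0", "org.example:lib-c@0.9.0", "org.example:lib-b@2.3.1"]},
    {"id": "SNYK-EXAMPLE-0003", "severity": "medium", "packageName": "org.example:lib-c", "version": "0.9.0",
     "from": ["demo-app@1.0", "org.example:lib-c@0.9.0"]}
  ],
  "dependencyCount": 42,
  "packageManager": "maven",
  "projectName": "demo-app"
}"""


def load_result(raw):
    """Parse `snyk test --json` output. A multi-project run emits a JSON array;
    this comparison expects a single (Maven) project, so unwrap exactly one."""
    data = json.loads(raw)
    if isinstance(data, list):
        if len(data) != 1:
            raise ValueError("expected exactly one project result, got %d" % len(data))
        data = data[0]
    return data


def issue_keys(result):
    """One key per (issue id, affected package, version): the same issue reached
    through several dependency paths is counted once, as the web UI does."""
    return {(v["id"], v["packageName"], v["version"])
            for v in result.get("vulnerabilities", [])}


def severity_counts(result):
    """Issue count per severity, always including all four severity buckets."""
    counts = Counter(v["severity"] for v in result.get("vulnerabilities", []))
    return {s: counts.get(s, 0) for s in SEVERITIES}


def compare(cli_raw, scm_raw):
    """Return per-severity counts for both sides, the one-sided issues, and warnings."""
    cli, scm = load_result(cli_raw), load_result(scm_raw)
    cli_keys, scm_keys = issue_keys(cli), issue_keys(scm)
    report = {
        "cli": severity_counts(cli),
        "scm": severity_counts(scm),
        "only_in_cli": sorted(cli_keys - scm_keys),
        "only_in_scm": sorted(scm_keys - cli_keys),
        "warnings": [],
    }
    # Heuristic (assumption, not a documented Snyk rule): a CLI run that resolved zero
    # dependencies never built the Maven dependency graph, so its "0 known issues"
    # is an empty scan rather than a clean one.
    if cli.get("dependencyCount", 0) == 0 and scm.get("dependencyCount", 0) > 0:
        report["warnings"].append(
            "CLI resolved 0 dependencies; check that Maven ran in the job and the pom.xml was found")
    return report


def main():
    report = compare(CLI_RESULT_JSON, SCM_RESULT_JSON)
    print(json.dumps(report, indent=2))
    # Non-zero exit when the two views disagree, so a CI step can fail on the mismatch.
    raise SystemExit(1 if report["only_in_cli"] or report["only_in_scm"] else 0)


if __name__ == "__main__":
    main()
```

In a Jenkins job you would feed it the archived `snyk test --json` output from the step shown in the log; the deduplication by (id, package, version) matters because the CLI lists one entry per dependency path, which is one of the count differences the linked Snyk article describes.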