Understand your vulnerabilities
Last updated
Recap: You have viewed and understood scanned Projects; now you can look at the details of vulnerabilities in that Project.
First, open a target to see your Snyk Projects:
Next, select a Project in that list, to see details of the vulnerabilities found in that Project.
For example, for a Code analysis project scanned by Snyk Code:
See View project information for more details.
Now, look at the vulnerability information for each Snyk Project, provided in Issue Cards:
Again, there is a lot of information here, so take the time to understand how it relates to your vulnerability; this helps you decide which fix actions to take.
For details, see Issue card information.
Snyk provides detailed resources for more information about vulnerabilities, accessible directly from the card:
Snyk Vulnerability Database: access details on a specific vulnerability.
Snyk Learn: access general information about that type of vulnerability.
For Open Source and Container vulnerabilities, click on the Snyk vulnerability Identifier (on the right of the Severity Level) to access detailed Snyk Vulnerability Database information for that vulnerability, as defined by Snyk. For example:
For this example, click on the Snyk vulnerability Identifier to see how Hibernate core and its libraries are vulnerable to SQL injection:
Click Learn about this type of vulnerability to access Snyk Learn security educational materials:
For example, see Snyk Learn SQL injection for more details about this type of vulnerability.
Some cards may not have Snyk Learn lessons available; if so, no links are presented.
The Snyk Priority Score, ranging from 0 to 1,000, is our evaluation of the seriousness of the vulnerability. The Snyk Priority Score includes CVSS (Common Vulnerability Scoring System) information, plus other factors such as attack complexity and known exploits. For example, this Hibernate vulnerability has no known exploit that attackers could use to take advantage of it.
Other factors also affect the score. For example, SQL injection is easy to attempt (a web browser and a submitted form are enough), which raises the score, but it takes more work to understand and exploit the results of that attack, which lowers the score.
For open-source library scans by Snyk Open Source, you can also access fix and dependency information in the Fixes and Dependencies tabs of your Project results.
Snyk's knowledge of the transitive dependencies in your project makes it possible for Snyk to offer fix advice, in the Fixes tab:
See Fix your first vulnerability for more details.
Snyk uses the package manager of your application to build the dependency tree and display it in the Dependencies tab of the Project view:
Click the file tree icon to build the dependency tree, showing which components introduce a vulnerability. This helps you understand how the dependency was introduced to the application:
For example, the above screenshot shows a vulnerability based on the transitive dependency qs@2.2.4, brought in from the direct dependency body-parser@1.9.0.
Now that you understand your vulnerability information, you can decide how to fix it.
Continue with Fix your first vulnerability.
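The dependency-path lookup that the Dependencies tab visualizes, written here as an added example that is not Snyk's code: it walks a constructed tree shaped like `npm ls --json` output and reports each direct dependency through which a named package is introduced, using the page's body-parser@1.9.0 to qs@2.2.4 path. The packages demo-http-client and demo-utils are made up for the example, and whether a given version is actually vulnerable comes from the advisory and is not modeled.

```javascript
// Added example (not Snyk's code): walk an npm dependency tree and report
// every path by which a named package is introduced, grouped by the direct
// dependency whose upgrade or replacement would remove it.

// Constructed input, shaped like `npm ls --json` output. The
// body-parser@1.9.0 -> qs@2.2.4 path mirrors the page's example;
// demo-http-client and demo-utils are made-up packages.
const tree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "body-parser": {
      version: "1.9.0",
      dependencies: { qs: { version: "2.2.4" } },
    },
    "demo-http-client": {
      version: "0.1.0",
      dependencies: { qs: { version: "2.2.4" } },
    },
    "demo-utils": { version: "1.0.0" },
  },
};

// Depth-first walk. Returns every path, as an array of "name@version"
// strings from a direct dependency down to the named package. A direct
// dependency that is itself the named package yields a one-element path.
function findDependencyPaths(node, pkgName, path = []) {
  const found = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    if (name === pkgName) found.push(here);
    found.push(...findDependencyPaths(child, pkgName, here));
  }
  return found;
}

// Group paths by their first element, the direct dependency that introduces
// the package; these keys are what a fix (upgrade, replace, remove) targets.
function directDependenciesIntroducing(root, pkgName) {
  const byDirect = {};
  for (const p of findDependencyPaths(root, pkgName)) {
    if (!byDirect[p[0]]) byDirect[p[0]] = [];
    byDirect[p[0]].push(p.join(" > "));
  }
  return byDirect;
}

console.log(JSON.stringify(directDependenciesIntroducing(tree, "qs"), null, 2));
```

For the constructed tree, the output lists two direct dependencies, body-parser@1.9.0 and demo-http-client@0.1.0, each with its single path to qs@2.2.4.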