OS condition

Some vulnerabilities have specific constraints that must be met for the problem to be exploitable. One such constraint is the operating system. Some vulnerabilities are exploitable only when the affected package is executing on a specific operating system, for example, Windows. Snyk is able to compare the vulnerability condition specified in the package with the operating system used by the runtime environment executing the package.

Vulnerability OS conditions and risk factors

If the vulnerability condition matches the operating system used by the runtime environment or if there is no condition, meaning that the vulnerability applies to all operating systems, the OS Condition risk factor is generated.

When an image is scanned by Snyk Container, the information about which operating system the base of the image is running on is exposed. Therefore, whenever Insights is able to determine that a package is a dependency of the image or that the package has been included in the image, it compares the vulnerability information with the image specification. The same applies to problems identified directly in the image entity.

Technical details for Insights OS condition risk factor

Every hour, the data pipeline takes a snapshot of all Snyk Projects and data sources and extrapolates packages and images. This snapshot is used to determine which images and packages are known to Snyk for any given customer.

Snyk Project tags are used to enable the customer to relate image assets to packages. This information is extracted from the hourly data snapshot, and a basic composition graph is generated between images and packages.

The data pipeline looks at all the issues reported for the package and image and attempts to map the vulnerability condition between the entities.