Vulnerability fix types
A fixed vulnerability does not appear in scan results, as it is no longer considered a vulnerability.
Other vulnerability information can include the following:
This shows the version of the package that no longer has the vulnerability.
Compare the fixed in vulnerability card above to one where no fix is available.
%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(2).png?alt=media)
A fixable vulnerability means there is a route within the project that would bring in the secure version rather than the vulnerable version.
This means that a vulnerability can be both fixable and have a fixed in option.
The easiest way to tell if a vulnerability is fixable in the Snyk app is to look for the "fix this vulnerability" button on the vulnerability card.
F"ix this vulnerability" button
The difference here is whether it's looking at direct or transitive dependencies. For direct dependencies, this would mean that fixable is true if a fixed (or secure) version of the package exists anywhere in the system. However, this is not the case for transitive dependencies as they require a direct dependency that can be updated to the fixed (or secure) version of the transitive dependency.
The above is an example of a transitive dependency. The detailed paths section (blue outline in image above) shows that no fix path is available; however, it does show that the vulnerability is fixed in the more recent version unlike the no fix available status seen above. This means that Snyk doesn't have the ability to reach to the level that the vulnerability actually exists in this specific project.
To fix a transitive dependency such as this, click on the Vulnerability DB link:
Snyk Vulnerability DB link
Vulnerability Database remediation advice