Application vulnerability in Snyk Container and Snyk Open Source

Snyk Container can detect application vulnerabilities in your container image, which appears to overlap with Snyk Open Source. In theory, the results from the Snyk Container application vulnerability feature and from Snyk Open Source should be the same, especially when Snyk builds the dependency graph from the same manifest files. In practice, however, the results vary significantly from ecosystem to ecosystem and with how the developer builds the application. The application in the container is a built artifact, so in some ecosystems Snyk Open Source has access to a more detailed manifest and can build a more accurate dependency graph.
  • golang projects in Snyk Container: Snyk does not have access to the list of dependencies that Snyk Open Source reads from the manifest, so Snyk Container reverse parses the compiled binaries, and the result differs slightly from Snyk Open Source.
  • npm packages in Snyk Container: Snyk has access to the list of dependencies, so the result should be the same as in Snyk Open Source.
  • Java applications in Snyk Container: the result will differ because, in Snyk Open Source, it is possible to include unmanaged jars as explained in Scan all unmanaged jar files, whereas in Snyk Container the scan traverses all the jars Snyk finds in the image, as described in Detecting application vulnerabilities in container images. Additionally, there are multiple ways to build a jar, and this affects how Snyk Container finds the dependencies.
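To illustrate why the golang results differ slightly: a container scanner only has the compiled binary, not the go.mod that Snyk Open Source reads. The following is an added example, not Snyk's code, that recovers the module list Go embeds in every module-mode binary (standard debug/buildinfo package, Go 1.18 or newer assumed) and reports what a manifest-derived list and a binary-derived list see that the other does not; the manifest list is assumed to come from go.mod or go list -m and is constructed in the test.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
)

// BinaryModules recovers the module list ("path@version") from a compiled Go
// binary (ELF, PE or Mach-O) with no go.mod at hand; the data survives strip and
// -ldflags="-s -w". A replaced module is reported as its replacement, since that
// is what was actually linked, whereas go.mod lists the original requirement.
func BinaryModules(path string) ([]string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, err
	}
	mods := []string{info.Main.Path + "@" + info.Main.Version}
	for _, d := range info.Deps {
		if d.Replace != nil {
			d = d.Replace
		}
		mods = append(mods, d.Path+"@"+d.Version)
	}
	return mods, nil
}

// OnlyIn returns the entries of a that are absent from b, in a's order. Run it
// both ways: test-only or unused go.mod requirements appear only in the manifest,
// resolved replace targets and "(devel)" versions appear only in the binary.
func OnlyIn(a, b []string) (out []string) {
	seen := map[string]bool{}
	for _, m := range b {
		seen[m] = true
	}
	for _, m := range a {
		if !seen[m] {
			out = append(out, m)
		}
	}
	return out
}

func main() { // stand-alone: go run . /path/to/binary
	mods, err := BinaryModules(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(mods)
}
```

Comparing the output with go list -m all from the source tree shows the kind of gap between the two Snyk products for Go: a requirement that only tests use is visible to the manifest scan alone, while a replace directive is visible to the binary scan under its replacement path.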
© 2022 Snyk Limited