Application vulnerability in Snyk Container and Snyk Open Source

Snyk Container detects application vulnerabilities in your container and overlaps Snyk Open Source capabilities. The results from the Snyk Container application vulnerability feature and Snyk Open Source are generally the same, especially if Snyk is building a dependency graph from the same manifest files. However, depending on the ecosystem and how the developer builds the application, results can vary significantly. An application in a container is a compiled application. So, in some ecosystems, Snyk Open Source can scan a more detailed manifest and thus build a more accurate dependency graph:

• golang Projects for Snyk Containers: Snyk does not have access to the list of dependencies as in Snyk Open Source. Therefore, Snyk Container reverse parses binaries, and the result differs slightly from Snyk Open Source.

• npm packages as Snyk Containers: Snyk can have access to the list of dependencies. The result is generally the same as in Snyk Open Source. Snyk container app-vuln scanning does not currently support npm-workspaces, v3 Lockfiles, or dev dependencies.

• java applications for Snyk Containers: In Open Source, it is possible to include unmanaged jars; see Scan all unmanaged jar files. Thus the result is different from Snyk Container. With Snyk Container, the scan traverses all the jars Snyk finds in the image; see Detecting application vulnerabilities in container images. In addition, there are multiple ways to build a jar, and this affects how Snyk Container finds the dependencies.