# Vulnerability fix types

After you have imported one or more Projects into Snyk through an integration or by scanning with the CLI, Snyk lists vulnerabilities found. To see the list, navigate to Projects, select the Target containing the Project where you want to see the vulnerabilities and select the Project to open the list of issues.

{% hint style="info" %}
The list of issues does not show any vulnerabilities that have been fixed. These are no longer considered vulnerabilities.
{% endhint %}

The sidebar on the list of issues has groups of filters. The ones referring to vulnerabilities are:

* The **Computed Fixability** filters allow you to see the vulnerabilities based on their remediation paths.
* The "**Fixed in" Available** filters allow you to see if the found vulnerabilities have a version in which they were fixed.

## Computed Fixability filters

The Computed Fixability filters include the following values:

* **Fixable:** There is a fix for all identified issues, meaning all detailed paths have remediation and the issues can be fixed by Snyk. The **Fix this vulnerability** button is available for supported ecosystems and imports.
* **Partially fixable:** The issue has upgradable paths; Snyk has found ways of upgrading the current Project. If the ecosystem is JavaScript or TypeScript using the npm or Yarn package manager, and one but not all detailed paths have remediation, then the issue is Partially fixable, and the **Partially fix this vulnerability** option is available.
* **No supported fix**: The issue has no upgradable paths, or Snyk does not support Fix PRs for this Project type.

{% hint style="info" %}
For Projects imported using the CLI, or ecosystems for which Snyk Fix PRs are not supported, issues will

Snyk displays issues with **No Supported Fix** for Projects imported using the CLI or ecosystems that do not support Snyk fix PRs.

If a fix is available, you can manually update the dependencies. Depending on the package manager and dependency path, you can pin or override the dependency.
{% endhint %}

### Fixable

The **Fix this vulnerability** button is available for Snyk Open Source and Snyk Container Projects imported through SCM workflows for a JavaScript, Java, Ruby, Python, or .NET ecosystem.

{% hint style="info" %}
The **Fix this vulnerability** option is not available in CLI `monitor` workflows or for Docker Projects.
{% endhint %}

For any fixable issue in a Project where **Fix this vulnerability** is available, Snyk can open a pull request against the repository to update to a secure version of the dependency.

The **Fix this vulnerability** button on the issue card shows whether Snyk can open a pull request against your Project. Examine the issue cards to see the specifics of fixability for an issue.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-e93c04eaf3f02867c311a85ff2f24b984ba21cca%2FFixable.png?alt=media" alt=""><figcaption><p>Example of a fixable vulnerability</p></figcaption></figure>

### Partially fixable

You can partially fix a vulnerability if you are using a JavaScript or TypeScript ecosystem and npm or Yarn as a package manager.

You can view the **Partially fixed** vulnerabilities for an issue in the Detailed paths area of an issue card.

{% hint style="info" %}
The option to partially fix vulnerabilities is available only for JavaScript and TypeScript.
{% endhint %}

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-d91e50a3452a56caccc92a849e4d0c22b0359221%2Fpartially%20fixable.png?alt=media" alt=""><figcaption><p>Example of a partially fixable vulnerability</p></figcaption></figure>

### No supported fix

If there is **No supported fix** for the vulnerabilities or license issues, then the issue cards do not show any Fix options. An upgrade path where the only changes are in transitive dependencies is considered fixable only if the package manager supports it.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-f01541e2b140c1d40647c18426fbe4f26e6e4448%2Fno%20supported%20fix.png?alt=media" alt=""><figcaption><p>Example of a vulnerability with no supported fix</p></figcaption></figure>

## "**Fixed in" Available filters**

In the **"Fixed in" Available** filters, you can use the following values:

* **Yes**: The current version contains the vulnerability, but a new version that includes the fix is available, and you can remove the vulnerability by updating to the indicated version.
* **No**: There is no fix available for the detected vulnerability, in any of the versions.

You can view the **Fixed in** information for vulnerabilities on the issue card. This indicates the version of the package that no longer has the vulnerability.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-6ebb40aa2b02bdeb05d0afbbe40e4b4ff63ad174%2FFixed%20in%20-%20Yes.png?alt=media" alt=""><figcaption><p>Fixed in information on an issue card</p></figcaption></figure>

### Why is `Fixed in` showing when the issue is not fixable?

A direct dependency is fixable if a fixed, that is, secure, version of the package exists anywhere in the system. However, to be fixable, transitive dependencies must have a direct dependency that can be updated to the fixed version of the transitive dependency. An example follows of a transitive dependency.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-b834b7f9af54f9aa2d2b9a53a57af3fec4a78963%2Fproject_details_transitive_dependency_no_fix.png?alt=media" alt=""><figcaption><p>Example of a transitive dependency</p></figcaption></figure>

Under **Detailed paths,** a mention is displayed that no remediation path is available. However, the issue card shows that the vulnerability is **Fixed in** the more recent version. Snyk does not have the ability to reach the level where the vulnerability exists in this specific Project, but the vulnerability does not match the definition of No supported fix.

### Fixing transitive dependencies

{% hint style="info" %}
You cannot automatically fix transitive dependencies or open a Fix PR (see [Fix your vulnerabilities: Apply fixes](https://docs.snyk.io/scan-with-snyk/snyk-open-source/fix-your-vulnerabilities#apply-fixes)) due to their relationships with other components. To avoid breaking changes, Snyk provides only recommendations for transitive dependencies.
{% endhint %}

To fix a transitive dependency like the one in this example, follow the link to the [Snyk Vulnerability Database](https://docs.snyk.io/scan-with-snyk/snyk-open-source/manage-vulnerabilities/snyk-vulnerability-database):

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-57ed92b6686455a52bc4d0a3d5cc3a4d83e1ef0e%2Fproject_details_linkto_snyk_vuln_database.png?alt=media" alt="Link to Snyk Vulnerability Database for a transitive dependency"><figcaption><p>LInk to Snyk Vulnerability Database for a transitive dependency</p></figcaption></figure>

From the Snyk Vulnerability Database, you can see remediation advice for more fix information:

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-cf554741f2ca22ac4c5a44d70f38eafbef1dbe29%2Fsnyk_vuln_database_how_to_fix.png?alt=media" alt=""><figcaption><p>Snyk Vulnerability Database remediation advice</p></figcaption></figure>

### Fixing transitive dependencies through direct dependencies

If Snyk recommends using a direct dependency with the same version as the one used to fix an affected transitive dependency, you can update to a newer version of the transitive dependency by reinstalling the direct dependency.

Consider a Project that relies on `react-scripts@5.0.1`, a direct dependency that has a vulnerable component, a transitive dependency called`loader-utils@2.0.2`. Snyk recommends updating `react-scripts` to the version `5.0.1` to fix the vulnerable component. After the update, the vulnerable package `loader-utils` is still at the version `2.0.2`. This indicates that another package in the Project is preventing the upgrade to a higher version. Reinstalling the `react-scripts@5.0.1` direct dependency addresses this issue, as you can later upgrade the vulnerable component.