Exploring the Data flow page

The Data flow page is designed to show you the exact location of the discovered issue in your source code, and how it flows throughout your application. This page displays the taint flow of the issue in the code, with a step-by-step visualization from the Source to the Sink, presenting the code lines of all the steps in the flow.

Note:

  • Source - the input point of the potential problem. This is a point in the application where a user or an external device can enter data that can potentially violate the application's security. For example, in an SQL Injection issue, the Source will be a form or any other data input area that is filled in by a user.

  • Sink - the operation in the code, where the problem is executed by the application. This point needs to receive clean input, or otherwise it can be exploited. For example, in an SQL Injection issue, the Sink will be the internal operation that instructs the DB to perform certain actions according to the received input.

For example, in the following Path Traversal issue, the developer has not sanitized the input. This allows an attacker to perform a path traversal attack in order to access any file on the file system, including sensitive data such as password files:
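The Source and Sink definitions above and this Path Traversal example describe the same pattern: an untrusted value enters at the Source and reaches a file-opening Sink without being checked on the way. The following added example (not code from the Snyk documentation or from any project the page describes) shows that taint flow in Python, with the unsanitized version beside a hardened one that validates the resolved path before it reaches the sink. The directory layout, file names and contents are constructed for this example.

```python
import os
import tempfile
from pathlib import Path

# Constructed fixture: a document root with one public file, plus a file that
# lives OUTSIDE the root to stand in for sensitive data an attacker should not reach.
_OUTER = Path(tempfile.mkdtemp(prefix="dataflow_demo_"))
BASE_DIR = _OUTER / "docs"
BASE_DIR.mkdir()
(BASE_DIR / "readme.txt").write_text("public document\n")
SECRET_FILE = _OUTER / "secret_outside.txt"
SECRET_FILE.write_text("sensitive data\n")


def read_document_unsafe(user_path: str) -> str:
    """Source: user_path is taken straight from the request (untrusted).
    Sink: open() runs on a path built from that input with no check, so a value
    such as '../secret_outside.txt' escapes BASE_DIR. This is the taint flow a
    Path Traversal finding on the Data flow page walks you through."""
    target = os.path.join(BASE_DIR, user_path)  # tainted value propagates unchanged
    with open(target, "r", encoding="utf-8") as fh:  # sink
        return fh.read()


def read_document_safe(user_path: str) -> str:
    """Same Source and Sink, but the tainted value is validated before the sink:
    resolve the full path and require that it still lies inside BASE_DIR.
    Resolving handles '..' segments, absolute inputs and symlinked roots alike."""
    root = BASE_DIR.resolve()
    target = (root / user_path).resolve()
    # Path.is_relative_to exists on Python 3.9+; older interpreters use commonpath.
    try:
        inside = target.is_relative_to(root)
    except AttributeError:
        inside = os.path.commonpath([str(root), str(target)]) == str(root)
    if not inside:
        raise PermissionError(f"path escapes document root: {user_path!r}")
    with open(target, "r", encoding="utf-8") as fh:  # sink, now only reachable by clean input
        return fh.read()


def demo() -> dict:
    """Run both versions on a benign name and on a traversal string; the results
    show the unsafe sink leaking the outside file and the safe one refusing it."""
    traversal = os.path.join("..", SECRET_FILE.name)
    results = {
        "unsafe_benign": read_document_unsafe("readme.txt"),
        "unsafe_traversal": read_document_unsafe(traversal),
        "safe_benign": read_document_safe("readme.txt"),
    }
    try:
        read_document_safe(traversal)
        results["safe_traversal"] = "allowed"
    except PermissionError:
        results["safe_traversal"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.strip()}")
```

The fix keeps the Source and the Sink exactly where they were; what changes is that the tainted value is normalized and checked on the step between them, which is the step a reviewer would look for when following the flow from the left pane.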

Note: Every issue that is discovered by Snyk Code has a data flow. If an issue has only one step, like in the case of hardcoded secrets, the Source of the issue will be displayed in the Data flow page.

The Data flow page enables you to perform the following:

Viewing the taint flow of an issue in your code

The Data flow page enables you to view the taint flow of an issue in your code from Source to Sink, including the exact code lines where the taint flow occurs.

To view the exact code lines of the taint flow, select the required step from the left pane. The corresponding code snippet appears in the right pane.

Opening the tainted source code in the integrated SCM

To open the displayed source code in the SCM, click the file name above the right pane.

The source code appears in the integrated SCM, showing you exactly where to fix the vulnerability. Here, you can make the required fix to address the vulnerability in your code.
