Vulnerability fix types

A fixed vulnerability does not appear in scan results, as it is no longer considered a vulnerability.

Other vulnerability information can include the following:

Fixed in version

This shows the version of the package that no longer has the vulnerability.

Vulnerability card information

Compare the fixed vulnerability card above to one where no fix is available.

License card information

Fixable

A fixable vulnerability means there is a route within the Project that would bring in the secure version rather than the vulnerable version.

This means that a vulnerability can be both fixable and have a Fixed in version.

The easiest way to tell if a vulnerability is fixable in the Snyk app is to look for the "fix this vulnerability" button on the vulnerability card.

Fix this vulnerability button

Fixed in is shown but the issue is not fixable

The difference comes down to whether the vulnerable package is a direct or a transitive dependency. For a direct dependency, fixable is true whenever a fixed (or secure) version of the package exists. For a transitive dependency, however, the existence of a fixed version is not enough: there must also be a direct dependency that can be updated to a version that pulls in the fixed (or secure) version of the transitive dependency.

Vulnerability card details

The above is an example of a transitive dependency. The detailed paths section (blue outline in the image above) shows that no fix path is available; however, it also shows that the vulnerability is fixed in a more recent version, unlike the "no fix available" status seen earlier. This means that no upgrade of a direct dependency in this specific Project reaches the level at which the vulnerable package is introduced, so Snyk cannot offer a fix path.
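The direct versus transitive distinction above, as an added illustration (this is not Snyk's own code; the registry, package names and version numbers are constructed): "Fixed in" only asks whether a secure release of the vulnerable package exists, while "Fixable" asks whether the Project can reach it by upgrading a direct dependency.

```python
from dataclasses import dataclass, field

@dataclass
class Release:
    version: tuple                                  # e.g. (2, 1, 0)
    requires: dict = field(default_factory=dict)    # transitive pins: name -> version

# Constructed registry (assumption, not real package data): name -> published releases
REGISTRY = {
    "parser":     [Release((2, 0, 0)), Release((2, 1, 0))],
    "webapp-lib": [Release((1, 0, 0), {"parser": (2, 0, 0)}),
                   Release((1, 1, 0), {"parser": (2, 0, 0)})],   # never pins a secure parser
    "report-lib": [Release((3, 0, 0), {"parser": (2, 0, 0)}),
                   Release((3, 2, 0), {"parser": (2, 1, 0)})],   # 3.2.0 pulls in the fix
}

def fixed_in(package, patched):
    """'Fixed in version': the lowest published release at or above the patched version."""
    return min((r.version for r in REGISTRY[package] if r.version >= patched), default=None)

def fixable(direct_deps, package, patched):
    """'Fixable': can the Project reach a secure version by updating direct dependencies?"""
    if package in direct_deps:                      # direct: any secure release is reachable
        return fixed_in(package, patched) is not None
    # transitive: find every direct dependency whose pinned release introduces the package
    introducers = [d for d, v in direct_deps.items()
                   if any(r.version == v and package in r.requires for r in REGISTRY[d])]
    if not introducers:
        return False
    # each introducing direct dependency needs some release that pins a secure version
    return all(any(r.requires.get(package, (0,)) >= patched for r in REGISTRY[d])
               for d in introducers)

def triage(direct_deps, package, patched):
    """What a vulnerability card would show for this Project."""
    return {"fixed_in": fixed_in(package, patched),
            "fixable": fixable(direct_deps, package, patched)}
```

With `{"webapp-lib": (1, 0, 0)}` as the only direct dependency, `triage` reports a Fixed in version of 2.1.0 but fixable False, which is exactly the card state described in this section.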

Fixing transitive dependencies

You cannot automatically fix transitive dependencies, or open a Fix PR (see Fix your vulnerabilities) due to their relationships with other components. To avoid breaking changes, Snyk only provides recommendations for this scenario.

To fix a transitive dependency such as this, click on the Vulnerability DB link:

Snyk Vulnerability DB link

From the Snyk Vulnerability Database, you can then see fix advice for more information:

Vulnerability Database remediation advice
