Breakdown of Code analysis

When you import repositories, Snyk Code automatically tests for vulnerabilities within the imported code. The vulnerabilities detected across all files in a single repository are compiled into a Snyk Project, labeled as Code Analysis. Code Analysis presents the test outcome for a specific repository, listing all discovered vulnerabilities in the repository's source code.

Code analysis components

This table summarises the elements of a Code analysis Project.

Data flow

Data flow shows the location of the discovered issue in your source code and how it flows throughout your application. It shows the taint flow of the issue in the code, with a step-by-step visualization from the source to the sink, presenting the code lines of all the steps in the flow.

The source is the input point of the potential problem. This is a point in the application where a user or an external device can enter data, which will potentially violate the security of the application. For example, in an SQL Injection issue, the source will be a form or any other data input area filled by a user.

The sink is the operation in the code where the application acts on the tainted data. This point must receive clean input, or it can be exploited. For example, in an SQL Injection issue, the sink will be the internal operation that instructs the DB to perform certain actions according to the received input.

Every issue discovered by Snyk Code has a data flow. If an issue has only one step, for example, in the case of hardcoded secrets, the source of the issue will be displayed on the Data flow page.

View Data flow

  1. Log in to the Snyk Web UI and select your Group and Organization.

  2. Navigate to Projects and select the Target folder containing your repository's Projects.

  3. Open the Code analysis Project.

  4. Select a vulnerability issue and navigate to Full details > Data flow.

  5. As part of the Data flow analysis, you can take the following actions:

Data flow analysis example

In the following Path Traversal issue, the developer has not sanitized the input. This allows an attacker to perform a path traversal attack to access any file in the file system, including sensitive data such as password files.

To open the displayed source code on the Git repository, select the file name above the right panel. In this example, the file name is routes/profileImageUrlUpload.ts.

The source code appears in the integrated Git repository, showing you exactly where to fix the vulnerability. You can make the required fix to address the vulnerability in your code.

Fix analysis

Fix analysis helps you fix the vulnerability issue discovered in your code. It provides details about the vulnerability type discovered, any available best practices for preventing this issue, and code examples of fixes from the global open-source community.

To explore in-depth details about the specific vulnerability identified, you can open the CWE link to understand more about the vulnerability type. See CWE-22 and CWE-601 examples.

Some vulnerabilities contain links to interactive lessons on understanding, fixing, and preventing the vulnerability. See Snyk Learn.
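As an added example of the kind of fix the CWE-601 (Open Redirect) entries point at, the check below constrains a client-supplied redirect target to the application's own origin. It is not Snyk's code or a fix taken from the community examples on the page; the origin `https://app.example.test`, the `returnTo` parameter name and the function name are assumptions for the illustration.

```javascript
// Added example (not from Snyk or any project the page references):
// the target check a CWE-601 Open Redirect fix typically introduces.
// APP_ORIGIN and the parameter name are assumptions for the illustration.
const APP_ORIGIN = "https://app.example.test";

// SOURCE: a "returnTo" value supplied by the client, e.g. after login.
// SINK: the Location header of the redirect response.
// Only same-origin destinations pass; anything else gets a fixed fallback.
function safeRedirectTarget(returnTo, fallback = "/") {
  if (typeof returnTo !== "string" || returnTo.length === 0) return fallback;
  let target;
  try {
    // Resolve relative to our own origin: "/account" stays local, while
    // "//other.example" or "https://other.example" resolve elsewhere.
    target = new URL(returnTo, APP_ORIGIN);
  } catch {
    return fallback; // unparsable input is treated as untrusted
  }
  if (target.origin !== APP_ORIGIN) return fallback;
  // Hand back a path-only string so the response never carries an
  // absolute URL assembled from user input.
  return target.pathname + target.search + target.hash;
}
```

Parsing with the WHATWG `URL` class against a fixed base is what makes protocol-relative (`//host`) and scheme-prefixed values fall out as a different origin; a plain `startsWith("/")` test would let the protocol-relative form through.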

View Fix analysis

  1. Log in to the Snyk Web UI and select your Group and Organization.

  2. Navigate to Projects and select the Target folder containing your repository's Projects.

  3. Open the Code analysis Project.

  4. Select a vulnerability issue and navigate to Full details > Fix analysis.

  5. As part of the Fix analysis, you can take the following actions:

  • View the discovered issue and ways to prevent it.

  • Examine fix examples from the global open-source community by reviewing and browsing through code samples.

  • View the code diff of the fix example that appears in the integrated Git repository, showing you how this vulnerability was fixed. See Open Fix analysis external link in the integrated Git repository.

  • Ignore the open vulnerability issue using the Ignore button. See Ignore issues.

The Fix analysis page enables you to do the following:

To open the code fix for the vulnerability on the Git repository, select the Git repository name above the right panel. This shows you the differences in the Git repository code that address the issue. In this example, the Git repository name is NodeBB.

The fix appears in the Git repository, showing you exactly where to fix the vulnerability. You can make the required fix to address the vulnerability.

Severity score factors

Snyk Code reports issues by severity levels: High, Medium, and Low. Snyk Code currently does not use the Critical severity level. The severity score is based on the following factors:

  • Qualities intrinsic to a vulnerability

  • Evolution of the vulnerability over its lifetime

Exceptions

If a vulnerability is detected in code, a file name, or a folder containing the word test, it is deemed a low-severity vulnerability. This applies to all languages. The severity of CWEs may change depending on the environment.

Priority score factors

Use the Priority Score to filter and prioritize discovered issues based on their importance, risk, frequency, and availability of a Fix analysis.

Each issue's Priority Score is a value between 0 and 1,000 and is recalculated automatically when one of its factors changes. For example, if the Severity Level of an issue increases or decreases, the Priority Score of the issue changes accordingly.

You can filter issues in the Code analysis Project by Priority Score using the PRIORITY SCORE slider to set the range of the scores you want to display (see View issues by Priority Score).

Quantitative factors

  • Severity scores from other SAST products where information is publicly available

  • Severity scores from identifying similar vulnerabilities in the Snyk Vulnerability database

Qualitative factors

  • The severity of the source (direct versus indirect)

  • Prevalence and impact of the sink

  • Security team experience and research

  • Customer feedback

Example: CWE-22: Path Traversal

For CWE-22 Path Traversal, if the vulnerability occurs in a test, it is Low severity. If not, and it comes from a direct source, it is High severity. Otherwise, it is Low severity.

Example: CWE-601: Open Redirect

For CWE-601 Open Redirect, if the vulnerability occurs in a test, it is Low severity. If not, and it comes from a direct source, it is Medium severity.
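To make the two rules above concrete, here is an added encoding of exactly what this page states, together with the "test" exception from the Severity score factors section. It is an illustration, not Snyk's scoring engine; the finding record shape (`cwe`, `filePath`, `directSource`) is an assumption, and where the page states no rule (an indirect-source CWE-601 issue, or any other CWE) the function returns `null` rather than guessing.

```javascript
// Added example, not Snyk's engine: an encoding of the severity rules the
// page documents for CWE-22 and CWE-601 plus the "test" location exception.
// The finding shape { cwe, filePath, directSource } is assumed here.

// Exception from the page: a file name or folder containing the word "test"
// makes the issue Low. Checked per path segment, case-insensitively, so
// both "tests/" and "UserTest.ts" match while "contest" in content does not
// need to be handled here (the page also names code, which this helper
// cannot see; only the path is modelled).
function isTestLocation(filePath) {
  return String(filePath)
    .split(/[\\/]+/)
    .some((segment) => /test/i.test(segment));
}

// Returns "Low" | "Medium" | "High" per the documented rules, or null
// where the page gives no rule.
function documentedSeverity(finding) {
  const { cwe, filePath, directSource } = finding;
  if (isTestLocation(filePath)) return "Low";
  switch (cwe) {
    case "CWE-22":  // Path Traversal: direct source High, otherwise Low
      return directSource ? "High" : "Low";
    case "CWE-601": // Open Redirect: direct source Medium; indirect not stated
      return directSource ? "Medium" : null;
    default:
      return null;
  }
}

// Group a list of findings by the severity the rules assign, so the effect
// of a file move (e.g. out of a tests/ folder) can be seen at a glance.
function groupBySeverity(findings) {
  const groups = { High: [], Medium: [], Low: [], Unspecified: [] };
  for (const f of findings) {
    const sev = documentedSeverity(f);
    groups[sev ?? "Unspecified"].push(f);
  }
  return groups;
}
```

The useful observation from running this over a sample set is that the same CWE-22 finding flips between High and Low purely on whether its path contains a "test" segment, which is why the page calls the exception out separately from the quantitative and qualitative factors.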

What's next?

Fix code vulnerabilities automatically
