open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
Untracked Dependencies in the Software Supply Chain
Most teams can name their direct dependencies but not the hundreds of transitive packages actually running underneath. Here's why that gap is where real supply chain attacks live.
Immature Open Source Projects as a Supply Chain Risk
xz-utils, event-stream, node-ipc: a decade of supply chain incidents traces back to one root cause — thinly maintained, single-person open source projects.
Under/Oversized Dependency Risk in Modern Applications
Oversized dependency risk and fragile single-maintainer packages both widen your software supply chain attack surface. Here's how to spot and manage both.
What Is OSV (Open Source Vulnerabilities)?
OSV is an open, ecosystem-native vulnerability database that expresses affected versions in precise, machine-matchable ranges. Here is how it works and why scanners rely on it.
What Is Semantic Versioning?
Semantic versioning encodes the meaning of a release into its version number. Here is how MAJOR.MINOR.PATCH works and why it drives both dependency resolution and security triage.
How Snyk Container detects application-level dependencies...
A mechanical look at how Snyk Container scans image filesystems to detect npm, pip, Maven, and other application dependencies bundled inside containers.
How Snyk Container prioritizes OS package vulnerabilities...
A technical look at how Snyk Container ranks OS package vulnerabilities using exploit maturity signals, CVSS, and EPSS instead of severity alone.
How Snyk Container parses apk, deb, and rpm package datab...
How Snyk Container reads apk, dpkg, and rpm databases inside image layers to detect OS package vulnerabilities without ever running the container.
How Snyk Open Source builds a full dependency tree from p...
How Snyk Open Source turns package-lock.json and yarn.lock files into a full dependency graph to power vulnerability matching and fix advice.
How Snyk parses npm, yarn, and pnpm lockfiles differently...
How Snyk resolves exact package versions from npm, Yarn, and pnpm lockfiles — and why each format's structure demands its own parsing logic.
How Snyk resolves Maven and Gradle dependency graphs incl...
Snyk doesn't parse pom.xml or build.gradle statically -- it invokes real Maven and Gradle tooling to compute the exact dependency graph your build produces.
How Snyk handles Python dependency resolution across pip,...
How Snyk resolves Python dependency trees differently for pip, Poetry, and Pipenv, and what that means for vulnerability scan accuracy.