open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
How Snyk Open Source scans Go modules and resolves the Go...
How Snyk Open Source reads go.mod/go.sum, builds the Go module dependency graph, and uses Minimal Version Selection to identify vulnerable versions.
How Snyk Open Source analyzes Cargo.lock for Rust depende...
How Snyk Open Source parses Cargo.lock, matches resolved crate versions against RustSec advisories, and handles Rust workspaces -- a mechanical breakdown of its documented approach.
Why Snyk's vulnerability database often reports issues be...
NVD's CVE enrichment pipeline has a well-documented backlog since 2024. Here's the mechanical reason Snyk's database often shows vulnerabilities weeks earlier.
How Snyk's Fix PRs mechanically differ from Upgrade PRs a...
Snyk's Upgrade, Fix, and Backlog PRs aren't interchangeable — each changes different files and carries different CI risk. Here's the mechanical breakdown.
How Snyk decides whether an automatic PR proposes a minor...
A mechanical walkthrough of the semver logic behind Snyk's automatic fix PRs — how it picks target versions and decides between patch, minor, and major bumps.
How Snyk patches remediate vulnerabilities that have no a...
How Snyk's patch feature applies targeted code-level diffs to fix vulnerabilities directly in dependencies when no clean upgrade path exists.
How snyk monitor creates and tracks a point-in-time proje...
A technical walkthrough of how `snyk monitor` builds a dependency snapshot, stores it as a Project, and re-checks it against new CVEs after the fact.
How Snyk calculates direct versus transitive dependency v...
Snyk splits vulnerability exposure into direct and transitive dependencies using lockfile graphs, CVE version-range matching, and path-level reachability analysis.
How Snyk's reachability analysis determines whether vulne...
A technical walkthrough of how Snyk's reachability analysis builds static call graphs to determine whether vulnerable dependency functions are actually invoked by your code.
What Is a Transitive Dependency?
A transitive dependency is code you never chose but still ship, pulled in by the libraries you did choose. Here is why indirect dependencies dominate your attack surface.
How reachability analysis coverage differs across Java, J...
Snyk's reachability analysis works differently across Java, JavaScript, and Python — here's why static, typed Java gets deeper coverage than dynamic Python and JS call graphs.
How the Snyk Priority Score algorithm blends CVSS, exploi...
How Snyk's Priority Score blends CVSS severity, exploit maturity, and reachability analysis into a single 1-1000 vulnerability ranking score.