Safeguard
Tag

open-source-security

Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.

341 articles

Open Source Security

How Snyk Open Source scans Go modules and resolves the Go...

How Snyk Open Source reads go.mod/go.sum, builds the Go module dependency graph, and uses Minimal Version Selection to identify vulnerable versions.

Aug 29, 20257 min read
Open Source Security

How Snyk Open Source analyzes Cargo.lock for Rust depende...

How Snyk Open Source parses Cargo.lock, matches resolved crate versions against RustSec advisories, and handles Rust workspaces -- a mechanical breakdown of its documented approach.

Aug 29, 20257 min read
Open Source Security

Why Snyk's vulnerability database often reports issues be...

NVD's CVE enrichment pipeline has a well-documented backlog since 2024. Here's the mechanical reason Snyk's database often shows vulnerabilities weeks earlier.

Aug 28, 20257 min read
Open Source Security

How Snyk's Fix PRs mechanically differ from Upgrade PRs a...

Snyk's Upgrade, Fix, and Backlog PRs aren't interchangeable — each changes different files and carries different CI risk. Here's the mechanical breakdown.

Aug 28, 20258 min read
Open Source Security

How Snyk decides whether an automatic PR proposes a minor...

A mechanical walkthrough of the semver logic behind Snyk's automatic fix PRs — how it picks target versions and decides between patch, minor, and major bumps.

Aug 28, 20257 min read
Open Source Security

How Snyk patches remediate vulnerabilities that have no a...

How Snyk's patch feature applies targeted code-level diffs to fix vulnerabilities directly in dependencies when no clean upgrade path exists.

Aug 27, 20257 min read
Open Source Security

How snyk monitor creates and tracks a point-in-time proje...

A technical walkthrough of how `snyk monitor` builds a dependency snapshot, stores it as a Project, and re-checks it against new CVEs after the fact.

Aug 27, 20257 min read
Open Source Security

How Snyk calculates direct versus transitive dependency v...

Snyk splits vulnerability exposure into direct and transitive dependencies using lockfile graphs, CVE version-range matching, and path-level reachability analysis.

Aug 27, 20257 min read
Open Source Security

How Snyk's reachability analysis determines whether vulne...

A technical walkthrough of how Snyk's reachability analysis builds static call graphs to determine whether vulnerable dependency functions are actually invoked by your code.

Aug 26, 20257 min read
Concepts

What Is a Transitive Dependency?

A transitive dependency is code you never chose but still ship, pulled in by the libraries you did choose. Here is why indirect dependencies dominate your attack surface.

Aug 26, 20255 min read
Open Source Security

How reachability analysis coverage differs across Java, J...

Snyk's reachability analysis works differently across Java, JavaScript, and Python — here's why static, typed Java gets deeper coverage than dynamic Python and JS call graphs.

Aug 26, 20257 min read
Open Source Security

How the Snyk Priority Score algorithm blends CVSS, exploi...

How Snyk's Priority Score blends CVSS severity, exploit maturity, and reachability analysis into a single 1-1000 vulnerability ranking score.

Aug 26, 20257 min read
open-source-security (Page 22) — Safeguard Blog