open-source-security
Safeguard articles tagged "open-source-security" — guides, analysis, and best practices for software supply chain and application security.
341 articles
How the Snyk Risk Score's 0-1000 scale is derived from CV...
How Snyk's 0-1000 Risk Score starts from the CVSS impact subscore formula, then layers in exploit maturity, social trends, and reachability data.
How Snyk Advisor's package health score weighs popularity...
Snyk Advisor scores packages 0-100 using four signals: popularity, maintenance, community, and security. Here is exactly how each one is calculated.
How Snyk detects malicious and typosquatted open-source p...
How Snyk's research team detects malicious and typosquatted open-source packages — from name-similarity heuristics to install-script analysis and source-code provenance checks.
How Snyk identifies dependency confusion attacks in priva...
A technical look at how Snyk detects dependency confusion attacks — from vulnerability database malicious-package flags to registry scoping and Advisor scoring.
How Snyk's open-source license compliance engine classifi...
How Snyk's license compliance engine groups open-source licenses and maps them to low, medium, high, and critical severity levels.
How Snyk's default license policy is structured and how t...
How Snyk structures its default license policy—severity tiers, unknown-license handling, and PR enforcement—and the concrete steps to customize it for your org.
How Snyk keeps its license classifications aligned with t...
How Snyk detects, normalizes, and categorizes open source license metadata against the SPDX License List to power its license compliance policies.
How Snyk detects deprecated or unmaintained packages befo...
A look at how Snyk Advisor scores package maintenance health and surfaces deprecated or abandoned dependencies before they turn into security incidents.
How Snyk scans NuGet and .NET project files for vulnerabl...
How Snyk resolves NuGet and .NET dependency graphs from csproj, packages.config, and project.assets.json files to find vulnerable packages.
How Snyk scans Composer/PHP and RubyGems dependency manif...
A technical look at how Snyk parses composer.json/composer.lock and Gemfile/Gemfile.lock to build dependency trees and match PHP and Ruby packages against known vulnerabilities.
How Snyk's exploit maturity rating is researched and assi...
A look at how Snyk researches and assigns exploit maturity ratings — the categories, the manual research process, and how the label shapes vulnerability prioritization.
How Snyk handles vulnerability remediation for indirect (...
How does Snyk fix vulnerabilities buried in transitive dependencies you never directly installed? A look at dependency graphs, upgrade paths, and pinning.