Known vulnerabilities can be introduced from direct dependencies or indirect ("deep" / "chained" / "transitive") dependencies:
- A direct dependency is a package you declare in your own project's manifest, for example in package.json for a JavaScript application (see supported languages).
- An indirect dependency is a package that your project does not use directly, but that is used by one of your direct dependencies. If your application uses package A, and package A uses package B, then your application indirectly depends on package B. If package B is vulnerable, your project is vulnerable.
Snyk analyzes the full dependency tree, including all the third-party libraries used, and compares the results to Snyk’s vulnerability database.
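The following is an added example, not Snyk's own code, that shows what "analyzing the full dependency tree" amounts to in practice: walking from the root's direct dependencies down through every transitive dependency, recording the path by which each package@version is reached, and matching each reached package against a vulnerability database. The lockfile shape (a flat `packages` map keyed by `name@version`), the package names, the advisory ids and the "affected when below `fixedIn`" check are all constructed simplifications; a real lockfile and a real database use richer formats and full semver ranges.

```javascript
// Added example (not Snyk's code): resolve direct and transitive dependencies
// from a lockfile-style graph and flag packages that match a vulnerability
// database, reporting the dependency path that pulls each one in.

// Constructed sample lockfile: one entry per installed package@version.
// This flat shape is an assumption, a simplification of real lockfile formats.
const lockfile = {
  root: { dependencies: { "web-framework": "2.3.0", "util-lib": "1.0.0" } },
  packages: {
    "web-framework@2.3.0": { dependencies: { "query-parser": "6.5.0", "util-lib": "1.0.0" } },
    "query-parser@6.5.0": { dependencies: { "util-lib": "1.0.0" } },
    "util-lib@1.0.0": { dependencies: {} },
  },
};

// Constructed vulnerability database: a package is affected when its installed
// version is below fixedIn (a simplified check, not full semver range matching).
const vulnDb = [
  { id: "EXAMPLE-VULN-0001", name: "query-parser", fixedIn: "6.5.3", title: "constructed issue in query-parser" },
  { id: "EXAMPLE-VULN-0002", name: "util-lib", fixedIn: "0.9.0", title: "constructed issue already fixed in 0.9.0" },
];

// Compare dotted numeric versions component by component (major.minor.patch).
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk from the root's direct dependencies. Every path by which a
// package@version is reached is recorded, so a package pulled in both directly
// and transitively shows up with all of its paths. The onStack set guards
// against cycles in the graph.
function resolveDependencyPaths(lock) {
  const reached = new Map(); // "name@version" -> array of paths (arrays of keys)
  const walk = (deps, path, onStack) => {
    for (const [name, version] of Object.entries(deps)) {
      const key = `${name}@${version}`;
      if (onStack.has(key)) continue; // cycle: already on the current path
      const newPath = [...path, key];
      if (!reached.has(key)) reached.set(key, []);
      reached.get(key).push(newPath);
      const pkg = lock.packages[key];
      if (!pkg) throw new Error(`lockfile has no entry for ${key}`);
      walk(pkg.dependencies, newPath, new Set([...onStack, key]));
    }
  };
  walk(lock.root.dependencies, [], new Set());
  return reached;
}

// Match every reached package against the database. A finding is "direct" when
// at least one of its paths has length 1 (declared by the root itself).
function findVulnerabilities(lock, db) {
  const reached = resolveDependencyPaths(lock);
  const findings = [];
  for (const [key, paths] of reached) {
    const at = key.lastIndexOf("@");
    const name = key.slice(0, at);
    const version = key.slice(at + 1);
    for (const vuln of db) {
      if (vuln.name === name && versionLessThan(version, vuln.fixedIn)) {
        findings.push({
          id: vuln.id,
          package: key,
          direct: paths.some((p) => p.length === 1),
          paths,
          fixedIn: vuln.fixedIn,
        });
      }
    }
  }
  return findings;
}

// Stand-alone run: prints each finding with the chain that introduces it.
for (const f of findVulnerabilities(lockfile, vulnDb)) {
  const kind = f.direct ? "direct" : "transitive";
  console.log(`${f.id}: ${f.package} (${kind}, fixed in ${f.fixedIn})`);
  for (const p of f.paths) console.log("  via " + p.join(" > "));
}
```

The path in each finding is what makes a transitive result actionable: here the only affected package, query-parser@6.5.0, is never declared by the application, so the fix is to upgrade web-framework (the direct dependency that requires it) rather than to edit the manifest for query-parser. util-lib@1.0.0 is reached three times (once directly, twice transitively) but is not reported because its installed version is already at or above the fixed version.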