Snyk offers fix advice, which can include recommendations for upgrading vulnerable packages with the Fix PR feature. Fix PRs can only be created for dependencies whose versions are managed as part of the repository itself - that is, where the version is declared in the pom.xml.
If the version or dependency is declared as part of a parent or a BOM, the version is managed externally. Even though Snyk sees that it could fix the vulnerable path by changing the dependency's version, Snyk cannot apply the fix. Snyk can fix it only if the version is managed from the root project or its dependency management section.
When this occurs, if you expand the issue, you will see a section labelled Unreachable Paths.
If you attempt to open a Fix PR on this issue, and all paths are unreachable, the Fix PR will fail.
If the dependency must be managed externally to your project, we recommend you ignore the issue.
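To see in advance which direct dependencies have their version declared in the repository's own pom.xml, the sketch below classifies each one by where its version comes from. It is an added example, not Snyk's code or its actual resolution logic; the sample POM, its coordinates and the function names are constructed for illustration, and it only inspects the root pom.xml without resolving parents, BOMs or transitive paths.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml (not from the Snyk docs): a parent, one imported BOM,
# one version pinned in dependencyManagement, one pinned inline, one inherited.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>com.example</groupId><artifactId>corp-parent</artifactId><version>1.0</version></parent>
  <artifactId>app</artifactId>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.example</groupId><artifactId>platform-bom</artifactId>
      <version>2.0</version><type>pom</type><scope>import</scope></dependency>
    <dependency><groupId>org.example</groupId><artifactId>json-lib</artifactId><version>2.13.0</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>http-lib</artifactId><version>4.5.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>json-lib</artifactId></dependency>
    <dependency><groupId>org.example</groupId><artifactId>web-lib</artifactId></dependency>
  </dependencies>
</project>"""


def _coords(dep):
    return (dep.findtext("m:groupId", "", NS).strip(), dep.findtext("m:artifactId", "", NS).strip())


def classify_dependencies(pom_text):
    """Map (groupId, artifactId) -> where the version of a direct dependency is declared."""
    root = ET.fromstring(pom_text)
    managed = set()
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        # scope=import entries pull in a BOM; they pin the BOM, not the libraries inside it
        if dep.findtext("m:scope", "", NS).strip() != "import" and dep.findtext("m:version", "", NS).strip():
            managed.add(_coords(dep))
    result = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:version", "", NS).strip():
            result[_coords(dep)] = "root pom.xml (inline version)"
        elif _coords(dep) in managed:
            result[_coords(dep)] = "root pom.xml (dependencyManagement)"
        else:
            result[_coords(dep)] = "external (parent or BOM)"
    return result


if __name__ == "__main__":
    for (group, artifact), where in classify_dependencies(SAMPLE_POM).items():
        print(f"{group}:{artifact:10} -> {where}")
```

A version written as a `${property}` placeholder counts as inline in this sketch even when the property itself is defined in a parent, so treat those entries as needing a manual check.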