When importing a Maven-based project through a source control manager integration, a package is occasionally suffixed with a version of @unknown. The @unknown version means that Snyk is unable to access or verify the version of that package. Snyk may be unable to fetch the version for the following reasons:
- The version of the dependency is defined in the parent pom.xml or a BOM that is unavailable because, e.g.:
  - The pom is in a repository external to the monitored repository and Snyk does not have access to it
  - It is in a public repository that Snyk blocks (http being used instead of https)
  - It is in a repository that is unresponsive
  - The version might not actually be present
- The project uses pom.xml files published to a private registry such as Artifactory or Nexus; these cannot be accessed unless the corresponding integration is configured
If this is the case, the Snyk team recommends using a private registry integration to give Snyk access to files outside of the repository.
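
To see which of these reasons could apply to a given project, the following added example (not Snyk's code and not part of the original article) lists what a single pom.xml depends on from outside itself: the parent pom, imported BOMs, dependencies with no locally declared version, and repositories that use http. The sample pom and its coordinates are constructed; the script assumes the standard POM 4.0.0 namespace and does not expand `${...}` properties.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml for illustration; all coordinates and URLs are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>com.example</groupId><artifactId>corp-parent</artifactId><version>1.0.0</version></parent>
  <artifactId>app</artifactId>
  <repositories>
    <repository><id>legacy</id><url>http://repo.example.com/maven</url></repository>
    <repository><id>ok</id><url>https://repo.example.com/maven</url></repository>
  </repositories>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.example</groupId><artifactId>lib-a</artifactId><version>2.1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>corp-bom</artifactId><version>5.0</version>
      <type>pom</type><scope>import</scope></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>lib-a</artifactId></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-b</artifactId></dependency>
    <dependency><groupId>org.example</groupId><artifactId>lib-c</artifactId><version>3.0</version></dependency>
  </dependencies>
</project>"""


def _coord(elem):
    """Return 'groupId:artifactId' for a <dependency> or <parent> element."""
    return f"{elem.findtext('m:groupId', '', NS)}:{elem.findtext('m:artifactId', '', NS)}"


def audit_pom(pom_xml):
    """List what a scanner must fetch from outside this pom.xml to resolve versions."""
    root = ET.fromstring(pom_xml)
    managed = root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)
    # BOM imports pull version definitions from another pom.
    boms = [_coord(d) for d in managed if d.findtext("m:scope", "", NS) == "import"]
    # Versions pinned locally in dependencyManagement resolve without outside access.
    local = {_coord(d) for d in managed
             if d.findtext("m:version", "", NS) and _coord(d) not in boms}
    parent = root.find("m:parent", NS)
    return {
        "parent": _coord(parent) if parent is not None else None,
        "boms": boms,
        # No <version> here and none managed locally: it must come from the parent or a BOM.
        "inherited_versions": [_coord(d) for d in root.findall("m:dependencies/m:dependency", NS)
                               if not d.findtext("m:version", "", NS) and _coord(d) not in local],
        # Plain-http repository URLs, which the article says are blocked.
        "http_repos": [r.findtext("m:url", "", NS) for r in root.findall("m:repositories/m:repository", NS)
                       if r.findtext("m:url", "", NS).strip().lower().startswith("http://")],
    }
```

Any entry under `inherited_versions` can only be resolved if the listed parent pom or BOMs are reachable, so those are the files to check against the reasons above.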