docs/scan-with-snyk/snyk-code/manage-code-vulnerabilities/README.md
27 lines changed: 27 additions & 0 deletions
@@ -120,6 +120,33 @@ Manage Project settings as follows:
120
120
* Deactivate Project: [Temporarily disable the Project without deleting any data](../../../snyk-admin/snyk-projects/#delete-activate-or-deactivate).
121
121
* Delete the Project: [Permanently remove the Project and all associated data](../../../snyk-admin/snyk-projects/#delete-activate-or-deactivate).
122
122
123
+
## Tracking vulnerabilities across code changes
124
+
125
+
Snyk Code goes beyond simple static analysis by tracking vulnerabilities across multiple scans, even as your codebase evolves. This ensures consistent and accurate vulnerability management, regardless of code refactoring, file renaming, or positional changes.\
126
+
\
127
+
Consider a scenario where a vulnerability exists in `file1.js` on line 45. After a code refactor, the vulnerability persists but is now located in a different file and line. To effectively address such scenarios, Snyk Code employs a sophisticated issue-tracking system. To tracks vulnerabilities\
128
+
Snyk Code performs the following:
129
+
130
+
1. Fingerprint matching:
131
+
* Generates a min-hash of the code's syntax tree for each vulnerability.
132
+
* Calculates nearest neighbors from these hashes to identify similar vulnerabilities across scans.
133
+
2. File position comparison:
134
+
* Analyzes file paths and line numbers to account for code movement.
135
+
* Calculates similarity based on directory, filename, and line/column changes.
136
+
137
+
### Final confidence scoring
138
+
139
+
Snyk Code combines the results of fingerprint matching, file position comparison, and historical weighting to generate a final confidence score. This score indicates the likelihood that two vulnerabilities from different scans are the same.
140
+
141
+
For example, if a vulnerability in `utils/auth_utils.js` is moved to `utils/auth_helpers.js` and the line number changes. Snyk Code's algorithms would perform the following:
142
+
143
+
* Identify a new vulnerability in `utils/auth_helpers.js` and generate a fingerprint from its AST.
144
+
* Compare the new vulnerability's fingerprint with issues found in the previous scan.
145
+
* Identify a high fingerprint similarity despite minor AST changes.
146
+
* Recognize the high file path similarity due to the shared directory and similar file names.
147
+
* Account for the line number change while maintaining a high overall confidence score.
148
+
* Match the new vulnerability with the vulnerability with highest confidence score from the previous scan.
149
+
123
150
## What's next?
124
151
125
152
*[See the breakdown of Code analysis](breakdown-of-code-analysis.md)
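Review bot: Line 127 ends in a dangling fragment, "To tracks vulnerabilities\", that runs straight into line 128's "Snyk Code performs the following:", so the sentence reads "To tracks vulnerabilities Snyk Code performs the following"; drop the stray hard line break and make it "To track vulnerabilities, Snyk Code performs the following:". Line 141 has the same kind of break: "...and the line number changes. Snyk Code's algorithms would perform the following:" should be one sentence joined with a comma, since the "if" clause has no main clause of its own. Line 148 is missing an article: "with the vulnerability with the highest confidence score". Finally, line 139 introduces "historical weighting" as a third input to the confidence score, but the numbered list on lines 130-135 only describes fingerprint matching and file position comparison; either add a short third item explaining what is weighted historically (for example prior match decisions across scans) or remove the term so the list and the scoring section agree. The trailing backslashes on lines 125-127 also produce empty hard breaks in the rendered page; a blank line between paragraphs is enough here.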