Ruby and Maven improvements for SCM projects 🎉

New

Over the coming weeks we will be introducing a few improvements to Maven and Ruby projects imported through SCM integrations.

Ruby

Starting today, we are releasing minor improvements to Fix PRs for Ruby.

  • Snyk fixes vulnerabilities by updating the vulnerable gems and running bundle update to re-lock your Gemfile.lock.

  • When a Ruby version is not explicitly declared in the Gemfile, Snyk now defaults to Ruby 3.3 or latest. Previously, Snyk would default to 2.7.

  • Additionally, Snyk now supports Ruby versions 3.3 and 3.4.

These changes have no impact on findings, but should improve the success rate of Fix PRs.

Maven

Starting two weeks from today, we will begin gradually rolling out improvements to dependency resolution for Maven. The roll-out is expected to last approximately 1 month.

  • Snapshot artifacts, e.g. org.example:foo:1.0.0-SNAPSHOT, are published to Maven repositories with unique versioning information. Snyk was previously not resolving these dependencies correctly, which affected the accuracy of projects and their related issues. This will be fixed, and projects will detect these dependencies accurately.

  • Logic for “provided” transitive dependencies is now correct and aligns with the Snyk CLI and with how Maven itself handles these cases.
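The two Maven bullets above rest on two pieces of Maven behaviour that are easy to get wrong in an SCA tool: a -SNAPSHOT version is deployed under a unique timestamp-and-build-number version recorded in the repository's maven-metadata.xml, and a dependency declared with "provided" scope does not propagate to the projects that depend on it (while the compile-scope dependencies of a provided dependency inherit provided scope). The following Python script is an added illustration written for this post, not Snyk's code or Maven's; the maven-metadata.xml document and the dependency graph it parses are constructed sample data, and the function and artifact names are assumptions made for the example.

```python
"""Added example (not Snyk's or Maven's code): resolve a SNAPSHOT to the
unique version Maven actually deploys, and propagate "provided" scope through
a dependency graph the way Maven's scope-mediation table prescribes.
All inputs below are constructed for this illustration."""
import xml.etree.ElementTree as ET

# Constructed maven-metadata.xml, as a repository publishes it under
# org/example/foo/1.0.0-SNAPSHOT/ (timestamp and build number are made up).
SNAPSHOT_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<metadata modelVersion="1.1.0">
  <groupId>org.example</groupId>
  <artifactId>foo</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <versioning>
    <snapshot>
      <timestamp>20240105.143012</timestamp>
      <buildNumber>7</buildNumber>
    </snapshot>
    <lastUpdated>20240105143012</lastUpdated>
  </versioning>
</metadata>
"""


def resolve_snapshot_version(metadata_xml: str) -> str:
    """Return the unique version for a SNAPSHOT: '-SNAPSHOT' is replaced by
    '<timestamp>-<buildNumber>' taken from the repository metadata."""
    root = ET.fromstring(metadata_xml)
    version = root.findtext("version") or ""
    if not version.endswith("-SNAPSHOT"):
        raise ValueError("metadata does not describe a SNAPSHOT version")
    snap = root.find("versioning/snapshot")
    timestamp = snap.findtext("timestamp") if snap is not None else None
    build = snap.findtext("buildNumber") if snap is not None else None
    if not timestamp or not build:
        # Non-unique snapshot deployment: the base version is the file name.
        return version
    return version[: -len("-SNAPSHOT")] + f"-{timestamp}-{build}"


# Maven's scope-mediation table: key = scope we depend on an artifact with,
# inner key = scope that artifact declares for its own dependency. Missing
# inner keys ("provided", "test") mean the transitive dependency is omitted.
_TRANSITIVE_SCOPE = {
    "compile":  {"compile": "compile",  "runtime": "runtime"},
    "provided": {"compile": "provided", "runtime": "provided"},
    "runtime":  {"compile": "runtime",  "runtime": "runtime"},
    "test":     {"compile": "test",     "runtime": "test"},
}


def transitive_scope(direct_scope: str, declared_scope: str):
    """Effective scope of a transitive dependency, or None if it is dropped."""
    return _TRANSITIVE_SCOPE[direct_scope].get(declared_scope)


def resolve_tree(graph: dict, root: str) -> dict:
    """Breadth-first walk of {artifact: [(child, declared_scope), ...]} from
    root, returning {artifact: effective_scope}. Breadth-first order makes the
    first declaration reached the nearest one, matching Maven's nearest-wins
    mediation for this simplified (version-free) model."""
    effective = {}
    queue = list(graph.get(root, []))
    while queue:
        name, scope = queue.pop(0)
        if name in effective:
            continue  # a nearer declaration already decided this artifact
        effective[name] = scope
        for child, child_scope in graph.get(name, []):
            child_effective = transitive_scope(scope, child_scope)
            if child_effective is not None:
                queue.append((child, child_effective))
    return effective


# Constructed graph (artifact coordinates are hypothetical): the application
# depends on foo (compile) and on a container API (provided); foo itself
# declares a logging API as provided and a helper library as compile.
SAMPLE_GRAPH = {
    "app": [("org.example:foo:1.0.0-SNAPSHOT", "compile"),
            ("org.example:container-api:1.0", "provided")],
    "org.example:foo:1.0.0-SNAPSHOT": [("org.example:logging-api:1.0", "provided"),
                                       ("org.example:util:2.0", "compile")],
    "org.example:container-api:1.0": [("org.example:container-util:1.0", "compile")],
}

if __name__ == "__main__":
    print("unique snapshot version:", resolve_snapshot_version(SNAPSHOT_METADATA))
    for artifact, scope in resolve_tree(SAMPLE_GRAPH, "app").items():
        print(f"{artifact:40s} {scope}")
```

Running the script shows the two effects the roll-out concerns: the SNAPSHOT resolves to 1.0.0-20240105.143012-7 rather than to the literal base version, foo's provided logging API is absent from the application's tree, and the container helper that comes in through a provided dependency is itself reported as provided. A scanner that gets either rule wrong reports a different set of dependencies, and therefore a different set of issues, than the build actually ships.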

Both of the Maven improvements have the potential to change the number of dependencies and issues detected in the project.

Please refer to our User Docs for more information on supported languages.

Ryan Searle | Product Director