Snyk Code - Early May 2026 Update
Starting May 5, 2026, we're updating Snyk Code to improve scanning precision and reduce noise across all supported languages.
Improvements to scanning precision
All languages — Path Traversal severity tuning (CWE-22)
Path Traversal findings are now tiered by source risk. Findings from lower-risk sources are automatically reclassified from High/Medium to Low severity, reducing noise while keeping high-risk vectors prominent.
Java, Kotlin, Groovy — Apache Camel framework coverage (CWE-89 / CWE-22 / CWE-611)
Apache Camel Exchange HTTP sources are now tracked as taint origins. Applications using Apache Camel will see new findings where HTTP body and header values flow into SQL injection, path traversal, or XXE sinks. Customers using Apache Camel may see an increase in findings.
All languages — Improved .snyk exclude precision
.snyk exclude patterns now use full .gitignore-style glob semantics for more expressive and consistent scan scope control. Customers relying on .snyk exclude rules may see changes in scan scope.
Python — Reduced false positives on archive extraction (CWE-22 / CWE-73)
Python TarSlip detection is now scoped to genuine archive operations. Previously, any .extract() method call was flagged regardless of context, causing false positives in document parsers, ML pipelines, and custom extraction classes.
Findings now only fire when the receiver is a tarfile.open() or zipfile.ZipFile() object. ZipSlip detection via zipfile.ZipFile is also improved. Customers may see a reduction in Python TarSlip findings and new ZipSlip findings where archive contents are extracted without path sanitisation.
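An added example (not Snyk's code or rule logic) of the path sanitisation that the TarSlip/ZipSlip description refers to: each member name is resolved against the destination directory before .extract() is called on a tarfile.open() or zipfile.ZipFile() object. The helper names and the in-memory sample archives are constructed for illustration; whether Snyk Code recognises this particular check as a sanitiser is an assumption the page does not confirm.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Also apply the stdlib "data" extraction filter on Pythons that ship it.
TAR_KW = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}

def resolves_inside(dest, name):
    """True if dest/name, once normalised, is still located under dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root

def safe_extract(archive, dest):
    """Extract members that stay under dest; return the names refused."""
    is_tar = isinstance(archive, tarfile.TarFile)
    refused = []
    for m in archive.getmembers() if is_tar else archive.infolist():
        name = m.name if is_tar else m.filename
        # For tar, links and device nodes are refused as well as escaping paths.
        if resolves_inside(dest, name) and (not is_tar or m.isfile() or m.isdir()):
            archive.extract(m, path=dest, **(TAR_KW if is_tar else {}))
        else:
            refused.append(name)
    return refused

def demo():
    """Constructed sample: one normal member, one that climbs out of dest."""
    files = {"docs/readme.txt": b"ok", "../outside.txt": b"escape"}
    tbuf, zbuf = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf, zipfile.ZipFile(zbuf, "w") as zf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
            zf.writestr(name, data)
    tbuf.seek(0)
    with tempfile.TemporaryDirectory() as tmp:
        refused, kept = [], []
        for sub, arc in (("tar", tarfile.open(fileobj=tbuf)), ("zip", zipfile.ZipFile(zbuf))):
            dest = os.path.join(tmp, sub)
            os.mkdir(dest)
            with arc:
                refused.append(safe_extract(arc, dest))
            kept.append(os.path.exists(os.path.join(dest, "docs", "readme.txt")))
        return refused, kept, os.path.exists(os.path.join(tmp, "outside.txt"))
```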
Important details to note
All percentage improvements are based on Snyk's curated open-source data set. As part of these updates, you may see a decrease in High and Medium severity counts for Path Traversal as findings move to Low based on source risk tier. Total finding counts remain stable. Customers using Apache Camel may see an increase in findings as new data flows are detected. These changes apply specifically to the languages and CWEs listed above, while other scan areas remain unchanged.
Sebastian Roth | Senior Product Manager