Issues UI - What’s New
We’ve updated our global, project, and release group Issues view to improve experience and functionality. This is the central inbox for all issues across all projects or all issues within a specific project.
From the main Issues tab, you can navigate to your Licensing and Security Issues.
IMPORTANT
Issues are no longer classified as Resolved. They are now set to Ignored as it is more apt in describing what the action actually accomplishes. Any previously Resolved issues appear as Ignored.
In this article, you learn about filtering and sorting options. As well as, bulk actions you can take to address the identified issues.
TIP
You can refer to Creating Tickets and Ignoring Issues for more information on completing bulk actions.
Regardless of the type of issue you are reviewing, all issues are automatically filtered into two tabs:
- Active
- Ignored
The Active tab lists all issues that require additional attention. The Ignored tab lists all issues that have been reviewed and set to ignore for various reasons.
Filtering Options
You now have the ability to use filters to refine your search. Refer to the table to review the list of available filters.
Licensing Filters
Security Filters
Filter Groups
Depth
| Filter Type | Description |
|---|---|
| Direct | Filter issues that are direct dependencies. |
| Transitive | Filter issues that are transitive dependencies. |
Ticket
| Filter Type | Description |
|---|---|
| Ticketed | Filter issues that already have a ticket associated. |
| Not Ticketed | Filter issues that have no associated tickets. |
Issue Type
| Filter Type | Desscription |
|---|---|
| Denied | Filter Licensing issues that are denied. |
| Flagged | Filter Licensing issues that have been flagged. |
| Unlicensed | Filter Licensing issues that have been listed as unlicensed. |
| Abandonware | Filter Supply Chain Risks that are packages that have not seen any maintainer activity (i.e. publishing) for long period of time, in the case of FOSSA we set this window to 2 years. |
| Empty Package | Filter Supply Chain Risks that are those that have no executable code. |
| Native code | Filter Supply Chain Risks that embed compiled executable files. |
| Outdated version | Filter Quality Issues that are any dependencies that are out of date according to your defined policy. |
| Denied dependency | Filter Quality Issues that are dependencies denied by your policy. |
Severity
| Filter Type | Description |
|---|---|
| Critical | Filter Security issues that have CVSS score 9-10 |
| High | Filter Security issues that have CVSS score 7-8.9 |
| Medium | Filter Security issues that have CVSS score 4-6.9 |
| Low | Filter Security issues that have CVSS score 0.1-3.9 |
| Unknown | Filter Security issues that do not have a CVSS score |
Ignored Type
Please see auto-ignored section for more details
| Filter type | Description |
|---|---|
| Manual | An issue ignored manually by the user |
| Auto-ignored | An issue ignored via "auto-ignore in all versions" |
NOTE
You can select Reset all filters to remove existing filters at any time to display all identified issues.
Sorting Options
Depending on the number of issues that are listed in your central inbox, it is helpful to sort issues based on specific criteria to support your remediation process. You can sort Issues based on:
- When the Issue was found by FOSSA (newest to oldest or oldest to newest)
- The package name (ascending or descending alphabetical order)
- The severity of the listed issue (highest to lowest or lowest to highest)
NOTE
Under the Licensing issues tab, the default sorting is set to Package name (A to Z). Under the Security issues tab, the default sorting is set to Severity (Highest to lowest).
Issue Actions
You can initiate actions by selecting the checkbox next to any issue, giving you access to the action menu.
Important
Available actions will depend on product type (licensing, security, quality), issue status (active, ignored), issue scope (global, release group, project), and action type (individual, bulk). Please see the table below for a detailed breakdown.
| Action | Description | Action type(s) | Product type(s) | Issue status | Issue scope(s) |
|---|---|---|---|---|---|
| Ignore (in current versions only) | Ignore the selected issue(s) for the current semantic version of the affected package. Doing so will ignore in only the selected, affected project(s). A new project revision containing any other semantic version of the package will generate a new active issue. | individual, bulk | licensing, security, quality | active | global, release group, project |
| Ignore (Auto-ignore in all versions) | only available for individual project issues Ignore the detected issue for all semantic versions of the affected package. Doing so will ignore in only the selected, affected project. Doing so will only apply to the selected issue type (Denied/Flagged license or a CVE) A new project revision containing any other semantic version of the package will be auto-ignored. Please see the auto-ignored section for full details. | individual | licensing, security | active | project |
| Create ticket | Create a ticket (JIRA) containing all selected issues. Please see Creating a Jira Ticket for full usage and configuration details. Doing so with a previously ticketed issue(s) selected will link to the new ticket only. | individual, bulk | licensing, security, quality | active, ignored | global, release group, project |
| Unlink ticket | Remove the association between the selected issue(s) and any linked tickets. | individual, bulk | licensing, security, quality | active, ignored | global, release group, project |
| Download CSV | Download a csv containing all selected issues scoped by issue status(active or ignored) | individual, bulk | licensing, security, quality | active, ignored | global, release group, project |
| Unignore | Change selected issue(s) status from ignored to active. Note doing so will not end any existing auto-ignore rules. Please see the auto-ignore section for more details on stopping auto-ignore rules. | individual, bulk | licensing, security, quality | ignored | global, release group, project |
Bulk Actions
You can action more than one issue at a time across all affected projects by using the select all or checking the boxes of the applicable issues in the global issues view.
IMPORTANT
This functionality replaces the Resolve in All Projects option when ignoring an issue in a particular project and the issue is found in other projects.
IMPORTANT
By selecting the bulk action checkbox, it automatically selects all the issues listed on the page. To select all the applicable issues, you must click the Select all link that displays in green.
Auto-ignore
Feature Flag
The Auto-ignore feature is currently locked behind a feature flag. Please contact your dedicated CSM or FOSSA Support to enable it.
In order to persist an ignore decision across all versions of a package, we have introduced a functionality to auto-ignore issues. Given the potential for unintended acceptance of risk by ignoring in all versions, we have introduced the following limitations:
- Individual issue only
- Project issue detail or single issue selected
- Project scope only
Auto-ignore is scoped to the combination of:
- Package
- Project
- Issue type
Applicable issue types:
- Denied license
- Flagged license
- Any CVE (security issue)
Example
Licensing Example
Our sample project P uses the following versions of package glob:
When we ignore an individual issue:
We are prompted with the option to "Auto-ignore in all versions". Based on our example, we will auto-ignore any Flagged CC-BY-SA-4.0 (Creative Commons Attribution-ShareAlike 4.0 International) license, detected in any version (7.1.4, 7.1.6, 7.2.3) of glob for only project P.
Result:
Notice we now have 0 active issues and 3 auto-ignored issues. Any future revision of Project P, containing any other version of glob, with Flagged license CC-BY-SA-4.0 will be auto-ignored.
Security issues are scoped by the ignored CVE rather than the detected license violation
TIP
We have added an
ignored typefilter to Ignored issue inboxes to quickly filter toauto-ignoredissues.
Ending Auto-ignore
To end an auto-ignore rule, we must select any individual auto-ignored issue and unignore
Caution
Doing so will change the issue status of all auto-ignored issues for the selected package and project.
Issues Page
The UI has changed when accessing the details of a specific issue. To access the issue details, click the issue title.
The Issue page lists all the information to which you are accustomed based on the Issue type. For security this includes Vulnerable Dependency, Vulnerability Details, and Affected Projects.
NOTE
You can now see other affected projects along with their statuses and associated tickets.
Updated 1 day ago