Issues UI - What’s New

We’ve updated our global, project, and release group Issues view to improve experience and functionality. This is the central inbox for all issues across all projects or all issues within a specific project.

From the main Issues tab, you can navigate to your Licensing and Security Issues.

❗️

IMPORTANT

Issues are no longer classified as Resolved. They are now set to Ignored as it is more apt in describing what the action actually accomplishes. Any previously Resolved issues appear as Ignored.

In this article, you learn about filtering and sorting options. As well as, bulk actions you can take to address the identified issues.

🚧

TIP

You can refer to Creating Tickets and Ignoring Issues for more information on completing bulk actions.

Regardless of the type of issue you are reviewing, all issues are automatically filtered into two tabs:

  • Active
  • Ignored
    The Active tab lists all issues that require additional attention. The Ignored tab lists all issues that have been reviewed and set to ignore for various reasons.

Filtering Options

You now have the ability to use filters to refine your search. Refer to the table to review the list of available filters.

Licensing Filters

Security Filters

Filter Groups

Depth

Filter TypeDescription
DirectFilter issues that are direct dependencies.
TransitiveFilter issues that are transitive dependencies.

Ticket

Filter TypeDescription
TicketedFilter issues that already have a ticket associated.
Not TicketedFilter issues that have no associated tickets.

Issue Type

Filter TypeDesscription
DeniedFilter Licensing issues that are denied.
FlaggedFilter Licensing issues that have been flagged.
UnlicensedFilter Licensing issues that have been listed as unlicensed.
AbandonwareFilter Supply Chain Risks that are packages that have not seen any maintainer activity (i.e. publishing) for long period of time, in the case of FOSSA we set this window to 2 years.
Empty PackageFilter Supply Chain Risks that are those that have no executable code.
Native codeFilter Supply Chain Risks that embed compiled executable files.
Outdated versionFilter Quality Issues that are any dependencies that are out of date according to your defined policy.
Denied dependencyFilter Quality Issues that are dependencies denied by your policy.

Severity

Filter TypeDescription
CriticalFilter Security issues that have CVSS score 9-10
HighFilter Security issues that have CVSS score 7-8.9
MediumFilter Security issues that have CVSS score 4-6.9
LowFilter Security issues that have CVSS score 0.1-3.9
UnknownFilter Security issues that do not have a CVSS score

Ignored Type

Please see auto-ignored section for more details

Filter typeDescription
ManualAn issue ignored manually by the user
Auto-ignoredAn issue ignored via "auto-ignore in all versions"

📘

NOTE

You can select Reset all filters to remove existing filters at any time to display all identified issues.

Sorting Options

Depending on the number of issues that are listed in your central inbox, it is helpful to sort issues based on specific criteria to support your remediation process. You can sort Issues based on:

  • When the Issue was found by FOSSA (newest to oldest or oldest to newest)
  • The package name (ascending or descending alphabetical order)
  • The severity of the listed issue (highest to lowest or lowest to highest)

📘

NOTE

Under the Licensing issues tab, the default sorting is set to Package name (A to Z). Under the Security issues tab, the default sorting is set to Severity (Highest to lowest).

Issue Actions

You can initiate actions by selecting the checkbox next to any issue, giving you access to the action menu.

❗️

Important

Available actions will depend on product type (licensing, security, quality), issue status (active, ignored), issue scope (global, release group, project), and action type (individual, bulk). Please see the table below for a detailed breakdown.

ActionDescriptionAction type(s)Product type(s)Issue statusIssue scope(s)
Ignore (in current versions only)Ignore the selected issue(s) for the current semantic version of the affected package. Doing so will ignore in only the selected, affected project(s).

A new project revision containing any other semantic version of the package will generate a new active issue.
individual, bulklicensing, security, qualityactiveglobal, release group, project
Ignore (Auto-ignore in all versions)only available for individual project issues

Ignore the detected issue for all semantic versions of the affected package. Doing so will ignore in only the selected, affected project.

Doing so will only apply to the selected issue type (Denied/Flagged license or a CVE)

A new project revision containing any other semantic version of the package will be auto-ignored. Please see the auto-ignored section for full details.
individuallicensing, securityactiveproject
Create ticketCreate a ticket (JIRA) containing all selected issues. Please see Creating a Jira Ticket for full usage and configuration details.

Doing so with a previously ticketed issue(s) selected will link to the new ticket only.
individual, bulklicensing, security, qualityactive, ignoredglobal, release group, project
Unlink ticketRemove the association between the selected issue(s) and any linked tickets.individual, bulklicensing, security, qualityactive, ignoredglobal, release group, project
Download CSVDownload a csv containing all selected issues scoped by issue status(active or ignored)individual, bulklicensing, security, qualityactive, ignoredglobal, release group, project
UnignoreChange selected issue(s) status from ignored to active.

Note doing so will not end any existing auto-ignore rules. Please see the auto-ignore section for more details on stopping auto-ignore rules.
individual, bulklicensing, security, qualityignoredglobal, release group, project

Bulk Actions

You can action more than one issue at a time across all affected projects by using the select all or checking the boxes of the applicable issues in the global issues view.

❗️

IMPORTANT

This functionality replaces the Resolve in All Projects option when ignoring an issue in a particular project and the issue is found in other projects.

❗️

IMPORTANT

By selecting the bulk action checkbox, it automatically selects all the issues listed on the page. To select all the applicable issues, you must click the Select all link that displays in green.

Auto-ignore

📘

Feature Flag

The Auto-ignore feature is currently locked behind a feature flag. Please contact your dedicated CSM or FOSSA Support to enable it.

In order to persist an ignore decision across all versions of a package, we have introduced a functionality to auto-ignore issues. Given the potential for unintended acceptance of risk by ignoring in all versions, we have introduced the following limitations:

  • Individual issue only
  • Project issue detail or single issue selected
  • Project scope only

Auto-ignore is scoped to the combination of:

  • Package
  • Project
  • Issue type

Applicable issue types:

  • Denied license
  • Flagged license
  • Any CVE (security issue)

Example

Licensing Example
Our sample project P uses the following versions of package glob:

When we ignore an individual issue:

We are prompted with the option to "Auto-ignore in all versions". Based on our example, we will auto-ignore any Flagged CC-BY-SA-4.0 (Creative Commons Attribution-ShareAlike 4.0 International) license, detected in any version (7.1.4, 7.1.6, 7.2.3) of glob for only project P.

Result:

Notice we now have 0 active issues and 3 auto-ignored issues. Any future revision of Project P, containing any other version of glob, with Flagged license CC-BY-SA-4.0 will be auto-ignored.

Security issues are scoped by the ignored CVE rather than the detected license violation

📘

TIP

We have added an ignored type filter to Ignored issue inboxes to quickly filter to auto-ignored issues.

Ending Auto-ignore

To end an auto-ignore rule, we must select any individual auto-ignored issue and unignore

🚧

Caution

Doing so will change the issue status of all auto-ignored issues for the selected package and project.

Issues Page

The UI has changed when accessing the details of a specific issue. To access the issue details, click the issue title.

The Issue page lists all the information to which you are accustomed based on the Issue type. For security this includes Vulnerable Dependency, Vulnerability Details, and Affected Projects.

📘

NOTE

You can now see other affected projects along with their statuses and associated tickets.