Package Management

By navigating to the Packages feature in the top-level navigation, a FOSSA user has access to a global package inventory across their entire organization.

From here a user can search and filter for packages to manage.

Search

A user may search by package name, which populates the Packages left navigation with any detected packages matching that name.

Filters

To aid in the package management process, a user can leverage our robust filtering capabilities to narrow their package search. Filters include:

Project attributes

Filter Type | Description
--- | ---
CLI upload | Filter to project(s) analyzed via fossa analyze from the CLI or the associated GitHub Action
Container | Filter to project(s) analyzed via fossa container analyze from the CLI
Archive upload | Filter to project(s) analyzed via Archive Upload from one of the supported archive formats (.apk, .bz2, .bzip2, .conda, .gem, .gz, .ipa, .jar, .nupkg, .rpm, .tar, .whl, .xz, .zip)
Quick Import | Filter to project(s) analyzed via Quick Import from your version control system
SBOM Import | Filter to project(s) analyzed via SBOM Import from one of the supported SBOM import formats (CycloneDX)

Visibility

Filter Type | Description
--- | ---
Public | Filter to project(s) that have a publicly accessible view without authenticating and authorizing as a FOSSA user
Private | Filter to project(s) that are not publicly accessible and require authenticating and authorizing as a FOSSA user

Labels

Filter Type | Description
--- | ---
Project Label | Filter to project(s) that use a FOSSA-provided or user-defined project label for additional business context. Multiple labels may be selected using OR-based logic.

Example: Critical Impact OR Prod

Dependency Depth

Filter Type | Description
--- | ---
Direct | Filter packages that are direct dependencies.
Transitive | Filter packages that are transitive dependencies.

Blocked

Filter Type | Description
--- | ---
Uses blocked package(s) | Filter packages that are blocked.
No blocked package(s) | Filter packages that are not blocked.

Project Name

Filter Type | Description
--- | ---
Project Name | Filter packages used by the selected project(s)

CVE

Filter Type | Description
--- | ---
CVE | Filter packages containing the selected CVE(s)

CWE

Filter Type | Description
--- | ---
CWE | Filter packages containing the selected CWE(s)

Severity

Filter Type | Description
--- | ---
Critical | Filter security issues that have a CVSS score of 9-10
High | Filter security issues that have a CVSS score of 7-8.9
Medium | Filter security issues that have a CVSS score of 4-6.9
Low | Filter security issues that have a CVSS score of 0.1-3.9
Unknown | Filter security issues that do not have a CVSS score

Fix Available

Filter Type | Description
--- | ---
No Fix | Filter security issues that do not currently have a known safe version
Has Fix | Filter security issues that have a known next safe version

Sorting Options

You can sort packages based on:

  • The package name (ascending or descending alphabetical order)
  • Usage, which is the project count per semantic version (descending only)

Package Details

After selecting your desired package and version you will navigate to the Package Details screen. This screen contains pertinent information regarding the package, including:

  • Package name
  • Package version
  • Package locator (FOSSA unique identifier)
  • Package manager
  • Project count
  • License(s) detected
  • Package description
  • Homepage

In addition, a user can use the Projects and Vulnerabilities tabs to further explore where a package is used in your FOSSA organization and what vulnerabilities have been detected in it.


NOTE

Vulnerabilities are not determined by Security Policy, meaning they will appear in package management even if the "Security Issue" is ignored or removed by security policy. These vulnerabilities will not appear in any FOSSA reporting.

Blocked Packages

As a function of FOSSA's package management feature, a user can "Block" a package, enabling two key workflows:

  • Global reporting of blocked package usage across the organization
  • CI/CD failure via fossa test, preventing blocked packages from entering your production environments

A user can block a package by navigating to the Packages tab and searching or filtering for the desired package.

From there a user can either "Block All Versions" via the Block package button,

or select specific package versions to block.

Finally, a user selects the desired Quality policy to attach the blocked package rule to, and clicks Block package.
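The gate that a blocked-package rule enables in CI, modelled as an added example (this is not FOSSA's code): a rule either blocks every version of a package ("Block All Versions") or only the versions that were selected, and the presence of any blocked dependency fails the build the way fossa test does. The rule representation, package names and versions below are constructed assumptions.

```python
# Added example, not FOSSA's implementation: a minimal model of the
# blocked-package check that fails a CI/CD run. Rule semantics follow the
# two options in the UI: block all versions, or block selected versions only.
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockRule:
    package: str
    versions: frozenset = frozenset()  # empty means "Block All Versions"

    def matches(self, package: str, version: str) -> bool:
        if package != self.package:
            return False
        # An all-versions rule matches any version; otherwise exact match only.
        return not self.versions or version in self.versions


@dataclass(frozen=True)
class Dependency:
    package: str
    version: str
    direct: bool  # False for transitive dependencies


def blocked_dependencies(deps, rules):
    """Return every dependency (direct or transitive) hit by a block rule."""
    return [d for d in deps if any(r.matches(d.package, d.version) for r in rules)]


def ci_should_fail(deps, rules) -> bool:
    """Mirror the gate: any blocked package in the dependency graph fails CI."""
    return bool(blocked_dependencies(deps, rules))


# Constructed sample data (hypothetical package names and versions).
SAMPLE_RULES = [
    BlockRule("legacy-util"),                               # all versions blocked
    BlockRule("stream-helper", frozenset({"3.3.6"})),       # one version blocked
]
SAMPLE_DEPS = [
    Dependency("web-framework", "4.18.2", direct=True),
    Dependency("legacy-util", "1.3.0", direct=False),       # transitive, still blocked
    Dependency("stream-helper", "3.3.4", direct=True),      # not the blocked version
    Dependency("stream-helper", "3.3.6", direct=False),     # blocked version
]

if __name__ == "__main__":
    for d in blocked_dependencies(SAMPLE_DEPS, SAMPLE_RULES):
        depth = "direct" if d.direct else "transitive"
        print(f"BLOCKED {d.package}@{d.version} ({depth})")
    raise SystemExit(1 if ci_should_fail(SAMPLE_DEPS, SAMPLE_RULES) else 0)
```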