Package Management
By navigating to the Packages feature at the top-level navigation a FOSSA user will have access a global package inventory across their entire organization.
Here a user can begin searching and filtering for package to manage.
Search
A user may search by package name which will populate the Packages left navigation with any detected packages.
Filters
To aide in the package management process a use can leverage our robust filtering capabilities to narrow their package search. Filters include:
Project attributes
| Filter type | Description |
|---|---|
| CLI upload | Filter to project(s) analyzed via fossa analyze from the CLI or associated Github action |
| Container | Filter to project(s) analyzed via fossa container analyze from the CLI |
| Archive upload | Filter to project(s) analyzed via Archive Upload from one of the supported archive formats (apk, .bz2, .bzip2, .conda, .gem, .gz, .ipa, .jar, .nupkg, .rpm, .tar, .whl, .xz, .zip) |
| Quick Import | Filter to project(s) analyzed via Quick Import from your version control system |
| SBOM Import | Filter to project(s) analyzed via SBOM Import from one of the supported SBOM import formats (cycloneDX) |
Visibility
| Filter Type | Description |
|---|---|
| Public | Filter to project(s) that has a publicly accessible view without authenticating & authorizing as a FOSSA user |
| Private | Filter to project(s) that is not publicly accessible and requires authenticating & authorizing as a FOSSA user |
Labels
| Filter Type | Description |
|---|---|
| Project Label | Filter to project(s) that use a FOSSA provided or user defined project label for additional business context. Multiple labels may be selected using OR based logic.Example: Critical Impact OR Prod |
Dependency Depth
| Filter Type | Description |
|---|---|
| Direct | Filter packages that are direct dependencies. |
| Transitive | Filter packages that are transitive dependencies. |
Blocked
| Filter Type | Description |
|---|---|
| Uses blocked package(s) | Filter packages that are blocked. |
| No blocked package(s) | Filter packages that are not blocked. |
Project Name
| Filter Type | Description |
|---|---|
| Project Name | Filter packages used by the selected project(s) |
CVE
| Filter Type | Description |
|---|---|
| CVE | Filter packages containing the selected CVE(s) |
CWE
| Filter Type | Description |
|---|---|
| CWE | Filter packages containing the selected CWE(s) |
Severity
| Filter Type | Description |
|---|---|
| Critical | Filter Security issues that have CVSS score 9-10 |
| High | Filter Security issues that have CVSS score 7-8.9 |
| Medium | Filter Security issues that have CVSS score 4-6.9 |
| Low | Filter Security issues that have CVSS score 0.1-3.9 |
| Unknown | Filter Security issues that do not have a CVSS score |
Fix Available
| Filter Type | Description |
|---|---|
| No Fix | Filter Security issues that do not currently have a known safe version |
| Has Fix | Filter Security issues that have a known next safe version |
Sorting Options
You can sort packages based on:
- The package name (ascending or descending alphabetical order)
- Usage which is the project count per semantic version (descending only)
Package Details
After selecting your desired package and version you will navigate to the Package Details screen. This screen will contain pertinent information regarding the package including:
- Package name
- Package version
- Package locator (FOSSA unique identifier)
- Package manager
- Project count
- License(s) detected
- Package description
- Homepage
In addition a user can use the Projects and Vulnerabilities tabs to further explore where a package is used in your FOSSA organization and what vulnerabilities are detected.
NOTE
Vulnerabilities are not determined by Security Policy. Meaning they will appear in package management even if they "Security Issue" is ignored or removed by security policy. These vulnerabilities will not appear in any FOSSA reporting.
Blocked Packages
As a function of FOSSA's package management feature, a user can "Block" a package enabling two key workflows:
- Global reporting of blocked package usage across the organization
- CI/CD failure via
fossa testpreventing blocked packages from entering your production environments
A user can block a package by navigating to the packages tab and searching or filter to your desired package
From there a user can either "Block All Versions" via the Block package button
Or select specific package versions to block
Finally a user will select the desired Quality policy to attach the blocked package rule to, and Block package
Updated 2 months ago