Reviewing Licensing Issues

In this article, you learn about filtering and sorting options. As well as, bulk actions you can take to address the identified issues.

🚧

TIP

You can refer to Creating Tickets and Ignoring Issues for more information on completing bulk actions.

Regardless of the type of issue you are reviewing, all issues are automatically filtered into two tabs:

  • Active - All issues that require additional attention
  • Ignored - Issues that have been reviewed and ignored

Filtering Options

You have multiple filters to refine your search.

Filter Groups

Depth

Filter TypeDescription
DirectFilter issues that are direct dependencies.
TransitiveFilter issues that are transitive dependencies.

Ticket

Filter TypeDescription
TicketedFilter issues that already have a ticket associated.
Not TicketedFilter issues that have no associated tickets.
JIRA integratedFilter issues that have a native JIRA integration
URL LinkFilter issues that have a manual URL associated

Issue Type

Filter TypeDescription
DeniedFilter Licensing issues that are denied.
FlaggedFilter Licensing issues that have been flagged.
UnlicensedFilter Licensing issues that have been listed as unlicensed.

📘

NOTE

You can select Reset all filters to remove existing filters at any time to display all identified issues.

License Identification

Filter TypeDescription
DeclaredFilter Licensing issues that are found in Declared licenses only
DiscoveredFilter Licensing issues that are found in Discovered licenses only

📘

NOTE

  • Declared licenses are licenses that the software author has chosen and specified for their work.
    • Often detected in the manifest files (pom.xml, package.json, etc.) or source/package repositories
  • Discovered licenses are all other licenses that FOSSA detects during component analysis that the software author may or may not be aware are included in their work.

First Found

Filter typeDescription
AnytimeFilter Licensing issues that have been detected during any time frame.
Last 7 daysFilter Licensing issues that have been detected within the last 7 days
Last 14 daysFilter Licensing issues that that have been detected within the last 14 days
Last 30 DaysFilter Licensing issues that have been detected within the last 30 days

Package manager

The package manager filter enables a user to filter issues to only issues created by a particular ecosystem or package manager.

📘

NOTE

The package manager filter will only display options from available ecosystems in the given issue scope (Global, project, release group)

Project Label

Filter typeDescription
Project LabelFilter to licensing issues detected in project(s) that use a FOSSA provided or user defined project label for additional business context. Multiple labels may be selected using OR based logic.

Team

The top-level team filters enables a user to filter to only issues detected by projects within the selected team(s). This filter displays issues for all teams by default

Filter typeDescription
Team(s)Filter to licensing issues detected in project(s) within a specific team. Multiple team(s) may be selected using OR based logic.

Sorting Options

Depending on the number of issues that are listed in your central inbox, it is helpful to sort issues based on specific criteria to support your remediation process. You can sort Issues based on:

  • When the Issue was found by FOSSA (newest to oldest or oldest to newest)
  • The package name (ascending or descending alphabetical order)
  • Issue count per semantic version (Most issues or least issues)

📘

NOTE

The default sorting is set to Issue count when grouped by version and Package name (A to Z) when ungrouped.

Issue Actions

You can initiate actions by selecting the checkbox next to any issue, giving you access to the action menu.

❗️

Important

Available actions will depend on product type (licensing, security, quality), issue status (active, ignored), issue scope (global, release group, project), and action type (individual, bulk). Please see the table below for a detailed breakdown.

ActionDescriptionAction type(s)Product type(s)Issue statusIssue scope(s)
Ignore (in current versions only)Ignore the selected issue(s) for the current semantic version of the affected package. Doing so will ignore in only the selected, affected project(s).

A new project revision containing any other semantic version of the package will generate a new active issue.
individual, bulklicensing, security, qualityactiveglobal, release group, project
Ignore (Auto-ignore in all versions)only available for individual project issues

Ignore the detected issue for all semantic versions of the affected package. Doing so will ignore in only the selected, affected project.

Doing so will only apply to the selected issue type (Denied/Flagged license or a CVE)

A new project revision containing any other semantic version of the package will be auto-ignored. Please see the auto-ignore section for full details.
individuallicensing, securityactiveproject
Create ticketCreate a ticket (JIRA) containing all selected issues. Please see Creating a Jira Ticket for full usage and configuration details.

Doing so with a previously ticketed issue(s) selected will link to the new ticket only.
individual, bulklicensing, security, qualityactive, ignoredglobal, release group, project
Unlink ticketRemove the association between the selected issue(s) and any linked tickets.individual, bulklicensing, security, qualityactive, ignoredglobal, release group, project
Download CSVDownload a csv containing all selected issues scoped by issue status(active or ignored)individual, bulklicensing, security, qualityactive, ignoredglobal, release group, project
UnignoreChange selected issue(s) status from ignored to active.

Note doing so will not end any existing auto-ignore rules. Please see the auto-ignore section for more details on stopping auto-ignore rules.
individual, bulklicensing, security, qualityignoredglobal, release group, project

Bulk Actions

You can action more than one issue at a time across all affected projects by using the select all or checking the boxes of the applicable issues in the global issues view.

Issue Grouping

By default FOSSA issues will be grouped by semantic version. A user may change to the ungrouped view by selecting Version in the issue inbox header and changing to Ungrouped

Auto-ignore Rules

In order to persist an ignore decision across all versions of a package or across all projects, you can create an auto-ignore rule.

Given the potential for unintended acceptance of risk by ignoring in all versions, we highly recommend extreme diligence when applying these options.

Auto-ignore is scoped to the combination of:

  • Package(s)
  • Project(s)
  • Issue type

Applicable issue types:

  • Denied license
  • Flagged license
  • Any CVE (security issue)

Ignore Modal

Given a user has the necessary permissions, Auto-ignore permissions, when a user ignores they will see options for Where should it be ignored? & Which versions?

Where should it be ignored

The following options provide the user an ability to persist ignore decisions beyond the scope of selected project or global issue

Project ScopeDescription
In this projectCreates an auto-ignore rule scoped to only the selected project
Include release groupsCreates an auto-ignore rule scoped to the selected project & any release group containing the selected project. Including future release groups
In this release groupCreates an auto-ignore rule scope to only the selected release group (Release group issue inbox only)
In the licensing policyCreates an auto-ignore rule scoped to the policy used by the selected project. Any other project or release group using this same policy will receive the auto-ignore rule
GloballyCreates an auto-ignore rule scoped to all projects & release groups regardless of policy

🚧

CAUTION

By design, auto-ignore rules persist to their selected scope for current and future projects. Please see "Managing Auto-ignore rules" for details on terminating rules.

Which versions

The following options provide the user an ability to persist ignore decisions beyond the scope of the selected package version

Package ScopeDescription
Selected VersionCreates an auto-ignore rule scoped to the current package version only
All versionsCreates an auto-ignore rule scope to all versions of the package, current and future.

📘

NOTE

If a user selects scopes ofin this project and selected version no auto-ignore rule is created. Doing so will ignore the issue in all revisions( build analysis) submitted to this project where the selected version of the package is used. The issue will return as active whenever a new package version is submitted or a net new project is analyzed.

Managing Auto-ignore rules

Within any issue inbox (Global, Project, Release group) a user may select View Ignore Rules to navigate to all applicable rules

📘

NOTE

The Global issue inbox will contain all auto-ignore rules across every scope (Global, Policy, Release group, Project)

The Project/Release group issue inbox will contain only applicable Project/Release group auto-ignore rules and all global auto-ignore rules

Ignore rules contain the following metadata:

MetadataDescription
Issue IgnoredA combination of the license issue type (Denied, Flagged, Unlicensed) and the specific license ignored
PackageThe name of the package
VersionEither a specific package version or All
ScopeGlobal Policy Project or Project + Release Group
ByUser who created the auto-ignore rule
NoteIgnore reason provided when creating the auto-ignore rule. Please note these will also appear on issue details when applicable

A user may use the action icon to the far right to remove any auto-ignore rule.

Auto-ignore Permissions

See the table below for a detailed breakdown of permission required to create auto-ignore rules

ScopeRequired permissions
ProjectRequires Resolve Licensing issues of projects permissions for the selected project or for all projects.
Release groupRequires Resolve Licensing issues of release group permissions and access to the selected release group or all projects/release groups.
Project + release groupRequires Resolve Licensing issues of project and Resolve Licensing issues of release group permissions. Also requires access to the selected project and access to all release groups
PolicyRequires Create Licensing policy permission
GlobalRequires Requires Resolve Licensing issues of project and Resolve Licensing issues of release group permissions. Also requires access to all projects and release groups

Issue Drawer

The FOSSA issue detail UI has been updated with an easy to use issue drawer to quickly review and triage issues. A user can open the issue drawer by selecting anywhere within the desired issue's row.

Issue Drawer Controls

At the top right corner of an issue drawer a user can Expand , Share , or Close the issue drawer.

Issue Drawer ControlDescription
ExpandOpens a full screen view of the selected issues in a separate tab
ShareAllows a user to copy a link to the expanded view of the selected issue
CloseCloses the selected issue drawer

Issue Drawer Issue Sub Navigation

The issue sub nav for a licensing issue is composed of the following sections:

SectionDescription
Issue DetailsDescribes the type of issue (Flagged, Denied, Unlicensed) , the package depth per project, and any additional notes included for the license by your selected policy
File MatchesDescribes where we found the detected license (Declared or Discovered), which specific file, and which lines of code we detected evidence of the selected license.
DependencyRelevant information regarding the package itself, such as name, version, depth, and package manager/ecosystem
All LicensesA breakdown of every license detected on the package and whether that is a Declared or Discovered identification

📘

NOTE

A user may use the dropdown within the file matches section to explore additional file paths

Issue Drawer Projects Sub Navigation

The project sub nav for a security issue contains the following metadata:

MetadataDescription
Project NameTitle of the project in FOSSA
Issue StatusWhether the issue is active or ignored in that project
View PathThe origin and dependency path to determine where the package was detected within the project

Comments

Time and user stamped comments to track issue triage conversations.

📘

NOTE

You can now see other affected projects along with their statuses and associated tickets.