Setting up the Security Policy

Before doing anything else with FOSSA Security, let's get you set up with a policy! Security policies are primarily used to reduce false positives and alleviate notification fatigue.

Creating a Security Policy

To create a new security policy, navigate to the "Security" tab under the "Policies" menu and click "Create Policy."


From here, you can choose to filter identified vulnerabilities by CVSS severity of score. Documentation for how CVSS severity maps to score can be found here.


Further down the page, you'll see options for CWE whitelist and blacklist rules. It's possible that your team may be very wary (or the opposite: not at all wary) of certain groups of CVEs. The whitelist and blacklist capabilities allow you to further customize your policy to take these cases into account. For example, some dependencies in your project may have known vulnerabilities associated with SQL injections, but this is a moot point if your project doesn't use a SQL database. In this particular case, you may want to add CWE-564 to the whitelist.


That's it! Once you're done with configuring the security policy, you're ready to start using the product!