The Issues page (found within a report or globally) provides a feed of alerts generated against the dependencies of projects you've added to FOSSA.
FOSSA can scan for a variety of issues depending on what features you've enabled:
|Issue Type||Description||Product Suite|
|Unlicensed Dependency||Flagged against unlicensed code, which by default is copyrighted to the original author.||Compliance|
|Policy Flag||Flagged against licenses that require review.||Compliance|
|Policy Conflict||Flagged against licenses violating use case (policy deny).||Compliance|
|Missing Attribution||Flagged if your codebase is missing compliance documentation.||Compliance|
|Vulnerabilities||Flagged against vulnerable dependencies (CVE or Custom)||Security|
|Minor Outdated Dependency||Flagged if components are outside a specified version window.||Quality|
|Major Outdated Dependency||Flagged if components are outside a specified version window.||Quality|
To enable a missing Product Suite, contact [email protected]
On the left-hand side of the Issue Dashboard, FOSSA provides an inbox of Issue Threads, which are groups of similar issues that can be triaged and resolved together. These threads will automatically be organized and prioritized by type and severity.
For easy browsing, you can use the up/down keys on your keyboard to quickly navigate across issue threads.
Once you've selected an issue thread, FOSSA will display a report on the right hand side detailing information and action about the issues:
The report displays the following sections (in order)
1. Issue Summary
A description about the issue and why it was flagged.
2. Status Notes (optional)
Notes listed from an issue triage action, only displayed if the issue was previously resolved.
3. Component / Issue Details
A rich UI that displays details about the component and relevant data inside of it related to the issue. For many types of issues, there will be tools to "make corrections" to data or edit settings before ignoring the issue.
4. Affected Applications
A list of applications ("Projects") in your organization that are currently affected by these issues in the latest release.
5. General Notes
Comments from other team members about this component.
Under Affected Applications, FOSSA provides Issue Confirmation Levels to help your team easily confirm and prioritize issues during triage:
This section gives you a sense of which issues are the most likely to affect your team and need attention based off the following levels:
|Unconfirmed||This issue exists in your ecosystem, but we have found no specific evidence it is referenced to in your application.|
|Referenced||This issue deals with a component that is statically referenced by a package manifest (top level, or from traversing deep dependencies) within your affect application. A production build may or may not exclude this component (i.e. a test or mediated dependency).|
|Included||This issue deals with a component that we've confirmed is included in a production build by dynamically observing the build process.|
|Accessible||This issue is confirmed to be accessible to users in distributed applications or build artifacts.|
|Confirmed||This issue has been manually confirmed.|
FOSSA determines these levels by reflecting on how it discovered your dependency. If a dependency was reported using one method of code analysis over another, FOSSA can infer how "material" the issue alert is based off the technical implementations of those strategies.
Users can always manually "override" an automatically suggested confirmation level on a per-issue basis. Contact [email protected] if you have more in-depth questions about confirmation.
Too Many Issues
FOSSA was built to produce very few false positives so that you can continually run scans throughout your development process.
If you notice that you have a significant amount of false positives, that's a good sign that you may have not integrated FOSSA properly. Contact support for help.
Once you've identified an issue thread you want to fix, you have a few options to resolve them. Note, the options below will apply globally across all issues (and affected projects) referenced in a given thread. If you'd like to handle issues on a per-project basis, use the views provided in the Projects dashboard.
If you've identified a false positive, you can "ignore" an issue thread and provide notes:
Once ignored, the issue will move to the "Resolved" category and your notes will be present alongside an "undo" button:
If you noticed the issue was raised due to an inconsistency around component data you can use the tools available in the Component / Issue Details panel to make corrections before you ignore to ensure clean reports:
For some kinds of issues, FOSSA can also provide remediation suggestions or automated patches related to your build:
There are 4 kinds of remediations available:
|Update Component (Safe)||This remediation suggests a safe version update to a component that fixes an issue. It will ask you to run a command or update build configuration files / manifests in order to change build behavior to update a direct / deep dependency.|
|Remove Component (Unsafe)||This remediation suggests a removal of a component in order to fix an issue. It will ask you to run a command or update build configuration files / manifests in order to remove a component from your build. FOSSA will provide path data so you can validate if / how the dependency is being used.|
|Auto-Fix (Safe)||If an issue can automatically be fixed, FOSSA will provide an "auto-fix" button that will generate a patch that you can submit to your VCS.|
|Manual Remediation||FOSSA will suggest a human action to fix an issue (i.e. contacting the component author or manually investigating your build).|
These remediation suggestions will also be available inline when exporting issues into tickets or work items.
You can also export a group of issues into a single ticket using the "Create Ticket" button:
This will create a ticket inside of your issue tracker (i.e. JIRA) and sync the status of all issues in FOSSA to it. This means that your issues are assigned to the "Triaged" category where FOSSA will wait until the ticket is resolved in your tracker before automatically resolving the issue in FOSSA.
Issue Tracker Configuration
Make sure an issue tracker is configured under your Account Settings in order to export issues using this method.
Some issues can be automatically fixed by known patches, upgrades or workarounds. Contact [email protected] if you're interested in this feature.
Premium Feature - Global Issue Dashboard
In a large-scale team, thousands of new 3rd-party components can be included or removed on a daily basis by developers, CI builds and more.
To help you manage this scale, FOSSA has a global Issue Dashboard that provides a centralized, aggregated feed of all components that are currently flagged across your organization. This view will intelligently group and prioritize issue alerts into logical "threads" to be resolved, exported or triaged together.
This feature is available in any upgraded subscription of FOSSA. Contact [email protected] for more details.
Updated about 1 month ago
Once you've resolved issues in your project, it's time to generate a Release Report: