Triaging Issues

The Issues page (found within a report or globally) provides a feed of alerts generated against the dependencies of projects you've added to FOSSA.

FOSSA can scan for a variety of issues depending on what features you've enabled:

Issue TypeDescriptionProduct Suite
Unlicensed DependencyFlagged against unlicensed code, which by default is copyrighted to the original author.Compliance
Policy FlagFlagged against licenses that require review.Compliance
Policy ConflictFlagged against licenses violating use case (policy deny).Compliance
Missing AttributionFlagged if your codebase is missing compliance documentation.Compliance
VulnerabilitiesFlagged against vulnerable dependencies (CVE or Custom)Security
Minor Outdated DependencyFlagged if components are outside a specified version window.Quality
Major Outdated DependencyFlagged if components are outside a specified version window.Quality

👍

To enable a missing Product Suite, contact [email protected]

Using the Dashboard

1215

Issue Dashboard Preview

On the left-hand side of the Issue Dashboard, FOSSA provides an inbox of Issue Threads, which are groups of similar issues that can be triaged and resolved together. These threads will automatically be organized and prioritized by type and severity.

📘

For easy browsing, you can use the up/down keys on your keyboard to quickly navigate across issue threads.

Understanding Issue Reports

Once you've selected an issue thread, FOSSA will display a report on the right hand side detailing information and action about the issues:

1516

The report displays the following sections (in order)

1. Issue Summary
A description about the issue and why it was flagged.

2. Status Notes (optional)
Notes listed from an issue triage action, only displayed if the issue was previously resolved.

3. Component / Issue Details
A rich UI that displays details about the component and relevant data inside of it related to the issue. For many types of issues, there will be tools to "make corrections" to data or edit settings before ignoring the issue.

4. Affected Applications
A list of applications ("Projects") in your organization that are currently affected by these issues in the latest release.

5. General Notes
Comments from other team members about this component.

Understanding Issue Confirmation Levels

Under Affected Applications, FOSSA provides Issue Confirmation Levels to help your team easily confirm and prioritize issues during triage:

1582

This section gives you a sense of which issues are the most likely to affect your team and need attention based off the following levels:

Confirmation Level
UnconfirmedThis issue exists in your ecosystem, but we have found no specific evidence it is referenced to in your application.
ReferencedThis issue deals with a component that is statically referenced by a package manifest (top level, or from traversing deep dependencies) within your affect application. A production build may or may not exclude this component (i.e. a test or mediated dependency).
IncludedThis issue deals with a component that we've confirmed is included in a production build by dynamically observing the build process.
AccessibleThis issue is confirmed to be accessible to users in distributed applications or build artifacts.
ConfirmedThis issue has been manually confirmed.

FOSSA determines these levels by reflecting on how it discovered your dependency. If a dependency was reported using one method of code analysis over another, FOSSA can infer how "material" the issue alert is based off the technical implementations of those strategies.

Users can always manually "override" an automatically suggested confirmation level on a per-issue basis. Contact [email protected] if you have more in-depth questions about confirmation.

🚧

Too Many Issues

FOSSA was built to produce very few false positives so that you can continually run scans throughout your development process.

If you notice that you have a significant amount of false positives, that's a good sign that you may have not integrated FOSSA properly. Contact support for help.

Remediating Issues

Once you've identified an issue thread you want to fix, you have a few options to resolve them. Note, the options below will apply globally across all issues (and affected projects) referenced in a given thread. If you'd like to handle issues on a per-project basis, use the views provided in the Projects dashboard.

Ignoring Issues / Correcting Data

If you've identified a false positive, you can "ignore" an issue thread and provide notes:

1292

Once ignored, the issue will move to the "Resolved" category and your notes will be present alongside an "undo" button:

1524

If you noticed the issue was raised due to an inconsistency around component data you can use the tools available in the Component / Issue Details panel to make corrections before you ignore to ensure clean reports:

664 1590

Suggested Remediations / Patches

For some kinds of issues, FOSSA can also provide remediation suggestions or automated patches related to your build:

1532

There are 4 kinds of remediations available:

TypeDescription
Update Component (Safe)This remediation suggests a safe version update to a component that fixes an issue. It will ask you to run a command or update build configuration files / manifests in order to change build behavior to update a direct / deep dependency.
Remove Component (Unsafe)This remediation suggests a removal of a component in order to fix an issue. It will ask you to run a command or update build configuration files / manifests in order to remove a component from your build. FOSSA will provide path data so you can validate if / how the dependency is being used.
Auto-Fix (Safe)If an issue can automatically be fixed, FOSSA will provide an "auto-fix" button that will generate a patch that you can submit to your VCS.
Manual RemediationFOSSA will suggest a human action to fix an issue (i.e. contacting the component author or manually investigating your build).

These remediation suggestions will also be available inline when exporting issues into tickets or work items.

Exporting Issues to a Ticket

You can also export a group of issues into a single ticket using the "Create Ticket" button:

1252

This will create a ticket inside of your issue tracker (i.e. JIRA) and sync the status of all issues in FOSSA to it. This means that your issues are assigned to the "Triaged" category where FOSSA will wait until the ticket is resolved in your tracker before automatically resolving the issue in FOSSA.

🚧

Issue Tracker Configuration

Make sure an issue tracker is configured under your Account Settings in order to export issues using this method.

Auto-Fixing

Some issues can be automatically fixed by known patches, upgrades or workarounds. Contact [email protected] if you're interested in this feature.

👍

Premium Feature - Global Issue Dashboard

In a large-scale team, thousands of new 3rd-party components can be included or removed on a daily basis by developers, CI builds and more.

To help you manage this scale, FOSSA has a global Issue Dashboard that provides a centralized, aggregated feed of all components that are currently flagged across your organization. This view will intelligently group and prioritize issue alerts into logical "threads" to be resolved, exported or triaged together.

This feature is available in any upgraded subscription of FOSSA. Contact [email protected] for more details.


What’s Next

Once you've resolved issues in your project, it's time to generate a Release Report: