Reviewing Licensing Issues

Issues provides the central inbox for both global issues across all projects and all issues within a specific project.

From the main Issues tab, you can navigate to your Licensing Issues.

❗️

IMPORTANT

Issues are no longer classified as Resolved. They are now set to Ignored as it is more apt in describing what the action actually accomplishes. Any previously Resolved issues appear as Ignored.

In this article, you learn about filtering and sorting options, as well as the bulk actions you can take to address the identified issues.

🚧

TIP

You can refer to Creating Tickets and Ignoring Issues for more information on completing bulk actions.

Regardless of the type of issue you are reviewing, all issues are automatically filtered into two tabs:

  • Active - All issues that require additional attention
  • Ignored - Issues that have been reviewed and ignored

Filtering Options

You have multiple filters to refine your search.

Filter Groups

Depth

| Filter Type | Description |
|---|---|
| Direct | Filter issues that are direct dependencies. |
| Transitive | Filter issues that are transitive dependencies. |

Ticket

| Filter Type | Description |
|---|---|
| Ticketed | Filter issues that already have a ticket associated. |
| Not Ticketed | Filter issues that have no associated tickets. |

Issue Type

| Filter Type | Description |
|---|---|
| Denied | Filter Licensing issues that are denied. |
| Flagged | Filter Licensing issues that have been flagged. |
| Unlicensed | Filter Licensing issues that have been listed as unlicensed. |

License Identification

| Filter Type | Description |
|---|---|
| Declared | Filter Licensing issues that are found in Declared licenses only. |
| Discovered | Filter Licensing issues that are found in Discovered licenses only. |

Ignored Type

Please see the auto-ignored section for more details.

| Filter Type | Description |
|---|---|
| Manual | An issue ignored manually by the user. |
| Auto-ignored | An issue ignored via "auto-ignore in all versions". |

📘

NOTE

You can select Reset all filters to remove existing filters at any time to display all identified issues.

Sorting Options

Depending on the number of issues that are listed in your central inbox, it is helpful to sort issues based on specific criteria to support your remediation process. You can sort Issues based on:

  • When the Issue was found by FOSSA (newest to oldest or oldest to newest)
  • The package name (ascending or descending alphabetical order)

📘

NOTE

Under the Licensing issues tab, the default sorting is set to Package name (A to Z). Under the Security issues tab, the default sorting is set to Severity (Highest to lowest).

Issue Actions

You can initiate actions by selecting the checkbox next to any issue, giving you access to the action menu.

❗️

Important

Available actions will depend on product type (licensing, security, quality), issue status (active, ignored), issue scope (global, release group, project), and action type (individual, bulk). Please see the table below for a detailed breakdown.

| Action | Description | Action type(s) | Product type(s) | Issue status | Issue scope(s) |
|---|---|---|---|---|---|
| Ignore (in current versions only) | Ignore the selected issue(s) for the current semantic version of the affected package. Doing so will ignore in only the selected, affected project(s). A new project revision containing any other semantic version of the package will generate a new active issue. | individual, bulk | licensing, security, quality | active | global, release group, project |
| Ignore (Auto-ignore in all versions) | Only available for individual project issues. Ignore the detected issue for all semantic versions of the affected package. Doing so will ignore in only the selected, affected project. Doing so will only apply to the selected issue type (Denied/Flagged license or a CVE). A new project revision containing any other semantic version of the package will be auto-ignored. Please see the auto-ignored section for full details. | individual | licensing, security | active | project |
| Create ticket | Create a ticket (JIRA) containing all selected issues. Please see Creating a Jira Ticket for full usage and configuration details. Doing so with a previously ticketed issue(s) selected will link to the new ticket only. | individual, bulk | licensing, security, quality | active, ignored | global, release group, project |
| Unlink ticket | Remove the association between the selected issue(s) and any linked tickets. | individual, bulk | licensing, security, quality | active, ignored | global, release group, project |
| Download CSV | Download a CSV containing all selected issues scoped by issue status (active or ignored). | individual, bulk | licensing, security, quality | active, ignored | global, release group, project |
| Unignore | Change selected issue(s) status from ignored to active. Note doing so will not end any existing auto-ignore rules. Please see the auto-ignore section for more details on stopping auto-ignore rules. | individual, bulk | licensing, security, quality | ignored | global, release group, project |

Bulk Actions

You can act on more than one issue at a time across all affected projects by using Select all or by checking the boxes of the applicable issues in the global issues view.

❗️

IMPORTANT

This functionality replaces the Resolve in All Projects option when ignoring an issue in a particular project and the issue is found in other projects.

Auto-ignore

📘

Private Beta

The Auto-ignore feature is currently in private beta. Please contact your dedicated CSM or FOSSA Support to enable it.

In order to persist an ignore decision across all versions of a package, we have introduced a functionality to auto-ignore issues. Given the potential for unintended acceptance of risk by ignoring in all versions, we have introduced the following limitations:

  • Individual issue only
  • Project issue detail or single issue selected
  • Project scope only

Auto-ignore is scoped to the combination of:

  • Package
  • Project
  • Issue type

Applicable issue types:

  • Denied license
  • Flagged license
  • Any CVE (security issue)

Example

Licensing Example
Our sample project P uses the following versions of package glob:

When we ignore an individual issue:

We are prompted with the option to "Auto-ignore in all versions". Based on our example, we will auto-ignore any Flagged CC-BY-SA-4.0 (Creative Commons Attribution-ShareAlike 4.0 International) license, detected in any version (7.1.4, 7.1.6, 7.2.3) of glob for only project P.

Result:

Notice we now have 0 active issues and 3 auto-ignored issues. In any future revision of Project P that contains any other version of glob, an issue for the Flagged license CC-BY-SA-4.0 will be auto-ignored.

Security issues are scoped by the ignored CVE rather than the detected license violation.

📘

TIP

We have added an ignored type filter to Ignored issue inboxes to quickly filter to auto-ignored issues.
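
The difference between the two ignore scopes, modeled as an added example (this is not FOSSA's code or API, only a sketch of the rules described on this page). The Issue fields, project Q, version 8.0.0 and the GPL-3.0-only issue are constructed for illustration, and keying the rule on the specific license or CVE is an assumption read from the example above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Issue:
    project: str
    package: str
    version: str
    issue_type: str  # "flagged", "denied" or "cve"
    subject: str     # license ID or CVE ID the issue is about

def version_key(i):
    # "Ignore (in current versions only)": pinned to one package version.
    return (i.project, i.package, i.version, i.issue_type, i.subject)

def rule_key(i):
    # "Auto-ignore in all versions": package + project + issue type, no version.
    # Including the license/CVE in the key is an assumption read from the example.
    return (i.project, i.package, i.issue_type, i.subject)

def classify(issues, version_ignores=(), auto_rules=()):
    """Return the inbox status of each issue, in input order."""
    out = []
    for i in issues:
        if rule_key(i) in auto_rules:
            out.append("auto-ignored")
        elif version_key(i) in version_ignores:
            out.append("ignored")
        else:
            out.append("active")
    return out

# Issues from the page's example: project P, glob, Flagged CC-BY-SA-4.0.
CURRENT = [Issue("P", "glob", v, "flagged", "CC-BY-SA-4.0")
           for v in ("7.1.4", "7.1.6", "7.2.3")]
# Constructed follow-up issues (not from the page).
LATER = [
    Issue("P", "glob", "8.0.0", "flagged", "CC-BY-SA-4.0"),  # new version, same project
    Issue("Q", "glob", "7.1.4", "flagged", "CC-BY-SA-4.0"),  # different project
    Issue("P", "glob", "8.0.0", "denied", "GPL-3.0-only"),   # different issue type
]

def statuses(mode):
    picked = CURRENT[0]  # the single issue the reviewer selected
    if mode == "auto-ignore":
        return classify(CURRENT + LATER, auto_rules={rule_key(picked)})
    return classify(CURRENT + LATER, version_ignores={version_key(picked)})

if __name__ == "__main__":
    for mode in ("current-version", "auto-ignore"):
        print(mode, statuses(mode))
```

With the auto-ignore rule, the later glob 8.0.0 issue in project P never reaches the Active tab, which is the accepted risk that the limitations above are meant to contain.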

Ending Auto-ignore

To end an auto-ignore rule, we must select any individual auto-ignored issue and unignore it.

🚧

Caution

Doing so will change the issue status of all auto-ignored issues for the selected package and project.

Issues Page

The UI has changed when accessing the details of a specific issue. To access the issue details, click the issue title.

The Issue page lists all the information to which you are accustomed based on the Issue type. For security this includes Vulnerable Dependency, Vulnerability Details, and Affected Projects.

📘

NOTE

You can now see other affected projects along with their statuses and associated tickets.