Before starting the process of fixing your issues, you may want to first research your issues to determine an appropriate course of action.

When viewing the Project Detail page, Vulnerabilities, Dependency Typos, and Dependency Substitutions with available fixes will display a 'fix' icon.  Vulnerabilities that are identified as 'exploitable' will be shown with an exploitability icon.

Vulnerabilities with exploitable and available fix icons

By integrating with Jira, Azure DevOps, Shortcut, or GitHub, SOOS can generate fix tickets and/or pull requests for your team to triage and implement at their own discretion. 

A Create Ticket button will be available at the bottom of the issue detail view for accounts integrated with Jira, Azure DevOps, Shortcut, or GitHub. A Create Pull Request button will also be available if the account is integrated with GitHub. These buttons are visible but disabled when the corresponding integration has not been completed.

 Vulnerability issue detail with create ticket and create pull request buttons

  1. Use the Syntax dropdown to select either Update or Manifest. SOOS will present the fix information in the syntax that corresponds to the selected format.
  2. Select the desired package version to include in the fix information.

To create a fix ticket

  1. To push fix information to an integrated issue management system, select Create Ticket.
  2. SOOS will display the Title and Description contents for the ticket to be submitted. Notice that the fix information in the chosen syntax is included. Both the title and description can be edited by the user to enhance or modify the information that will display in the ticketing system.
  3. Select Create when complete.
    • For GitHub integrations only - If both a fix ticket and a pull request are desired, select the Create Pull Request checkbox at the bottom of the window to perform both actions together.

Create fix ticket window

Note:
  • Some issues may not have a vulnerability-free package version available to implement. SOOS will indicate when this occurs and will not include the Syntax selection option.
    • A ticket may still be created to allow developers to research and fix independently.
    Vulnerability issue detail with no available fix
  • DAST web vulnerabilities will also not include the Syntax selection, but will provide recommended actions to take to correct the identified vulnerability, and will allow a ticket to be created for developers to follow up on (if integrated).
    Web Vulnerability issue detail

To create a pull request

  1. To send a pull request to GitHub, independent of a fix ticket, select Create Pull Request.
  2. SOOS will automatically create a pull request in GitHub and display the following message to indicate a successful pull request generation.  Read our GitHub Pull Requests article for details about this feature.
    Successful pull request creation message

Keeping track of pending fixes

  1. Once a ticket or pull request is created, it will get moved to the Pending list.  The issue will now display a link that can be used to view the corresponding ticket and/or pull request. (Note the example below does not have an associated pull request.)

  2. The next time SOOS runs a scan and no longer finds the issue, it will be moved to the Resolved Issues list.

Move Pending issues back to Unaddressed

  1. Users may wish to move pending issues back to the Unaddressed list for a number of reasons. To do this, select the corresponding button seen at the bottom of any issue in the Pending list.
    Note: This will break the link with the issue tracking ticket, but will not delete it from the issue tracking system.
    If a linked ticket has been accidentally deleted from the issue tracking system, use this process to move the issue back to the Pending list, and follow the process outlined above to create a new fix ticket.