
What are they?

When a security flaw in an open source package is discovered by software developers or other members of the cybersecurity community, it is reported as a vulnerability and assigned a CVE identifier.  CVE records are added to a number of publicly accessible vulnerability databases, such as the National Vulnerability Database (NVD) and the GitHub Advisory Database.  When SOOS performs an SCA scan of your package manifests, it compares the packages and versions you depend on against the packages and affected version ranges listed in these databases.  Where there is a match, SOOS reports it to you as a vulnerability.
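The matching step above, as an added example (this is not SOOS's own scanner or matching logic): a small Python script that parses a pinned requirements manifest and checks each package against advisory records written in the "affected range" shape used by the OSV and GitHub Advisory Database feeds. The manifest, package names, versions and advisory identifiers are all constructed for this illustration and do not refer to real packages or real CVEs.

```python
"""Added example, not SOOS code: a minimal SCA-style manifest matcher.

Parses a requirements.txt-style manifest, then checks each pinned package
against a constructed advisory list whose "ranges" follow the OSV/GHSA
convention: a version is affected if introduced <= version < fixed.
All package names, versions and advisory IDs below are fictional.
"""
import re
from typing import Dict, List, Tuple

# Constructed manifest (requirements.txt style). Fictional packages.
MANIFEST = """\
# requirements.txt (constructed sample)
examplelib==1.4.2
netparse==0.9.0
safetools==2.0.1
"""

# Constructed advisory records modelled on the OSV "affected" shape.
ADVISORIES = [
    {
        "id": "EXAMPLE-2024-0001",  # fictional identifier, not a real CVE
        "package": "examplelib",
        "ranges": [{"introduced": "0", "fixed": "1.4.3"}],
        "summary": "constructed: remote code execution via crafted input",
    },
    {
        "id": "EXAMPLE-2024-0002",  # fictional identifier, not a real CVE
        "package": "netparse",
        "ranges": [{"introduced": "0.5.0", "fixed": "0.8.0"}],
        "summary": "constructed: denial of service in parser",
    },
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Shorter versions are zero-padded to three parts so 1.4 == 1.4.0.
    """
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {package: version} for exactly pinned ('==') lines only."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def version_in_range(version: str, rng: dict) -> bool:
    """True if version lies in [introduced, fixed); no 'fixed' means open-ended."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    fixed = rng.get("fixed")
    return fixed is None or v < parse_version(fixed)


def find_vulnerabilities(pins: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Match installed pins against advisories; one finding per affected package."""
    findings = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed is None:
            continue  # package not in the manifest
        for rng in adv["ranges"]:
            if version_in_range(installed, rng):
                findings.append({
                    "package": adv["package"],
                    "installed": installed,
                    "advisory": adv["id"],
                    "fixed_in": rng.get("fixed"),  # the version to update to
                })
                break
    return findings


def scan(manifest_text: str = MANIFEST, advisories: List[dict] = ADVISORIES) -> List[dict]:
    """Parse the manifest and return the list of matched vulnerabilities."""
    return find_vulnerabilities(parse_requirements(manifest_text), advisories)


if __name__ == "__main__":
    for f in scan():
        print(f"{f['package']}=={f['installed']}: {f['advisory']} (fixed in {f['fixed_in']})")
```

Running it reports only examplelib: netparse 0.9.0 is already past the fixed version 0.8.0, and safetools has no advisory. The `fixed_in` field is the piece of the record a remediation recommendation is built from, since updating to at least that version takes the package out of the affected range.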

How does that affect my code?

Vulnerabilities can expose your code and your users to a range of attacks, including remote code execution, unauthorized data access, system compromise, and more.

What can I do about it?

Vulnerabilities can often be fixed by updating to a newer version of the vulnerable package.  Follow the fix recommendations included in the Vulnerability issue details displayed in the SOOS app.