Once you've identified that a project includes issues, you will want to investigate those issues to determine a course of action. 


  • From the SOOS Developer Dashboard, select any project displaying issues to access the full list of issues identified.
  • Locate the issue you want to address and click to expand the issue details.
  • When researching an issue for an SCA scan, you will be given the following information:
    • Identity of the issue (with 'exploitable' and 'fixes available' indicators if applicable)
    • When and where the issue was identified
    • When the vulnerability will be out of compliance if it isn't fixed in the designated amount of time
    • The severity of the issue
    • In which package and manifest the issue was identified 
      • Including direct links to the Dependency tab
    • A Research button linking to the Vulnerability Detail page to learn more about the identified vulnerability.
      • Vulnerability Detail pages are available only for CVE vulnerabilities. Policy violations, typos, and substitutions all display a list of reference links for further research.
    • The recommended solution for mitigation and details needed to make the recommended fix.
  • DAST scan issue details will display the following for each web vulnerability:
    • CWE associated with the vulnerability
    • When and where the issue was identified
    • The severity of the issue
    • A list of references providing additional information about the web vulnerability
    • The recommended solution for mitigation
    • In which endpoints within the application the vulnerability is found.
    • Evidence and parameter values
    • Request and response headers 
    • The curl command to reproduce the request
      [Screenshot: DAST web vulnerability issue detail view]
  • Suppressing an issue allows you to remove issues from the Open Issues that do not need to be immediately remediated. Read more about Suppressed Issues here.
  • Depending on your third party integrations, tickets can be created in JIRA, Azure DevOps, or GitHub, and/or pull requests can be sent to GitHub. 

Refer to our Fixing your issues article for more about creating fix tickets and pull requests.