On the Configure page of the SOOS app, you can define your company's internal package naming convention, known as a Package Mask.

  • Package masks help SOOS identify your internally developed packages when SCA scans are performed. Adding package masks lets SOOS link related projects together and avoid gaps when generating dependency trees, because your internal packages are no longer shown as 'unknown' packages within the tree.
  • More importantly, masks let SOOS warn you about Dependency Substitution attacks (also called dependency confusion), in which a malicious actor publishes a public package with the same name as one of your internal packages, hoping that a build tool configured to search both a public and a private registry resolves the public copy instead.
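
The following is an added example, not SOOS code, showing what a package-mask check does behind the scenes: it classifies a dependency list as internal or external by mask, then flags internally named packages that also exist on a public registry or that were resolved from a host outside the trusted private registries. The mask syntax (shell-style wildcards), the `@acme/*`-style masks, the `.acme.internal` registry hosts, the dependency tuples and the public-index snapshot are all constructed assumptions for the demonstration; SOOS's own mask syntax and data model are not described on this page.

```python
"""Added example: glob-style package masks for classifying SCA dependencies
and flagging dependency-substitution candidates. Not SOOS code. The mask
syntax (shell-style wildcards), host names and sample data are assumptions."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed masks describing a hypothetical company's internal naming convention.
PACKAGE_MASKS = ["@acme/*", "acme-*", "Acme.Internal.*"]

# Constructed registry hosts that are allowed to serve internal packages.
TRUSTED_HOST_SUFFIXES = (".acme.internal",)

# Constructed dependency tree: (package id, version, registry URL it resolved from).
DEPENDENCIES = [
    ("@acme/auth-client", "2.1.0", "https://npm.acme.internal"),
    ("acme-logging", "1.4.2", "https://registry.npmjs.org"),   # internal name, public source
    ("left-pad", "1.3.0", "https://registry.npmjs.org"),
    ("Acme.Internal.Billing", "3.0.1", "https://nuget.acme.internal/v3/index.json"),
]

# Constructed snapshot of package names that exist on public registries.
PUBLIC_INDEX = {"acme-logging", "left-pad", "lodash"}


def matches_mask(package_id, masks=PACKAGE_MASKS):
    """True if the package id matches any mask (case-insensitive glob match)."""
    name = package_id.lower()
    return any(fnmatchcase(name, mask.lower()) for mask in masks)


def classify(deps, masks=PACKAGE_MASKS):
    """Split a dependency list into (internal, external) by mask match,
    so internal packages are never left as 'unknown' in the tree."""
    internal, external = [], []
    for pkg, ver, source in deps:
        bucket = internal if matches_mask(pkg, masks) else external
        bucket.append((pkg, ver, source))
    return internal, external


def _is_trusted_source(url, suffixes=TRUSTED_HOST_SUFFIXES):
    """True if the registry host of `url` ends with an allowed internal suffix."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host.endswith(suffix) for suffix in suffixes)


def substitution_risks(deps, masks=PACKAGE_MASKS, public_index=PUBLIC_INDEX,
                       suffixes=TRUSTED_HOST_SUFFIXES):
    """Return (package, version, reasons) for every mask-matching dependency
    that looks like a dependency-substitution candidate: the same name is
    published publicly, or the package was fetched from an untrusted host."""
    public_names = {name.lower() for name in public_index}
    risks = []
    for pkg, ver, source in deps:
        if not matches_mask(pkg, masks):
            continue  # public package: out of scope for this check
        reasons = []
        if pkg.lower() in public_names:
            reasons.append("same name is published on a public registry")
        if not _is_trusted_source(source, suffixes):
            reasons.append(f"resolved from untrusted registry {source}")
        if reasons:
            risks.append((pkg, ver, reasons))
    return risks


if __name__ == "__main__":
    internal, external = classify(DEPENDENCIES)
    print("internal:", [p for p, _, _ in internal])
    print("external:", [p for p, _, _ in external])
    for pkg, ver, reasons in substitution_risks(DEPENDENCIES):
        print(f"RISK {pkg}@{ver}: " + "; ".join(reasons))
```

Run with the constructed data, three of the four packages are classified as internal and only `acme-logging` is reported, for both reasons at once: a public package of that name exists and the build resolved it from the public registry rather than the private one. Checking the resolving host as well as the public index matters because a name that is not yet squatted can still be registered later; pinning internal names to the private registry (scoped registries, lockfile integrity hashes) closes that window.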

Define your packages settings


If different projects use different package masks, configure them by setting distinct project-level package masks. Read here about configuring project settings.

In the Dependencies tab, packages whose package IDs match a listed package mask are marked in the dependency tree with the following icon:

Internal package icon displayed on dependency tree