If SOOS has identified an issue that you want to address in the future, or your team has determined it is not something that will be addressed, that issue can be suppressed to remove it from the New Issues or Pending Issues list. (See the note at the end of this article regarding suppressing from the Pending list.)
When issues are suppressed and removed from the New or Pending Issues list, they are also excluded from the Issue count metrics seen at the top of the Dashboard. The metrics are also adjusted if an issue is un-suppressed and rejoins the New Issues list. Look for the icon on the dashboard indicating the presence of suppressed issues.
- Select the Suppress icon for the issue of interest.
Note - The following fields are required and must be completed as accurately as possible because the entries map directly to VEX information reflected in SBOMs and/or VEX documents generated for your project.
- The user choosing to suppress the issue will be listed in the Suppressed By field; this cannot be changed.
- If the issue is being suppressed because it has been deemed a False Positive, check the corresponding box.
- Indicate an appropriate Suppression Justification to describe why the decision was made to suppress the issue.
- Indicate the Course of Action for handling the suppressed issue.
- Enter any additional Suppression Details to support the decision to suppress the issue.
- Use the Scope dropdown to select how extensively this CVE should be suppressed.
- Select Suppress to complete the action.
A suppressed issue will remain suppressed indefinitely unless a user takes action to un-suppress it. If an issue is un-suppressed, it will reappear on the New Issues list. Read here about locating your suppressed issues.
Once the issues have been suppressed, SOOS will immediately initiate a re-scan of the project. When the scan is complete, the suppressed issue(s) will be removed from the vulnerability stats in the dashboard on the Project Detail Page, and the Suppressed Issues icon will display the count of issues that have been suppressed in the project. Suppressed issues will also be removed from statistics on the main Developer Dashboard.
A note about suppressing Pending issues:
When a fix ticket is submitted to an integrated Issue Management System (see Researching your Issues) or a Pull Request is generated, it will be located in the Pending Issues list and will display a link to access the generated fix ticket and/or pull request.
When a pending issue is suppressed and moved to the Suppressed Issues list, the link to the fix ticket and/or pull request will be removed.
SOOS does not change the status of the pull request or fix ticket in the Issue Management System or GitHub; it is up to the user suppressing the issue to update the status.