If SOOS has identified an issue that you want to address in the future, or your team has determined it is not something that will be addressed, that issue can be removed from the Unaddressed or Pending list by attesting it.  (See the note at the end of this article regarding attesting from the Pending list.)

When issues are attested and removed from the Unaddressed or Pending Issues list, they are also excluded from the Issue count metrics seen at the top of the Dashboard.

  1. Select the Attest icon for the issue of interest.

    Note - The following fields are required and must be completed as accurately as possible, because the entries map directly to the VEX information reflected in SBOMs and/or VEX documents generated for your project.

  2. The user choosing to suppress the issue will be listed in the Attestation By field; this cannot be changed.
  3. If the issue is being suppressed because it has been deemed a False Positive, check the corresponding box.
  4. Indicate an appropriate Attestation Justification to describe why the decision was made to attest the issue. 
  5. Indicate the Course of Action for handling the attested issue.
  6. Enter any additional Attestation Detail to support the decision to attest the issue.
  7. Use the Scope dropdown to select how extensively this CVE should be attested.
  8. Select Attest to complete the action.

An attested issue will remain suppressed indefinitely unless a user takes action to remove the attestation. If this occurs, the issue will reappear on the Unaddressed list.  Read here about locating your attested issues.

A toaster message will confirm the issue attestation.  Rescan the project to recalculate the project metrics and remove the attested issue from the issue count. 

 

A note about attesting Pending issues:
When a fix ticket is submitted to an integrated Issue Management System (see Researching your Issues) or a Pull Request is generated, the issue will be located in the Pending list and will display a link to access the generated fix ticket and/or pull request.

When a pending issue is attested and moved to the Attested list, the link to the fix ticket and/or pull request will be removed.

SOOS does not change the status of the pull request or fix ticket in the Issue Management System or GitHub; it is up to the user attesting the issue to update the status.