Researching and Identifying Fixes
SCA, SBOM, and Container scans will all have a package references section showing the source file (such as a manifest), and the package or packages where the issue was detected.
The package reference shown is the actual package introducing the issue, and may not be the direct dependency.
To view the direct dependency (and the full introduction path(s)), click the package to view it in the Dependency Tree.
When viewing the issues, Vulnerability Issues, Dependency Typo Issues, and Dependency Substitution Issues may have available fixes and will display a 'fix' icon (a green wrench and screwdriver). Vulnerabilities which are identified as 'exploitable' will be shown with an exploitability icon (a red shield with an exclamation mark).
SOOS detects fixes by following the version syntax rules for the selected package manager. Following these rules, SOOS will locate any newer package versions which are free of vulnerabilities and satisfy the version syntax for all packages in the introduction path (this means the versions shown not only fix the vulnerability that was found, but also do not introduce some other vulnerability, and they follow SemVer versioning rules).
For package managers like NPM, where transitive dependencies cannot be directly updated, SOOS will calculate a new sub-dependency tree that is free of any vulnerabilities (for any package in the tree), all the way up to the direct dependency.
SOOS will also calculate these new sub-trees for any introduction path for the transitive dependency, which often means upgrading multiple direct dependency packages.
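The sub-tree calculation described above, as an added example that is not SOOS code: it models a small npm-style registry and advisory list (both constructed for this example), resolves the sub-tree under each newer version of a direct dependency the way npm does (highest version inside each declared range), and keeps only the versions whose whole sub-tree is vulnerability-free. Only exact pins and caret ranges are understood; an empty result is the "no suitable upgrade" case.

```javascript
// Added example (not SOOS code): simplified model of the fix search for a transitive issue.
// Constructed registry: versions published per package and the ranges each version declares.
// Only exact pins and caret ranges (^x.y.z) are understood.
const REGISTRY = {
  web:    { '2.0.0': { parser: '^1.1.0' }, '2.1.0': { parser: '^1.1.0' }, '3.0.0': { parser: '^2.0.0' } },
  legacy: { '1.0.0': { parser: '^1.0.0' } },          // no newer release exists
  parser: { '1.1.0': {}, '1.2.0': {}, '2.0.0': {} },
};
// Constructed advisories: versions known to carry a vulnerability.
const VULNERABLE = { parser: new Set(['1.1.0', '1.2.0']), web: new Set(['2.1.0']) };

const parse = v => v.split('.').map(Number);
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
// SemVer caret rule: >= base, and the left-most non-zero component of base must not change.
function satisfies(v, range) {
  if (!range.startsWith('^')) return v === range;
  const base = range.slice(1);
  if (cmp(v, base) < 0) return false;
  const b = parse(base), c = parse(v);
  const k = b[0] !== 0 ? 0 : b[1] !== 0 ? 1 : 2;
  return b.slice(0, k + 1).every((n, i) => n === c[i]);
}
// npm picks the highest published version that satisfies the declared range.
function highest(pkg, range) {
  const ok = Object.keys(REGISTRY[pkg] || {}).filter(v => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}
// Resolve the sub-tree under pkg@version as [name, version] pairs; null if a range is unsatisfiable.
function resolve(pkg, version, tree = []) {
  tree.push([pkg, version]);
  for (const [dep, range] of Object.entries(REGISTRY[pkg][version])) {
    const v = highest(dep, range);
    if (v === null) return null;
    if (!tree.some(([p, w]) => p === dep && w === v) && resolve(dep, v, tree) === null) return null;
  }
  return tree;
}
const isClean = tree => tree.every(([p, v]) => !(VULNERABLE[p] && VULNERABLE[p].has(v)));
// Fix search: newer versions of the direct dependency whose whole sub-tree is vulnerability-free.
// An empty result is the "no suitable upgrade" case shown by the scanner.
function findFixVersions(directDep, currentVersion) {
  return Object.keys(REGISTRY[directDep])
    .filter(v => cmp(v, currentVersion) > 0).sort(cmp)
    .filter(v => { const t = resolve(directDep, v); return t !== null && isClean(t); });
}
console.log(findFixVersions('web', '2.0.0'));    // ['3.0.0']: web 2.1.0 is itself vulnerable
console.log(findFixVersions('legacy', '1.0.0')); // []: nothing newer than 1.0.0 is published
```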
If available updates are found, they will show in the Fix section. See Creating Tickets & Pull Requests for more information on applying fixes.
Because of the complexity in calculating new sub-trees and following SemVer rules, there are cases when a direct dependency cannot be upgraded to fix a transitive dependency issue. Even for some direct dependencies with issues (or package managers that support transitive dependency updates), there may not be a newer version available to upgrade to. In these cases, SOOS will display a message indicating that no suitable upgrade could be found.
In these cases a ticket may still be created, but it will not have upgrade details. Alternatively, use the Issue Suppression and Attestation workflows to temporarily or permanently suppress the issue.
For NPM specifically, when no transitive upgrade path is found, SOOS will indicate that a package override may fix the issue, but will warn that doing so may introduce compatibility issues.