SOOS Issues
Researching and Identifying Fixes
6min
Researching Specific Issue Types

Each issue type has its own page describing how to research and fix it:
- Vulnerability Issues
- Violation Issues
- Web Vulnerability (DAST) Issues
- Code (SAST) Issues
- Dependency Substitution Issues
- Unknown Package Issues
- Dependency Typo Issues

Package References

SCA, SBOM, and container scans all have a Package References section showing the source file (such as a manifest) and the package or packages in which the issue was detected. The package reference shown is the actual package introducing the issue, which may be a transitive rather than a direct dependency. To see the direct dependency (and the full introduction path or paths), click the package to view it in the Dependencies view.

SCA, SBOM, & Container Issues With Fixes

When viewing issues, Vulnerability Issues, Dependency Typo Issues, and Dependency Substitution Issues may have available fixes, shown with a "fix" icon (a green wrench and screwdriver). Vulnerabilities identified as exploitable are shown with an exploitability icon (a red shield with an exclamation mark).

[Screenshot: issues with fixes and/or exploitable]

SOOS detects fixes by following the version syntax rules of the selected package manager. Following these rules, SOOS locates newer package versions that are free of vulnerabilities and that satisfy the version syntax declared by every package in the introduction path. This means the versions shown not only fix the vulnerability that was found but also do not introduce another vulnerability, and they respect semver versioning rules.

For package managers like npm, where transitive dependencies cannot be updated directly, SOOS calculates a new sub-dependency tree that is free of vulnerabilities (for every package in the tree) all the way up to the direct dependency. SOOS calculates such a sub-tree for every introduction path of the transitive dependency, which often means upgrading several direct dependency packages at once.

If available updates are found, they are shown in the Fix section. See Creating Tickets & Pull Requests for more information on applying fixes.

[Screenshot: fix (newer versions) are available]

SCA, SBOM, & Container Issues Without Fixes

Because of the complexity of calculating new sub-trees while following semver rules, there are cases in which no upgrade of a direct dependency fixes a transitive dependency issue. Even for some direct dependencies with issues (or for package managers that do support transitive dependency updates), there may simply be no newer version to upgrade to. In these cases SOOS displays a message indicating that it could not find a suitable upgrade.

A ticket may still be created, but it will not include upgrade details. Alternatively, use the Creating Issue Suppressions & Attestations workflows to suppress the issue temporarily or permanently.

For npm specifically, when no transitive upgrade path is found, SOOS indicates that a package override may fix the issue, but warns that doing so may introduce compatibility issues: an override forces the transitive package to a version outside the range its parent declared, so the parent's own tests never ran against that combination. Run your own test suite after applying one.
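The following is an added example and not SOOS code; it is a small model of the fix search described in the two sections above. It builds a constructed npm-style registry (package, version, declared dependency ranges), a constructed set of vulnerable "name@version" nodes, and a constructed manifest, all with invented names. For each direct dependency whose resolved tree contains a vulnerable node it looks for the lowest newer version of that direct dependency whose whole sub-tree resolves clean, skipping candidates that merely swap one vulnerability for another; where no such version exists it names the vulnerable transitive package and the newest clean version an npm override could force. The range matcher supports only caret, tilde and exact ranges, a subset of what node-semver accepts.

```javascript
// Added example, not SOOS code: a toy model of the fix search described above.
// Constructed registry: package -> version -> declared dependency ranges. All names and versions invented.
const REGISTRY = {
  "web-framework": {
    "1.0.0": { deps: { "cookie-parser": "^1.0.0" } },
    "1.1.0": { deps: { "cookie-parser": "^1.0.0" } },
    "1.2.0": { deps: { "cookie-parser": "^2.0.0", "tmp-util": "^0.1.0" } }, // fixes one issue, pulls in another
    "2.0.0": { deps: { "cookie-parser": "^2.0.0" } },
  },
  "legacy-lib": { "1.0.0": { deps: { "cookie-parser": "^1.0.0" } } }, // no newer release exists
  "cookie-parser": { "1.0.0": { deps: {} }, "1.0.2": { deps: {} }, "2.0.0": { deps: {} }, "2.0.1": { deps: {} } },
  "tmp-util": { "0.1.3": { deps: {} } },
};
// Constructed vulnerability data: "name@version" nodes known to be affected.
const VULNERABLE = new Set(["cookie-parser@1.0.0", "cookie-parser@1.0.2", "tmp-util@0.1.3"]);
// Constructed manifest (direct dependencies); ~1.1.0 pins web-framework to 1.1.0 at resolve time.
const MANIFEST = { "web-framework": "~1.1.0", "legacy-lib": "^1.0.0" };

const parse = (v) => v.split(".").map(Number); // "1.2.3" -> [1, 2, 3]
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Does version v satisfy range r? Supports ^, ~ and exact only (a small subset of node-semver).
function satisfies(v, r) {
  const op = r[0] === "^" || r[0] === "~" ? r[0] : "";
  const base = op ? r.slice(1) : r;
  if (cmp(v, base) < 0) return false;
  if (!op) return cmp(v, base) === 0;
  const [vMaj, vMin] = parse(v), [bMaj, bMin] = parse(base);
  if (op === "~") return vMaj === bMaj && vMin === bMin;
  return bMaj > 0 ? vMaj === bMaj : vMaj === 0 && vMin === bMin; // ^0.x pins the minor
}

// npm-style resolution: the highest published version that satisfies the range, or null.
function resolve(registry, name, range) {
  const ok = Object.keys(registry[name] || {}).filter((v) => satisfies(v, range));
  return ok.sort(cmp).pop() || null;
}

// Every "name@version" node reachable from name@version, or null if some range is unsatisfiable.
function subtree(registry, name, version, seen = new Set()) {
  const id = `${name}@${version}`;
  if (seen.has(id)) return [];
  seen.add(id);
  const nodes = [id];
  for (const [dep, range] of Object.entries(registry[name][version].deps)) {
    const rv = resolve(registry, dep, range);
    const sub = rv === null ? null : subtree(registry, dep, rv, seen);
    if (sub === null) return null;
    nodes.push(...sub);
  }
  return nodes;
}

const isClean = (nodes, vulnerable) => nodes !== null && nodes.every((n) => !vulnerable.has(n));

// Lowest version of a direct dependency newer than `current` whose entire resolved
// sub-tree has no vulnerable node: the "new sub dependency tree" the text describes.
function findFix(registry, vulnerable, name, current) {
  const newer = Object.keys(registry[name]).filter((v) => cmp(v, current) > 0).sort(cmp);
  return newer.find((v) => isClean(subtree(registry, name, v), vulnerable)) || null;
}

// For each direct dependency whose current tree has an issue: { current, fix }; fix === null means no upgrade path.
function planFixes(manifest, registry, vulnerable) {
  const plan = {};
  for (const [name, range] of Object.entries(manifest)) {
    const current = resolve(registry, name, range);
    if (current === null || isClean(subtree(registry, name, current), vulnerable)) continue;
    plan[name] = { current, fix: findFix(registry, vulnerable, name, current) };
  }
  return plan;
}

// When no upgrade path exists: the vulnerable transitive package and the newest clean version an npm
// "overrides" entry could force. The parent never declared support for it, so compatibility is not guaranteed.
function overrideCandidates(plan, registry, vulnerable) {
  const out = {};
  for (const [name, { current, fix }] of Object.entries(plan)) {
    if (fix !== null) continue;
    for (const node of subtree(registry, name, current) || []) {
      if (!vulnerable.has(node)) continue;
      const pkg = node.split("@")[0];
      const clean = Object.keys(registry[pkg]).filter((v) => !vulnerable.has(`${pkg}@${v}`)).sort(cmp);
      out[pkg] = clean.pop() || null;
    }
  }
  return out;
}

const PLAN = planFixes(MANIFEST, REGISTRY, VULNERABLE);
console.log(JSON.stringify({ plan: PLAN, overrides: overrideCandidates(PLAN, REGISTRY, VULNERABLE) }, null, 2));
```

With the constructed data, web-framework 1.1.0 is upgraded to 2.0.0 rather than 1.2.0, because 1.2.0 resolves a vulnerable tmp-util even though it moves cookie-parser to a clean major; legacy-lib has no newer release, so the only candidate is an override forcing cookie-parser to 2.0.1, which the text rightly flags as a compatibility risk. A real implementation would also need full node-semver range syntax, lockfile-aware resolution and peer dependencies, none of which this model handles.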