SOOS Issues
SOOS Issue Types

Vulnerability Issues

What are they?

When a security flaw in an open source package is discovered by software developers or other members of the cybersecurity community, it is reported as a vulnerability and assigned a vulnerability identifier (typically a Common Vulnerabilities and Exposures, or CVE, identifier). CVE records are published in a number of publicly accessible vulnerability databases, such as the National Vulnerability Database (NVD) and the GitHub Advisory Database. During an SCA, SBOM, or Container scan, SOOS compares the packages it identifies against numerous vulnerability databases, including NVD, GitHub, and many more. Where a package name and version match an advisory, SOOS reports the match to you as a vulnerability.

Vulnerability issue details include the name and version of the package that introduced the vulnerability, a link for researching the vulnerability, the manifest or location where the vulnerable package was introduced, and, where one is available, a newer version to upgrade to.
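The matching step described above, as an added example (not SOOS's own code): a small matcher compares the package name and version found in a manifest against a constructed advisory list with affected and fixed version ranges, and emits the same fields a Vulnerability issue carries. The advisory ids, URLs and package data are constructed placeholders.

```python
"""Illustrative SCA-style matcher: compare packages found in a manifest
against a constructed advisory list and report vulnerability issues.
Added example; not SOOS's own matching logic."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # placeholder id, not a real CVE
    package: str
    introduced: tuple           # first affected version (inclusive)
    fixed: Optional[tuple]      # first fixed version (exclusive); None if no fix
    url: str                    # link to research the vulnerability

def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version: tuple, adv: Advisory) -> bool:
    """A version is affected if introduced <= version < fixed (or no fix)."""
    if version < adv.introduced:
        return False
    return adv.fixed is None or version < adv.fixed

def find_issues(manifest: str, packages: dict, advisories: list) -> list:
    """Return one issue per matching advisory, mirroring the fields shown in
    a Vulnerability issue: package, version, link, location, fix version."""
    issues = []
    for name, ver in packages.items():
        parsed = parse_version(ver)
        for adv in advisories:
            if adv.package == name and is_affected(parsed, adv):
                issues.append({
                    "package": name, "version": ver, "advisory": adv.advisory_id,
                    "link": adv.url, "location": manifest,
                    "fix_version": ".".join(map(str, adv.fixed)) if adv.fixed else None,
                })
    return issues

# Constructed sample data (placeholder ids and URLs, not real advisories).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "left-pad", (1, 0, 0), (1, 3, 0), "https://example.invalid/adv/0001"),
    Advisory("EXAMPLE-0002", "left-pad", (1, 0, 0), None, "https://example.invalid/adv/0002"),
    Advisory("EXAMPLE-0003", "lodash", (4, 0, 0), (4, 17, 21), "https://example.invalid/adv/0003"),
]
MANIFEST_PACKAGES = {"left-pad": "1.2.0", "lodash": "4.17.21", "express": "4.18.2"}

if __name__ == "__main__":
    for issue in find_issues("package.json", MANIFEST_PACKAGES, ADVISORIES):
        print(issue)
```

Note that the second advisory has no fixed version, so the matcher reports it with `fix_version` set to `None`; that is the case where updating alone cannot resolve the issue.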

How does that affect my code?

Vulnerabilities can expose your code and your users to a range of attacks, including remote code execution, unauthorized data access, system compromise, and more.

What can I do about it?

Vulnerabilities can often be fixed by updating to a newer version of the vulnerable package, following the fix recommendation shown in the Vulnerability issue details in the SOOS app. Creating Tickets & Pull Requests contains more information about selecting and applying fixes.