Issues Overview

SourceClear Software Composition Analysis

Issues are the essential components of SourceClear which allow users to track and take action on vulnerabilities, out-of-date libraries, and software licensing concerns for a specific software project’s open-source libraries. Issues are unique to a specific project as well as the library and corresponding version. For example, the screenshot below corresponds to an issue within the srcclr/test-java-maven project for version 3.2.0.RELEASE of the spring-security-web library:

If this library is updated to a different version that also includes the same vulnerability, SourceClear creates a new issue that references the new version. The new issue automatically replaces the old issue because the older version is no longer in use. For example, in the screenshot below, the Issue ID number is different from the screenshot above because version 3.2.1.RELEASE of spring-security-web is being used:

View Issue Details

Because issues uniquely relate to a specific library and version, the details for an issue make it much easier to fix. Use the following steps to view the details of an issue:

  1. Go to the workspace for which you want to view issues and either select the Issues tab on the left navigation menu, or select the individual project for which you want to view issue details.
  2. In the list of issues, select the Issue ID link of the issue for which you want to see details.
  3. You are presented with the details of the issue, which can include library fix information for vulnerabilities, license details for license violations, and update information for out-of-date libraries.

Perform Action on Issues

Issues can be tracked within your issue tracking systems such as GitHub issues or Jira. If you determine an issue to be irrelevant or unimportant, you can also choose to ignore it so that subsequent scans do not display the issue despite the library still existing in your repository.

To take action on an issue:

  1. From the relevant workspace, either select the Issues tab on the left navigation menu, or select the individual project with issues you want to take action on.
  2. After clicking the Project or Issues tab, you see a list of issues, which you can filter by specifying an issue type, severity, issue status, or various other attributes using the checkboxes at the top of the issue list. To take action, select the checkbox next to the issue and click the green Actions button.
  3. You now have the option either to ignore the issue, so that it does not appear in subsequent scans, or to select an issue tracker you have integrated with SourceClear, to which the issue data is sent.

What Are Vulnerabilities?

Vulnerabilities represent the set of security concerns across a project or workspace. Unlike issues of type Vulnerability, SourceClear counts each vulnerability only once within the context of a workspace, even if the same library and corresponding vulnerabilities exist across multiple projects. Also, you cannot ignore vulnerabilities, which means the number of vulnerabilities could be greater than the number of issues of type Vulnerability.
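The counting rules described above (an issue is unique to a project, library and version and is replaced by a new issue with a new ID when the version changes; ignored issues stay hidden on later scans; a vulnerability is counted once per workspace and cannot be ignored) are easier to see in a small model. The following is an added example, not SourceClear's own code or data model; the `Workspace`, `Finding` and `record_scan` names, the second project `srcclr/other-service` and the vulnerability identifier `VULN-A` are all constructed for illustration.

```python
"""Toy model of the issue and vulnerability counting rules described on the page.

Added example, not SourceClear's code. Project names, library versions and the
vulnerability identifier are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    """One vulnerable library version observed in a project's scan (constructed)."""
    project: str
    library: str
    version: str
    vuln_id: str  # hypothetical vulnerability identifier, e.g. "VULN-A"


@dataclass
class Workspace:
    issues: dict = field(default_factory=dict)   # Finding -> issue ID
    ignored: set = field(default_factory=set)    # Findings whose issue the user ignored
    _next_id: int = 1

    def record_scan(self, project: str, findings: list) -> list:
        """Apply the latest scan for `project`; return the IDs of issues opened."""
        current = {f for f in findings if f.project == project}
        # An issue references one library version. If that version is no longer
        # in use, the old issue is retired rather than kept open.
        stale = [g for g in self.issues if g.project == project and g not in current]
        for g in stale:
            del self.issues[g]
            self.ignored.discard(g)
        opened = []
        for f in sorted(current, key=lambda x: (x.library, x.version, x.vuln_id)):
            if f not in self.issues:          # same finding on a rescan keeps its ID
                self.issues[f] = self._next_id
                self._next_id += 1
                opened.append(self.issues[f])
        return opened

    def ignore(self, issue_id: int) -> None:
        """Hide an issue on subsequent scans while the library remains in use."""
        for f, iid in self.issues.items():
            if iid == issue_id:
                self.ignored.add(f)
                return
        raise KeyError(issue_id)

    def open_issues(self) -> dict:
        """Issues shown in the Issues list: per project+library+version, ignored ones hidden."""
        return {iid: f for f, iid in self.issues.items() if f not in self.ignored}

    def vulnerabilities(self) -> set:
        """Workspace-level vulnerabilities: each counted once, ignores do not apply."""
        return {f.vuln_id for f in self.issues}


def demo() -> dict:
    """Walk through the page's scenario and return the counts at each step."""
    ws = Workspace()
    a_old = Finding("srcclr/test-java-maven", "spring-security-web", "3.2.0.RELEASE", "VULN-A")
    b = Finding("srcclr/other-service", "spring-security-web", "3.2.0.RELEASE", "VULN-A")
    ws.record_scan("srcclr/test-java-maven", [a_old])   # opens issue 1
    ws.record_scan("srcclr/other-service", [b])         # opens issue 2: same vuln, other project
    after_two = (len(ws.open_issues()), len(ws.vulnerabilities()))   # 2 issues, 1 vulnerability

    # Project updates to 3.2.1.RELEASE, still affected: issue 1 is replaced by issue 3.
    a_new = Finding("srcclr/test-java-maven", "spring-security-web", "3.2.1.RELEASE", "VULN-A")
    new_ids = ws.record_scan("srcclr/test-java-maven", [a_new])
    replaced = (1 not in ws.open_issues(), new_ids)

    # Ignore both remaining issues; a rescan keeps them hidden, but the
    # vulnerability is still counted, so vulnerabilities exceed open issues.
    ws.ignore(new_ids[0])
    ws.ignore(2)
    ws.record_scan("srcclr/other-service", [b])
    final = (len(ws.open_issues()), len(ws.vulnerabilities()))   # 0 issues, 1 vulnerability
    return {"after_two": after_two, "replaced": replaced, "final": final}


if __name__ == "__main__":
    print(demo())
```

The `final` step is the case the page calls out: once issues are ignored, the workspace's vulnerability count (1) is greater than its count of open issues of type Vulnerability (0), while `after_two` shows the opposite ordering when the same vulnerability is open in two projects.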

View Vulnerability Details

Viewing vulnerability details allows you to see information about a specific vulnerability across all affected versions, such as the libraries in which SourceClear has found it.

To view vulnerability details:

  1. From the relevant workspace, either select the Vulnerabilities tab on the left navigation menu, or select the individual project whose vulnerabilities you want to view details for.
  2. In the list of vulnerabilities, select the Vulnerability link for a given issue:

  3. Clicking this link takes you to the SourceClear Vulnerability Database where you can view the vulnerability details in the left navigation menu.

What Are Licenses?

Licenses consist of the software license information associated with each open-source library in use. SourceClear maintains license information by keeping in sync with the open-source library repositories mentioned above. This information can help you avoid issues relating to copyleft licenses or keep track of the licenses in use across a set of libraries.