Issues Overview

SourceClear Software Composition Analysis

Issues are the essential components of SourceClear which allow users to track and take action on vulnerabilities, out-of-date libraries, and software licensing concerns for a specific software project’s open-source libraries. Issues are unique to a specific project as well as the library and corresponding version. For example, the screenshot below corresponds to an issue within the srcclr/test-java-maven project for version 3.2.0.RELEASE of the spring-security-web library:

If this library is updated to a different version that also includes the same vulnerability, SourceClear creates a new issue that references the new version. The new issue automatically replaces the old issue because the older version is no longer in use. For example, in the screenshot below, the Issue ID number is different from the screenshot above because version 3.2.1.RELEASE of spring-security-web is being used:

View Issue Details

Because issues uniquely relate to a specific library and version, the details for an issue make it much easier to fix. Use the following steps to view the details of an issue:

  1. Go to the workspace for which you want to view issues and either select the Issues tab on the left navigation menu, or select the individual project for which you want to view issue details.
  2. In the list of issues, select the Issue ID link of the issue for which you want to see details.
  3. You are presented with the details of the issue, which could include library fix information for vulnerabilities, license details for license violations, as well as update information for out-of-date libraries.

Perform Action on Issues

Issues can be tracked within your issue tracking systems such as GitHub issues or Jira. If you determine an issue to be irrelevant or unimportant, you can also choose to ignore it so that subsequent scans do not display the issue despite the library still existing in your repository.

To take action on an issue:

  1. From the relevant workspace, either select the Issues tab on the left navigation menu, or select the individual project with issues you want to take action on.
  2. After clicking the Project or Issues tab, you see a list of issues, which you can filter by specifying an issue type, severity, issue status, or various other attributes using the checkboxes at the top of the issue list. To take action, select the checkbox next to the issue and click the green Actions button.
  3. You now have the option to either ignore the issue to prevent it from appearing in subsequent scans, or select an issue tracker which you have integrated with to send the data from SourceClear.

What Are Vulnerabilities?

Vulnerabilities represent the set of security concerns across a project or workspace. Vulnerabilities differ from issues of type Vulnerability because each vulnerability is only counted once within the context of an entire workspace, even if the same library and corresponding vulnerabilities exist across multiple projects. In addition, vulnerabilities cannot be ignored, which means the number of vulnerabilities could be greater than the number of issues of type Vulnerability.
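The counting rules above (an issue is unique to a project, library and version; a new version gets a new issue that replaces the old one; ignoring hides an issue from later scans; vulnerabilities are deduplicated per workspace and are not affected by ignoring) are easy to get wrong when reconciling dashboard numbers. The following Python model is an added illustration written for this page, not SourceClear code or its API: the record layout, project names other than `srcclr/test-java-maven`, and the `VULN-EXAMPLE-*` identifiers are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scan result; constructed record layout, not SourceClear's schema."""
    project: str
    library: str
    version: str
    kind: str   # "Vulnerability", "Outdated library" or "License"
    ref: str    # advisory id or license name (sample values are placeholders)


class Workspace:
    """Model of issue vs. vulnerability counting as described in the text."""

    def __init__(self):
        self._ids = {}         # Finding -> issue id; a new version gets a new id
        self._next_id = 1
        self._current = {}     # project -> set of Findings from its latest scan
        self._ignored = set()  # Findings the user chose to ignore (survives rescans)

    def record_scan(self, project, findings):
        """Replace the project's issues with the latest scan's findings.
        Issues for library versions no longer in use simply stop appearing."""
        self._current[project] = set(findings)
        for f in findings:
            if f not in self._ids:
                self._ids[f] = self._next_id
                self._next_id += 1

    def issue_id(self, finding):
        return self._ids.get(finding)

    def ignore(self, finding):
        self._ignored.add(finding)

    def issues(self, kind=None):
        """Issue list view: current findings, minus ignored ones, optionally filtered by type."""
        out = []
        for findings in self._current.values():
            for f in findings:
                if f in self._ignored:
                    continue
                if kind is not None and f.kind != kind:
                    continue
                out.append(f)
        return sorted(out, key=self.issue_id)

    def vulnerabilities(self):
        """Workspace-level view: one entry per distinct advisory, ignoring does not apply."""
        return {f.ref for fs in self._current.values()
                for f in fs if f.kind == "Vulnerability"}


def demo():
    """Walk through the scenarios from the text and return the resulting counts."""
    ws = Workspace()
    p1 = "srcclr/test-java-maven"
    p2 = "example/other-project"  # constructed second project

    # First scan: spring-security-web 3.2.0.RELEASE carries a vulnerability.
    spring_320 = Finding(p1, "spring-security-web", "3.2.0.RELEASE",
                         "Vulnerability", "VULN-EXAMPLE-1")
    ws.record_scan(p1, [spring_320])
    first_id = ws.issue_id(spring_320)

    # Upgrade to 3.2.1.RELEASE, still vulnerable: new issue id, old issue gone.
    spring_321 = Finding(p1, "spring-security-web", "3.2.1.RELEASE",
                         "Vulnerability", "VULN-EXAMPLE-1")
    ws.record_scan(p1, [spring_321])
    second_id = ws.issue_id(spring_321)
    old_issue_still_listed = spring_320 in ws.issues()

    # Second project: same advisory again plus a second one; both get ignored.
    other_spring = Finding(p2, "spring-security-web", "3.2.1.RELEASE",
                           "Vulnerability", "VULN-EXAMPLE-1")
    other_lib = Finding(p2, "example-lib", "1.0.0",
                        "Vulnerability", "VULN-EXAMPLE-2")
    ws.record_scan(p2, [other_spring, other_lib])
    ws.ignore(other_spring)
    ws.ignore(other_lib)

    return {
        "first_id": first_id,
        "second_id": second_id,
        "old_issue_still_listed": old_issue_still_listed,
        "visible_vuln_issues": len(ws.issues(kind="Vulnerability")),
        "workspace_vulnerabilities": len(ws.vulnerabilities()),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows three effects at once: the upgraded library gets a fresh issue id while the 3.2.0.RELEASE issue disappears from the list; three issue records of type Vulnerability collapse to two workspace-level vulnerabilities because `VULN-EXAMPLE-1` is counted once; and after ignoring both issues in the second project only one issue of type Vulnerability remains visible while the vulnerability count stays at two, which is exactly the case where vulnerabilities outnumber issues.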

View Vulnerability Details

Viewing vulnerability details allows you to collect a wide variety of information. This information includes vulnerable version ranges for the library in question, other libraries which might be subject to the vulnerability, as well as resources for finding more information. To view additional details:

  1. Go to the relevant workspace, and select either the Libraries tab on the left navigation menu or select the individual project with libraries for which you want to view the details.
  2. In the list of libraries, select the Library link for a given issue.
  3. Clicking this link takes you to the SourceClear Vulnerability Database where you can view the vulnerability details by using the left navigation menu.

What Are Libraries?

Libraries represent each open-source library that SourceClear has identified within a code project. SourceClear maintains a database which is in sync with the following open-source library repositories:

View Library Details

Viewing library details allows users to view information across all versions of a specific open-source library such as vulnerabilities associated with different versions of a library. You can view these details by following these steps:

  1. From the relevant workspace, select either the Vulnerabilities tab on the left navigation menu or select the individual project with vulnerabilities you want to view details for.
  2. In the list of vulnerabilities, select the Vulnerability link for a given issue:
  3. Clicking this link takes you to the SourceClear Vulnerability Database where you can view the library details by using the left navigation menu.

What Are Licenses?

Licenses consist of the software license information associated with each open-source library in use. SourceClear maintains license information by keeping in sync with the open-source library repositories mentioned above. This information is useful for users who want to avoid issues relating to copyleft licenses or keep track of the licenses in use across a set of libraries.