Issues
Issues are automatically created by Plugins, Policies and the Source repository scanner when vulnerability or license compliance issues are found.
Issues for an individual package are shown on package cards, as seen below. Dashboards show the aggregated number of issues per severity level.
Issue details
Issues contain detailed information about a problem and allow you to track its progress.
Access a specific issue by clicking an issue badge, by following a notification link, or by using the Issues link in the main menu.
Each issue has a unique numerical id and URL, making them easy to share and refer to in GitHub pull requests (or similar).
Issues have a Type, Title, Description, Status and Severity, all of which can be edited by users working on fixing the problem.
Activity log
Each issue has a timeline detailing its most important events, allowing for easy review of the history of the problem and tracking of any progress towards remediation.
Users working on the issues can also add comments directly to the timeline.
The activity log includes status events, such as the issue being opened or closed, as well as package events affecting the issue (a package version being deleted or pulled, which closes or reopens the issue).
Links to related issues
Linked issues are available when an issue is mentioned in the comments. Simply write the issue id with a hash sign in front of the id: #<issue id>.
With an active GitHub integration, GitHub issues can be linked in the same way by including the issue URL in a comment. See Integration with GitHub issues.
Similar issues lists other issues with the same root cause, for instance issues created for the same vulnerability found across multiple registries in a workspace.
Issue types
Issues are categorized into different types for easy identification. Type is also a main filter option when finding and viewing issues.
| Type | Description |
|---|---|
| ADVISORY | Issue opened by the Vulnerability scanner for a package with a known vulnerability from the Bytesafe advisory database |
| LICENSE | Issue opened by License Compliance in accordance with a License Policy, for unlicensed packages or unknown licenses |
| DEPRECATION | Issue opened by the Deprecated packages plugin for packages with deprecation notices |
| UPSTREAM | Issue related to Upstreams. Usually indicates a configuration problem, but could also indicate a supply chain attack, e.g. a package found in multiple external upstreams with non-matching contents. See Internal packages for more information. |
| USER | Issue opened by a user. |
Closing issues
An issue can have one of three statuses: OPEN, CLOSED or IGNORED.
Issues can be closed manually by changing the status on the issue details screen.
Issues are closed automatically when the root cause is removed, for example, when deleting a package causing the issue.
Difference between CLOSED and IGNORED
CLOSED issues will be re-opened whenever a problem resurfaces, e.g., when a deleted package is re-added to a registry.
Setting the status to IGNORED prevents the issue from automatically being re-opened.
In general, CLOSED is used to signal that an issue has been “fixed”, and IGNORED that an issue “is not a problem for our use-case or organization”.
Finding issues
Issues have a dedicated section in the workspace main menu where you can list, search and filter among all issues across all registries in the workspace.
Issues can be filtered on status, type and severity, as well as on the related registry.
Notifications
Notifications enable users to stay up to date on current issues for the workspace and provide a direct link to the issue.
When a new issue is opened, all active users in the workspace receive a notification (see Notification settings). By default, email and in-app notifications are enabled.
If the team has enabled the Slack integration, the Slack channel will also receive updates.
Any user who updates an issue is added as a Watcher and receives notifications about any future updates.
Users can also add themselves as watchers by clicking Watch on the issue details page.
Integration with GitHub
With an active GitHub integration, Bytesafe issues can be linked with GitHub issues and pull requests.
You can link issues by including the full URL of a Bytesafe issue in a comment on a GitHub issue (or pull request).
Adding a comment to a Bytesafe issue that includes the URL of a GitHub issue (or pull request) also works.
The GitHub bot
Bytesafe's GitHub bot will automatically:
- Link issues on mentions (bidirectional)
- Notify GitHub Issues of Bytesafe Issue status changes
- Update GitHub Issue with current state of Bytesafe Issue
- Update Bytesafe Issue with current status of GitHub Issue
Automation
You can automatically close linked Bytesafe issues when merging a GitHub pull request.
Include Fixes <Bytesafe issue URL> or Closes <Bytesafe issue URL> in the pull request description or commit message to close the issue automatically on merge.
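The following is an added illustration, not Bytesafe's own bot code, of how the mention and close-on-merge conventions described in this page (#<issue id> mentions, GitHub issue and pull request URLs, and Fixes/Closes followed by a Bytesafe issue URL) can be recognised in comment or pull request text. The issue base URL and the sample description are constructed placeholders, and the assumption that the numeric id is the last path segment of a Bytesafe issue URL is not stated on this page.

```python
import re

# Keywords that close a linked issue when the pull request is merged (from the page).
CLOSE_KEYWORDS = ("fixes", "closes")

# Constructed sample input; example.invalid is a placeholder workspace, not a real URL.
ISSUE_BASE_URL = "https://example.invalid/issues"
SAMPLE_PR_DESCRIPTION = """Bump lodash to a patched release.
Closes https://example.invalid/issues/42.
See https://example.invalid/issues/7 for the related license discussion.
Tracked in https://github.com/octo-org/registry/pull/88 (cf. #13)."""

def bytesafe_issue_id(url, issue_base_url=ISSUE_BASE_URL):
    """Numeric id of a Bytesafe issue URL, or None if the URL is not an issue under the base.

    Assumption (not stated on the page): the id is the last path segment of the issue URL."""
    base = issue_base_url.rstrip("/") + "/"
    if not url.startswith(base):
        return None
    tail = url[len(base):].strip("/")
    return int(tail) if tail.isdigit() else None

def issue_mentions(text):
    """Ids written as #<issue id>; 'ABC#99', '##5' and '/#12' inside a URL are not mentions."""
    return [int(n) for n in re.findall(r"(?<![\w/#])#(\d+)\b", text)]

def github_links(text):
    """(owner, repo, kind, number) for each GitHub issue or pull request URL in the text."""
    pat = r"https://github\.com/([\w.-]+)/([\w.-]+)/(issues|pull)/(\d+)"
    return [(o, r, k, int(n)) for o, r, k, n in re.findall(pat, text)]

def issues_closed_on_merge(text, issue_base_url=ISSUE_BASE_URL):
    """Ids a merged pull request should close: only a URL directly preceded by Fixes/Closes
    counts. A bare issue URL elsewhere in the text is a link, not a close instruction."""
    pat = re.compile(r"\b(?:" + "|".join(CLOSE_KEYWORDS) + r")\s*:?\s+(\S+)", re.IGNORECASE)
    closed = []
    for url in pat.findall(text):
        issue_id = bytesafe_issue_id(url.rstrip(".,;:)"), issue_base_url)
        if issue_id is not None and issue_id not in closed:
            closed.append(issue_id)
    return closed

if __name__ == "__main__":
    print("mentions:", issue_mentions(SAMPLE_PR_DESCRIPTION))
    print("github links:", github_links(SAMPLE_PR_DESCRIPTION))
    print("closed on merge:", issues_closed_on_merge(SAMPLE_PR_DESCRIPTION))
```

Note that issue 7 in the sample is linked but not closed, because only the URL following Closes is a close instruction.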