Issues

Track problems found in your registries and their remediation

Issues are automatically created by Plugins, Policies and the Source repository scanner when vulnerability or license compliance issues are found.

Issues for an individual package are shown on its package card, as seen below. Dashboards show the aggregated number of issues per severity level.

Screenshot: Package card

Issue details

Issues contain detailed information about a problem and allow you to track its progress.

Access a specific issue by clicking an issue badge, by following a notification link, or via the Issues link in the main menu.

Each issue has a unique numerical id and URL, making them easy to share and refer to in GitHub pull requests (or similar).

Issues have a Type, Title, Description, Status and Severity - all of which can be edited by users working on fixing the problem.

Screenshot: Issue details

Activity log

Each issue has a timeline detailing its most important events, allowing easy review of the problem's history and tracking of progress towards remediation.

Users working on the issues can also add comments directly to the timeline.

The activity log includes status events, such as the opening and closing of the issue, as well as package events that affect the issue (for example, deleting or pulling a package version, which closes or reopens the issue).

Screenshot: Activity log

Linked issues are available when an issue is mentioned in the comments. Simply write the issue id with a hash sign in front of it: #<issue id>.

Screenshot: Linked issue in comment

With an active GitHub integration, GitHub issues can be linked in the same way by providing the issue URL in a mention. See Integration with GitHub below.

Screenshot: Linked GitHub issue in comment

Similar issues lists other issues caused by the same root cause, for instance the issues created for one vulnerability found across multiple registries in a workspace.

Issue types

Issues are categorized into different types for easy identification. Type is also a main filter option when finding and viewing issues.

| Type | Description |
| --- | --- |
| ADVISORY | Issue opened by the Vulnerability scanner for a package with a known vulnerability from the Bytesafe advisory database |
| LICENSE | Issue opened by License Compliance in accordance with a License Policy, for unlicensed packages or unknown licenses |
| DEPRECATION | Issue opened by the Deprecated packages plugin for packages with deprecation notices |
| UPSTREAM | Issue related to Upstreams. Usually indicates a configuration problem, but could also be a supply chain attack, e.g. packages found in multiple external upstreams with non-matching contents. See Internal packages for more information. |
| USER | Issue opened by a user. |

Closing issues

An issue can have one of three statuses: OPEN, CLOSED or IGNORED.

Issues can be closed manually by changing the status on the issue details screen.

Screenshot: Change issue status

Issues are closed automatically when the root cause is removed, for example, when deleting a package causing the issue.

Difference between CLOSED and IGNORED

CLOSED issues will be re-opened whenever a problem resurfaces, e.g., when a deleted package is re-added to a registry.

Setting the status to IGNORED prevents the issue from automatically being re-opened.

In general, CLOSED is used to signal that an issue has been “fixed”, and IGNORED that an issue “is not a problem for our use case or organization”.

Finding issues

Issues have a dedicated section in the workspace main menu where you can list, search and filter among all issues across all registries in the workspace.

Screenshot: Issues list

Issues can be filtered on status, type and severity, as well as on the related registry.

Notifications

Notifications enable users to stay up to date on current issues for the workspace and provide a direct link to the issue.

When a new issue is opened, all active users in the workspace receive a notification (see Notification settings). By default, email and in-app notifications are enabled.

If the team has enabled the Slack integration, the Slack channel will also receive updates.

Screenshot: Slack new issue notification

Any user that updates an issue will be added as a Watcher and will receive notifications about any future updates.

Users can also add themselves as watchers by clicking Watch on the issue details page.

Integration with GitHub

With an active GitHub integration, Bytesafe issues can be linked with GitHub issues and pull requests.

Screenshot: Bytesafe integration bot when linked with a GitHub issue

You can link issues by including the full URL of a Bytesafe issue in a comment on a GitHub issue (or pull request).

Screenshot: GitHub comment with Bytesafe mention

Adding a comment to a Bytesafe issue that includes the URL of a GitHub issue (or pull request) also works.

The GitHub bot

Bytesafe's GitHub bot will automatically:

  • Link issues on mentions (bidirectional)
  • Notify GitHub issues of Bytesafe issue status changes
  • Update the GitHub issue with the current state of the Bytesafe issue
  • Update the Bytesafe issue with the current status of the GitHub issue

Automation

You can automatically close linked Bytesafe issues when merging a GitHub pull request.

Include Fixes <Bytesafe issue URL> or Closes <Bytesafe issue URL> in the pull request description or commit message to close the issue automatically on merge.

Screenshot: Closing a Bytesafe issue on merge of a GitHub PR
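As an added illustration (not Bytesafe's own code), the two mention rules described on this page, `#<issue id>` in comments and `Fixes`/`Closes` followed by an issue URL in a pull request description, can be parsed like this. The issue URL shape `https://<host>/issues/<id>` is an assumption; the page does not specify the real URL format.

```python
import re
from dataclasses import dataclass, field

# Assumed URL shape for a Bytesafe issue (not given on the page); host is a placeholder.
ISSUE_URL_RE = re.compile(r"https://[\w.-]+/issues/(\d+)")
# "#123" mention, but not "#" glued to a word or URL fragment (e.g. "url#123").
MENTION_RE = re.compile(r"(?<![\w#])#(\d+)\b")
# "Fixes <url>" / "Closes <url>" close keyword, case-insensitive, as used on merge.
CLOSE_RE = re.compile(r"\b(?:fixes|closes)\s+(https://[\w.-]+/issues/(\d+))", re.IGNORECASE)


@dataclass
class Mentions:
    linked: set = field(default_factory=set)  # issue ids to link bidirectionally
    closed: set = field(default_factory=set)  # issue ids to close when the PR merges


def parse_mentions(text: str) -> Mentions:
    """Extract Bytesafe issue references from a comment or PR description.

    Every mention (by id or by URL) becomes a link; only mentions preceded by a
    close keyword are also scheduled for closing on merge.
    """
    found = Mentions()
    for num in MENTION_RE.findall(text):
        found.linked.add(int(num))
    for num in ISSUE_URL_RE.findall(text):
        found.linked.add(int(num))
    for _url, num in CLOSE_RE.findall(text):
        found.linked.add(int(num))
        found.closed.add(int(num))
    return found


# Constructed sample PR description: two plain mentions, two close keywords,
# and one URL that is only referenced, so it must be linked but not closed.
SAMPLE_PR_BODY = (
    "Bump lodash; related to #12 and #13.\n"
    "Fixes https://bytesafe.example/issues/42\n"
    "closes https://bytesafe.example/issues/43\n"
    "See also https://bytesafe.example/issues/44 for the ignored variant.\n"
)

if __name__ == "__main__":
    result = parse_mentions(SAMPLE_PR_BODY)
    print("link:", sorted(result.linked), "close on merge:", sorted(result.closed))
```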