Management of Packages

Notice

In the past, we have experienced unexpected delays in releasing this feature. We now plan to make it available in the coming months.

You can reduce noise in your system when you decide that a certain package (in the SCA results viewer) does not pose a threat, or when no fixed version of the package is available. This is done by changing the State of the package as needed. By default, all packages are assigned the state Monitored. You can change the state to Muted so that the vulnerabilities associated with that package are not shown as risks to your project. You can also “Snooze” a package so that it is muted for a fixed period of time, after which it automatically reverts to being a regular monitored package.

Notice

When the designated snooze period ends, an auto-scan (i.e., automatic scan recalculation) is triggered in order to update the project data and risk counters to include data for the package that has been returned to Monitored state.

While viewing the Package Details page for a specific package, you can open a side panel by clicking on the State button on the header bar, with tabs for New Action (i.e., making changes to the state) and for viewing History of changes made.

Changing the Package State

The package state is modified based on your AppSec team's decision about whether the package should continue to affect the project score, or whether it should be muted permanently (Muted) or temporarily (Snoozed).

  • Monitored (default) - vulnerabilities are displayed based on the risk score.

  • Muted - vulnerabilities associated with the package will permanently not be shown as risks to your project.

  • Snoozed - vulnerabilities associated with the package will be muted temporarily. You must choose the date on which the snooze expires.

Important

Only users with the roles update-package-state-mute and update-package-state-mute-if-in-group can mute packages.

Important

Only users with the roles update-package-state-snooze and update-package-state-snooze-if-in-group can snooze packages.

To change the package state:

  1. On the Projects page, hover over the Results button for the desired project and from the scanner drop-down click on SCA.

  2. On the Scan Results page, click on the Packages tab. The All Packages sub-tab is displayed.

  3. Click on a package to open the Package Details page for that package.

  4. In the tab's header bar, click on the State button (showing the current state).

    The Management of Packages panel opens.

    Note

    Alternatively, you can open the Management of Packages panel by clicking on the Comments button in the Customization section at the bottom of the Package Details page.

  5. To change the state, click the State Change field and select the desired state from the drop-down list.

    Note

    After changing the state, you are required to add a comment before the option to Approve the change becomes available.

  6. In the Add a Comment section, enter your comment.

  7. Click Approve.

    The new State is immediately shown in the web application. However, the package summary counters aren't recalculated until a new scan or scan recalculation is run on the project. Until the recalculation, a red dot will be displayed for the package indicating that recalculation is required.

Viewing Package Change History

Once a State change has been made, a red dot is shown next to the relevant Package. This indicates that you need to run a scan recalculation in order to update all of the result counters to reflect the change.

State changes are shown in the Package Details page. Muted packages will have a pink background for the header bar with a muted icon and Snoozed packages will have a yellow background for the header bar with a snoozed icon.

In addition, a detailed history of all changes is shown in the Management of Risk panel > History tab. For each change that was made, the name of the user who made the change and the time of the change are shown. For state changes, the new state is shown alongside the previous state.
