Analyzing vulnerabilities in SourceCraft repository dependencies

SourceCraft features dependency analysis (Software Composition Analysis, SCA) for dependencies used in repositories.

SCA is a set of tools offering insights on dependencies used in the software development process and known vulnerabilities in them.

SCA automatically builds a Software Bill of Materials (SBOM) – a list of all the project's dependencies including transitive ones – and cross-references them with current CVE databases.
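The cross-referencing step described above, as an added example that is not SourceCraft's own code: it reads an SPDX 2.3 JSON SBOM (the format offered by Download SBOM), takes each package's version and ecosystem from its purl, and reports every package whose version is below an advisory's fixed version. The SBOM, the advisory list and the CVE ids are constructed samples, and the version comparison is a simplified dotted-numeric compare.

```python
import json

# Constructed SPDX 2.3 JSON fragment (not a real repository's SBOM).
SBOM_JSON = """{
  "spdxVersion": "SPDX-2.3",
  "name": "example-repo",
  "packages": [
    {"name": "lodash", "versionInfo": "4.17.20",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
    {"name": "minimist", "versionInfo": "1.2.6",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:npm/minimist@1.2.6"}]}
  ]
}"""

# Constructed advisory records with placeholder CVE ids (not real entries).
ADVISORIES = [
    {"cve": "CVE-0000-00001", "ecosystem": "npm", "package": "lodash",
     "fixed_in": "4.17.21", "severity": "High"},
    {"cve": "CVE-0000-00002", "ecosystem": "npm", "package": "minimist",
     "fixed_in": "1.2.6", "severity": "Critical"},
]

def parse_version(v):
    """Simplified compare: dotted numeric parts; non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def ecosystem_of(pkg):
    """Ecosystem from the purl external reference, e.g. 'npm' for pkg:npm/...."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"][len("pkg:"):].split("/", 1)[0]
    return None

def find_vulnerabilities(sbom_json, advisories):
    """Return Open findings (CVE id, package, version, severity) for the SBOM."""
    findings = []
    for pkg in json.loads(sbom_json).get("packages", []):
        eco, ver = ecosystem_of(pkg), pkg.get("versionInfo", "")
        for adv in advisories:
            if adv["package"] != pkg["name"] or adv["ecosystem"] != eco:
                continue
            if parse_version(ver) < parse_version(adv["fixed_in"]):
                findings.append({"cve": adv["cve"], "package": pkg["name"],
                                 "version": ver, "severity": adv["severity"],
                                 "status": "Open"})
    return findings
```

Running `find_vulnerabilities(SBOM_JSON, ADVISORIES)` flags lodash 4.17.20 and leaves minimist alone, because 1.2.6 is already the fixed version.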

To view vulnerabilities detected in repository dependencies:

  1. Open the SourceCraft home page.

  2. On the Home tab, navigate to Repositories and select a repository.

  3. Under Security on the repository page, go to Dependencies.

    The list of vulnerabilities shows the last detection date.

    To download the SBOM in SPDX format, click Download SBOM.

  4. To view information about a specific vulnerability, select it from the list.

    For each vulnerability found, the following information is provided:

    • CVE ID, package name and current version.
    • Color code of the detected issue's severity level.
    • Incident status: Open or Resolved.
    • False positive mark (if any).

  5. To mark an incident as resolved, follow these steps:

    1. Next to the incident, click Resolved.
    2. Add a comment for the incident.
    3. Optionally, mark the incident as a false positive.
    4. Click Resolve.

  6. To reopen an incident, click Reopen next to it.

See also