Analyzing vulnerabilities in SourceCraft repository dependencies
SourceCraft features dependency analysis (Software Composition Analysis, SCA) for dependencies used in repositories.
SCA is a set of tools that reports which dependencies a project uses during development and which known vulnerabilities affect them.
SCA automatically builds a Software Bill of Materials (SBOM), a list of all the project's dependencies including transitive ones, and cross-references it with current CVE databases. Each detected vulnerability also carries a CVSS vector, so you can assess its impact more precisely and prioritize fixes.
To view vulnerabilities detected in repository dependencies:
On the Home tab, navigate to Repositories and select a repository.
Under Security on the repository page, navigate to Dependencies.
The list of vulnerabilities shows the last detection date.
To download a SBOM (Software Bill of Materials) file in SPDX format for audit or integration with external systems, click Download SBOM.
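The downloaded SBOM is what the cross-reference with CVE data operates on. The script below is an added example, not SourceCraft's own code or its matching logic: it parses a constructed SPDX 2.3 JSON document, keys each package by its version-less purl, and checks every package version against a small advisory feed that is also constructed inline (the log4j-core range reflects the published CVE-2021-44228 range; the jackson-databind entry is a placeholder used only to show that a version equal to the fixed version is not flagged). The version comparator is deliberately simplified and is an assumption of this example, not an ecosystem-accurate implementation.

```python
"""Cross-reference a downloaded SPDX SBOM against an advisory feed.

Added example, not SourceCraft's own code. The SBOM document, the advisory
feed and the version comparator are constructed for this example."""
import json
import re

# Constructed SPDX 2.3 JSON document standing in for a downloaded SBOM.
SBOM_JSON = r"""{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-service",
  "packages": [
    {"name": "log4j-core", "SPDXID": "SPDXRef-Package-log4j-core",
     "versionInfo": "2.14.1",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    {"name": "jackson-databind", "SPDXID": "SPDXRef-Package-jackson-databind",
     "versionInfo": "2.13.4.2",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2"}]},
    {"name": "guava", "SPDXID": "SPDXRef-Package-guava", "versionInfo": "32.1.2-jre"}
  ]
}"""

# Constructed advisory feed keyed by version-less purl: (id, introduced, fixed).
# "EXAMPLE-0001" is a placeholder, not a real advisory.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        ("CVE-2021-44228", "2.0-beta9", "2.15.0")],
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind": [
        ("EXAMPLE-0001", "2.0.0", "2.13.4.2")],
}


def version_key(version):
    """Simplified comparable key (assumption of this example): numeric segments
    compare numerically; an alphabetic segment (beta9, rc1, jre) sorts below a
    release that shares the numeric prefix. Real SCA tools apply
    ecosystem-specific version rules (Maven, npm, PEP 440, ...)."""
    parts = []
    for seg in re.split(r"[.\-]", version):
        parts.append((1, int(seg), "") if seg.isdigit() else (0, 0, seg))
    return parts


def version_lt(a, b):
    """True if version a sorts strictly before version b."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(1, 0, "")] * (width - len(ka))  # "2.0" == "2.0.0"
    kb += [(1, 0, "")] * (width - len(kb))
    return ka < kb


def find_vulnerable(sbom_json, advisories):
    """Return one finding per (package, advisory) whose version falls in
    [introduced, fixed)."""
    doc = json.loads(sbom_json)
    findings = []
    for pkg in doc.get("packages", []):
        version = pkg.get("versionInfo")
        purl = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref["referenceLocator"].split("@", 1)[0]  # drop the version
        if not purl or not version:
            continue  # nothing reliable to match on; skip rather than guess
        for adv_id, introduced, fixed in advisories.get(purl, []):
            if not version_lt(version, introduced) and version_lt(version, fixed):
                findings.append({"package": pkg["name"], "version": version,
                                 "id": adv_id, "fixed_in": fixed})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{f['package']} {f['version']}: {f['id']} (fixed in {f['fixed_in']})")
```

Only log4j-core is reported: jackson-databind sits exactly on its fixed version, and guava has no purl, so it is skipped instead of being matched by bare name. Skipping is the safe default for a quick local check, but a real tool would fall back to ecosystem and name heuristics rather than silently drop the package.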
Tip
In the filter row, you can filter vulnerabilities by status (Open, Resolved, and False positive) and severity (Critical, High, Medium, and Low).
You can also sort the list by status or severity.
To view information about a specific vulnerability, select it from the list.
For each vulnerability found, the following information will be provided:
CVE ID, package name and current version.
CVSS vector and vulnerability severity level.
Color code of the detected issue's severity level.
Incident status: Open or Resolved.
False positive mark (if any).
Under Activity, you can view the history of events for a specific vulnerability in the repository: when the warning was opened, and who marked it as resolved or reopened it, and when.
To mark an incident as resolved, follow these steps:
Next to the incident, click Resolved.
Add a comment for the incident.
Optionally, mark the incident as a false positive.