Vulnerabilities
Vulnerabilities are categorized as either "Reachable", "Unknown" or "Not reachable". To learn more about this categorization, see the Reports page.
From the Reports page, you have direct access to details about vulnerabilities detected in your project. The details include, among other things, the CVSS score, severity, and the affected package name and version. For more detailed information about each vulnerability, you can open the Vulnerability details, Analysis details and Fixes panes.
Vulnerability Details
The vulnerability details page contains information about the vulnerability advisory, such as the CVE, the name of the affected dependency, the severity and CVSS score and the affected versions.
Analysis Details
The analysis details pane contains information derived from the reachability analysis, including the list of source locations in the application code that either directly or indirectly (through other dependencies) use the code affected by the vulnerability. The pane also shows the dependency chain(s) leading to the vulnerable dependency, and a human-readable textual description of what the reachability analysis is scanning for.
Vulnerability Fixes
The "Vulnerability Fixes" pane provides details about available fixes and instructions on how to apply these fixes to your codebase using the Coana CLI.
To apply a fix, copy the generated command and run it from the root directory of your project.
If the fix is outdated — for example, if your dependency tree has changed since the report was generated — Coana will terminate with an error.
To prompt Coana to regenerate the fix, add the --recompute-outdated flag to the command.
If the vulnerability impacts multiple workspaces, Coana will provide an option to select which workspaces you want to apply the fix to.
Vulnerability Dismissal Action
From the Actions menu, you can choose "Dismiss..." to open the vulnerability dismissal window. The dismissal feature allows you to disregard vulnerabilities that you have determined are not applicable to your project. For example, you can choose to dismiss a vulnerability if the vulnerable dependency is only used by an internal tool. Dismissals can either have an expiration date or be permanent. If you have enabled the Dependabot integration, you will also have the option of dismissing the associated Dependabot alerts in GitHub.