
FOSSA Issue Diffs: Understanding Your Evolving Risk Posture

June 10, 2025 · 5 min read · Andy Drukarev

Modern application development is often fueled by both a heavy reliance on open source software components and frequent revisions to the application itself.

One of the challenges that can come with complex, fast-moving development is staying on top of new issues introduced in new versions — plus how your software’s risk posture evolves over time.

That’s why FOSSA built Issue Diffs: a new feature that makes it easy to compare licensing, security, and quality issues between software revisions. Distinguish between newly introduced and existing vulnerabilities, get a snapshot of remediation efficiency, ensure software suppliers are meeting their SLAs, and more.

This blog will dive into Issue Diffs, with a focus on the use cases it supports along with step-by-step instructions on using the feature.

Benefits of Issue Diffs

Issue Diffs is a feature built around comparing the issues found in different revisions of a project. You can view licensing, security, or quality issues associated with any type of project (container, SBOM, binary, repo, etc.) — and compare the current issues for the selected revision against any previous one.

This provides a snapshot of the number of issues that have been remediated since the selected revision, the number of new issues, and the number of unchanged issues.

This capability provides FOSSA users with several important benefits:

Vulnerability Prioritization

There are many standardized vulnerability frameworks and scoring systems, such as EPSS and CVSS, to name a few. Security teams often integrate these metrics when building vulnerability prioritization workflows.

Issue Diffs offers an additional option alongside traditional prioritization inputs: the ability to focus only on newly introduced vulnerabilities. This is a helpful tool for the many teams that are drowning in CVE overload.

Additionally, you can see full issue context — such as CVSS, EPSS, CISA KEV list inclusion, and available fixes — directly from the Issue Diffs view. You can also filter and prioritize issues from this page.

Apply standard vulnerability prioritization filters to new vulnerabilities

Risk Posture and Remediation Assessment

Issue Diffs provides data and reporting to help teams track their risk posture over time. Security teams can see vulnerability trends from revision to revision. Engineers focused on remediation can highlight the number of issues they’ve closed since the project’s last revision (and the pace at which those issues have been fixed). And IP counsel can get a big-picture view of their organization’s license compliance risk from revision to revision.

Supplier Risk Management

Issue Diffs are available for all types of projects, including supplier-provided SBOMs. In the SBOM scenario, Issue Diffs treats each import as a revision, allowing for an easy side-by-side comparison. This helps you verify that your suppliers are fixing the issues that you flagged — and, of course, ensure that the supplier doesn't introduce new vulnerabilities.

How to Use Issue Diffs

You can get started with FOSSA Issue Diffs by navigating to a project in your FOSSA app. Once you’re on the project page, you’ll see a summary of the licensing, security, and quality issues associated with your latest revision.

As a reminder, FOSSA logs issues based on the policies you set within our app. For example, if you add GPL v2 to your “deny” list — but we detect a GPL v2 license in a scan — we’ll report an issue against it. The same applies to a security vulnerability above the CVSS threshold you set, and so on.

Next, pick a category of issues — licensing, security, or quality — to see how the posture of your latest revision compares to any previous revision. The screenshot below shows an example of how licensing issues compare in v1.3 of our project to v1.0.

See which issues are new to the selected revision

The “Issues” section on the left side of the page highlights the new issues in the selected revision, the number of issues that have been remediated, and the number of issues that are unchanged. The rest of the page provides the context you need to filter and prioritize issues; the details on this page mirror what FOSSA users see on the Issues page itself in our app's UI.

A typical Issue Diffs workflow might look something like:

  • A developer resolves issues by updating vulnerable packages and then commits that revision.
  • FOSSA is tightly integrated with the build process, so the revision triggers a fresh scan.
  • Once the issue scan is done, you’re able to compare the newest revision with the previous revision (or any prior revision).
  • You now have a direct, one-to-one comparison from revision to revision, to see how issues are changing and being resolved, and if any new ones are introduced.

It’s also important to note that Issue Diffs respects issues that you’ve previously ignored, so you won’t have to worry about those appearing in your Issue Diffs view.
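To make the comparison semantics concrete (new vs. remediated vs. unchanged issues, issues being created only when a scan result violates a policy such as a license deny list or CVSS threshold, previously ignored issues being excluded, and CVSS/KEV filtering of the new issues), here is an added Python model of the workflow. It is an illustration written for this post, not FOSSA's code: the Finding and Policy records, the match key of (category, package, identifier), and the two constructed revisions with placeholder CVE ids are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One raw scan result for a revision (assumed model, not FOSSA's schema)."""
    category: str                 # "licensing" or "security"
    package: str                  # component the finding is attached to
    key: str                      # license identifier or vulnerability identifier
    cvss: Optional[float] = None  # security findings only
    in_kev: bool = False          # listed in the CISA KEV catalog (security only)


@dataclass(frozen=True)
class Policy:
    """Assumed policy shape: a license deny list and a CVSS threshold."""
    denied_licenses: frozenset
    cvss_threshold: float


def issues_for_revision(findings, policy):
    """Apply the policy: a finding becomes an issue only when it violates the policy."""
    issues = set()
    for f in findings:
        if f.category == "licensing" and f.key in policy.denied_licenses:
            issues.add(f)
        elif (f.category == "security" and f.cvss is not None
              and f.cvss >= policy.cvss_threshold):
            issues.add(f)
    return issues


def diff_issues(previous, current, ignored=frozenset()):
    """Compare two revisions' issue sets, matching on (category, package, key).

    Returns a dict with 'new', 'remediated' and 'unchanged' issue sets.
    Issues whose identity is in `ignored` are dropped from both sides first,
    so an ignored issue never shows up as new, remediated or unchanged.
    A re-rated CVSS score on the same issue still counts as unchanged.
    """
    def ident(i):
        return (i.category, i.package, i.key)

    prev = {ident(i): i for i in previous if ident(i) not in ignored}
    curr = {ident(i): i for i in current if ident(i) not in ignored}
    return {
        "new": {curr[k] for k in curr.keys() - prev.keys()},
        "remediated": {prev[k] for k in prev.keys() - curr.keys()},
        "unchanged": {curr[k] for k in curr.keys() & prev.keys()},
    }


def prioritize(issues, min_cvss=0.0, kev_only=False):
    """Narrow a set of security issues by CVSS floor and/or KEV inclusion."""
    return {i for i in issues
            if i.category == "security"
            and (i.cvss or 0.0) >= min_cvss
            and (i.in_kev or not kev_only)}


POLICY = Policy(denied_licenses=frozenset({"GPL-2.0"}), cvss_threshold=7.0)

# Constructed scan results for two revisions. CVE ids are placeholders, not real advisories.
V1_0 = [
    Finding("licensing", "libfoo", "GPL-2.0"),
    Finding("licensing", "libbar", "MIT"),
    Finding("security", "libfoo", "CVE-EXAMPLE-0001", cvss=9.8, in_kev=True),
    Finding("security", "libbaz", "CVE-EXAMPLE-0002", cvss=7.5),
    Finding("security", "libqux", "CVE-EXAMPLE-0003", cvss=4.3),
]
V1_3 = [
    Finding("licensing", "libfoo", "GPL-2.0"),                                   # still present
    Finding("licensing", "libbar", "MIT"),                                       # not denied, never an issue
    Finding("security", "libfoo", "CVE-EXAMPLE-0001", cvss=9.8, in_kev=True),    # unchanged
    # libbaz was upgraded, so CVE-EXAMPLE-0002 is gone: remediated
    Finding("security", "libqux", "CVE-EXAMPLE-0003", cvss=4.3),                 # below threshold
    Finding("security", "libnew", "CVE-EXAMPLE-0004", cvss=8.1),                 # new dependency: new issue
    Finding("security", "libnew", "CVE-EXAMPLE-0005", cvss=7.2, in_kev=True),    # new issue, in KEV
]

# The GPL-2.0 issue on libfoo was ignored in an earlier revision (constructed).
IGNORED = frozenset({("licensing", "libfoo", "GPL-2.0")})


def summarize(previous_findings, current_findings, policy=POLICY, ignored=IGNORED):
    """Counts shown in the 'Issues' panel: new / remediated / unchanged."""
    diff = diff_issues(issues_for_revision(previous_findings, policy),
                       issues_for_revision(current_findings, policy),
                       ignored)
    return {name: len(members) for name, members in diff.items()}


if __name__ == "__main__":
    print(summarize(V1_0, V1_3))  # {'new': 2, 'remediated': 1, 'unchanged': 1}
    new = diff_issues(issues_for_revision(V1_0, POLICY),
                      issues_for_revision(V1_3, POLICY), IGNORED)["new"]
    print(sorted(i.key for i in prioritize(new, kev_only=True)))
```

The two things worth noticing: the comparison is on issues, not findings, so a dependency whose CVSS sits below the policy threshold never enters the diff at all, and removing the ignore set (pass `ignored=frozenset()`) raises the unchanged count because the ignored license issue reappears on both sides.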

Bringing Issue Diffs to Your Organization

The Issue Diffs feature is now generally available to all FOSSA customers. As previously mentioned, you can take advantage of the feature by navigating to the Issues page within one of your projects.

If you’re a current FOSSA customer and have questions about Issue Diffs, please feel free to reach out to our customer success contact. If you aren't a current FOSSA user but are interested in trying the feature, please get in touch with our team.
