Operationalizing Exceptions with Time-Based Ignore Rules

June 24, 2025 · 4 min read · Andy Drukarev

Application security, engineering, and legal teams use open source policies to manage risk across their organization. For example, a security team may have a policy to prioritize vulnerabilities based in part on CVSS score or EPSS score. A legal team may have a blanket policy preventing engineers from using AGPL-licensed code. And so on. Policies are an effective broad brush to make sure the right rules are being followed across the organization.

However, there are also scenarios where teams may choose to add exceptions to these policies. For example, a high-severity vulnerability may be detected, but additional analysis confirms that it’s not in the affected code path, or a fix version is not available. Handling these situations as exceptions ensures remediation resources are directed toward the most impactful issues.

These exceptions often fall into two categories: permanent and temporary.

  • Permanent: The given issue never needs to be addressed.
  • Temporary: The issue should be addressed, but remediation can be delayed (e.g. it should be on a different timeline from the normal SLA for the given issue).

FOSSA’s Time-Based Ignore Rules are built for the temporary exception scenario — to enable organizations to operationalize exception programs by ignoring security, license compliance, or quality issues for pre-defined periods of time. Time-Based Ignore Rules essentially act as a prioritization override to help teams ensure they’re focusing remediation on the most business-critical issues on an ongoing basis.

In this blog, we’ll explore how the feature works and how to get started with it.

Using FOSSA Time-Based Ignore Rules

Time-Based Ignore Rules are available to all FOSSA business and enterprise tier users.

Here’s how to create them:

Creating a New Time-Based Ignore Rule

  • Get started by navigating to the “Issues” tab in the header of the FOSSA UI. Then, select either “Licensing,” “Security,” or “Quality” depending on the type of Ignore Rule you’d like to add.
  • Once you land on your choice of Issue page, click on the “Ignore Rules” button in the top right corner. This will take you to your list of Ignore Rules for your selected issue type.
  • Click the “Add Ignore Rule” button in the top right corner of the page.
  • Set the Ignore Rule reason and scope.
  • Add the details of your Time-Based Ignore Rule — you’ll click the “When does it expire?” dropdown to communicate the specific duration. (You can also click “Never” if you don’t want the Ignore Rule to expire.)
  • Apply the rule by clicking “Ignore.”

Note that you can apply Time-Based Ignore Rules to multiple issues at once using bulk actions. After multi-selecting a group of issues on the Issues page, you can create a Time-Based Ignore Rule and apply it to the whole group.

Editing an Existing Ignore Rule

If you have a Time-Based Ignore Rule set up and you navigate to the Rules page, you can click on the clock icon to extend the rule.

When a Time-Based Ignore Rule is in effect, you will not see the associated Issue in scans or reports.

A Time-Based Ignore Rule will automatically be removed on the day after its expiration date. At that point, any issues that were ignored only by that specific rule will become visible again in your scans and reports.
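The expiry behavior described above can be modeled to forecast which issues will resurface on a given date. This is an added example, not FOSSA code or the FOSSA API: the `IgnoreRule` type, the issue IDs, and the rule data are constructed for illustration, and it assumes a rule is still in effect on its expiration date itself (since removal happens the day after).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class IgnoreRule:
    """Hypothetical record of an ignore rule (not a FOSSA data structure)."""
    name: str
    issue_ids: frozenset
    expires: Optional[date]  # None models the "Never" expiry option


def is_active(rule: IgnoreRule, today: date) -> bool:
    # Assumption: the rule is removed the day AFTER its expiration date,
    # so it still hides issues on the expiration date itself.
    return rule.expires is None or today <= rule.expires


def visible_issues(all_issues, rules, today: date) -> set:
    """Issues that no active rule is ignoring on `today`."""
    ignored = set()
    for rule in rules:
        if is_active(rule, today):
            ignored |= rule.issue_ids
    return set(all_issues) - ignored


def resurfacing(all_issues, rules, start: date, end: date) -> set:
    """Issues hidden on `start` that are visible again on `end`."""
    return visible_issues(all_issues, rules, end) - visible_issues(all_issues, rules, start)


# Constructed sample data: three issues and three overlapping rules.
ISSUES = {"VULN-A", "VULN-B", "LIC-C"}
RULES = [
    IgnoreRule("no-fix-yet", frozenset({"VULN-A", "VULN-B"}), date(2025, 7, 31)),
    IgnoreRule("not-reachable", frozenset({"VULN-B"}), date(2025, 9, 30)),
    IgnoreRule("legal-approved", frozenset({"LIC-C"}), None),
]

if __name__ == "__main__":
    for day in (date(2025, 7, 31), date(2025, 8, 1), date(2025, 10, 1)):
        print(day, sorted(visible_issues(ISSUES, RULES, day)))
```

VULN-B stays hidden after the first rule lapses because a second rule still covers it, which is the "ignored only by that specific rule" condition in practice.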

Get Started with Time-Based Ignore Rules

In cases where a team or organization needs to create exceptions to security, license compliance, and/or quality policies — but doesn’t want those exceptions to last indefinitely — Time-Based Ignore Rules offer a straightforward and effective solution.

If you’re a current FOSSA business or enterprise tier user and have questions or would like more information about Time-Based Ignore Rules, please reach out to your customer success contact. If you aren’t a current FOSSA business or enterprise user, please get in touch with our team.

You can also view our documentation for more information on this feature.
