Overview
Use Packages to review dependency packages discovered from manifests across repositories. Package views help you answer where a dependency is used, which versions are present, which repositories contain it, and whether it has linked vulnerabilities or policy issues. Package versions are shown inside package details.When to use packages
- Find every repository or manifest using a package
- Compare direct and transitive usage
- Review package versions in use
- Check package and version licenses
- Review OpenSSF scorecard data when available
- Drill into active dependency vulnerabilities
- Manage package policy decisions or rules when policies are enabled
Package list
The Packages list shows package name, type, licenses, version count, OpenSSF score, active vulnerabilities, recent advisories, usage, repositories, first seen date, last updated date, policy status when policies are enabled, and row actions. Use the list to filter by:- Package type
- Package name
- Namespace
- Package URL
- Direct, transitive, or combined usage
- Whether vulnerabilities are present
- OpenSSF score
- Recent advisories
- License
- License status
Package detail view
Open a package to review:| Section | What it shows |
|---|---|
| Details | Package URL, type, namespace when available, name, first seen date, and package data sync time when available. |
| Licensing | License names, license IDs, OSI approval status, deprecated status, and links to license references when available. |
| OpenSSF Scorecard | Overall score and individual scorecard checks when scorecard data is available. |
| Package Versions | Versions observed in manifests, version licenses, package URLs, direct usage, transitive usage, total manifests, repositories, linked vulnerabilities, and first seen date. |
| Summary | Total versions, direct usage, transitive usage, total manifests, repositories, vulnerabilities, license count, OpenSSF score, and policy state when available. |
Usage drilldowns
Usage counts on package and package version details link to filtered views:| Count | Opens |
|---|---|
| Direct Usage | Manifests where the package or version appears as a direct dependency. |
| Transitive Usage | Manifests where the package or version appears as a transitive dependency. |
| Total Manifests | Manifests that reference the package or version. |
| Repositories | Repositories that contain manifests referencing the package or version. |
| Vulnerabilities | Active dependency vulnerabilities linked to the package or version. |
Package versions
Package versions show version-specific usage and vulnerability data. Use package versions to decide whether risk is tied to every use of a package or to specific versions. A package version can show a different license set from the package summary when Cysmiq has version-specific license data.Policy status
When package policies are enabled, the package detail page can show policy state in the summary and package version rows. Public status labels include:- Compliant
- Violation
- Needs review
- Exception