Remediate package dependency vulnerabilities with Secure Coder

Use IBM Concert Secure Coder in the browser to investigate package dependency vulnerabilities, review remediation recommendations, and generate pull requests with recommended fixes.

Before you begin

Ensure that:
  • Secure Coder is enabled in IBM Concert.
  • You have access to Secure Coder in the browser. For more information, see Access Secure Coder in the browser.
  • You have a valid IBM Bobshell API key.
  • Your personal access token (PAT) has read and write access to the target repository.
  • Vulnerability findings and remediation actions are available in IBM Concert.
  • You have access to the repository that is associated with the remediation action.

Procedure

  1. Open Secure Coder in the browser.
  2. Start a remediation session.
  3. Select the remediation action that you want to review.
  4. Review the repository and vulnerability information.

    Secure Coder clones the repository that is associated with the selected remediation action and prepares a workspace for analysis and remediation activities.

  5. Review the remediation plan.
    Secure Coder analyzes the repository and vulnerability information and generates a remediation plan that can include:
    • Recommended dependency upgrades
    • Risk considerations
    • Potential impacts
    • Compatibility considerations
    • Additional remediation recommendations
  6. Confirm the proposed plan and recommended changes before proceeding.
  7. Execute the remediation.

    Secure Coder creates a remediation branch, applies the recommended dependency updates, and performs validation activities.

  8. Review the validation results.

    Verify that the proposed changes address the identified vulnerabilities and do not introduce unexpected issues.

  9. Generate a pull request.
    Secure Coder commits and pushes the remediation changes and creates a pull request that includes:
    • A summary of the implemented fixes
    • Validation results
    • Information about the remediated vulnerabilities
    • Additional remediation recommendations, when applicable
  10. Review the generated pull request, including the manifest and lock file changes in the diff, and follow your organization's standard review and approval process.

Results

The remediation changes are committed to a dedicated remediation branch and a pull request is created for review.

The pull request can then be reviewed, approved, and merged according to your organization's software development practices.

What happens during remediation

Secure Coder typically performs the following activities during the remediation workflow:
  • Clone the repository.
  • Review and generate a remediation plan.
  • Execute the remediation.
  • Validate the proposed changes.
  • Create a pull request.
Important:
  • Secure Coder in the browser currently supports remediation of package dependency vulnerabilities only.
  • Secure Coder might intermittently fail to update dependency lock files such as package-lock.json, leaving the lock file out of sync with the updated manifest.
  • Review all generated changes before merging the pull request.
  • If the lock file was not updated, regenerate it manually (for example, with the package manager's lock-only install) and add it to the remediation branch before merging.
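The lock-file caveat above is the one most likely to slip through a quick pull request review: package.json shows the upgraded version while package-lock.json still resolves the vulnerable one, so a `npm ci` in CI installs the old code or fails outright. The following script is an added example, not part of IBM Concert or Secure Coder, that a reviewer can run against a remediation branch to catch that state before merge. It reads a package.json and an npm v2/v3 lockfile (the `packages` map), and reports every declared dependency whose lockfile root spec differs from the manifest, that has no `node_modules/<name>` entry, or whose locked version does not satisfy the declared range. The range checker is deliberately minimal (exact, caret and tilde only) and flags anything else as unchecked rather than guessing. The two embedded lockfiles are constructed sample data: one stale (lodash bumped in the manifest only) and one consistent.

```python
"""Check that package-lock.json agrees with package.json after a dependency bump.

Added example for reviewing a Secure Coder remediation branch; not part of
IBM Concert. Handles npm lockfile v2/v3 (the "packages" map) and a subset
of semver ranges (exact, ^, ~). Anything else is reported as unchecked.
"""
import json
import re

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) or None when the string is not X.Y.Z-like."""
    match = SEMVER.match(text or "")
    return tuple(int(x) for x in match.groups()) if match else None


def satisfies(spec, version):
    """Minimal semver check. True/False for exact, ^ and ~ ranges; None if unsupported."""
    ver = parse_version(version)
    if ver is None:
        return None
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        if base is None:
            return None
        if base[0] > 0:            # ^1.2.3 -> >=1.2.3 <2.0.0
            upper = (base[0] + 1, 0, 0)
        elif base[1] > 0:          # ^0.2.3 -> >=0.2.3 <0.3.0
            upper = (0, base[1] + 1, 0)
        else:                      # ^0.0.3 -> >=0.0.3 <0.0.4
            upper = (0, 0, base[2] + 1)
        return base <= ver < upper
    if spec.startswith("~"):       # ~1.2.3 -> >=1.2.3 <1.3.0
        base = parse_version(spec[1:])
        return None if base is None else base <= ver < (base[0], base[1] + 1, 0)
    base = parse_version(spec)     # exact pin, e.g. "4.17.21"
    if base is None or spec[0] in "<>=*":
        return None
    return ver == base


def find_lock_mismatches(pkg, lock):
    """Return a list of human-readable problems; an empty list means manifest and lock agree."""
    problems = []
    declared = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    packages = lock.get("packages")
    if packages is None:
        return ["lockfile has no 'packages' map (v1 format); regenerate it with a current npm"]
    root = packages.get("", {})
    root_declared = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    for name, spec in declared.items():
        if root_declared.get(name) != spec:
            problems.append(f"{name}: package.json wants {spec}, lockfile root records {root_declared.get(name)!r}")
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            problems.append(f"{name}: no node_modules/{name} entry in lockfile")
            continue
        result = satisfies(spec, entry.get("version", ""))
        if result is None:
            problems.append(f"{name}: range {spec!r} not checked (unsupported syntax)")
        elif not result:
            problems.append(f"{name}: locked {entry['version']} does not satisfy {spec}")
    for name in root_declared:
        if name not in declared:
            problems.append(f"{name}: recorded in lockfile root but absent from package.json")
    return problems


# Constructed sample data: the manifest was bumped to lodash ^4.17.21 but the
# stale lockfile still pins 4.17.15 and records the old root spec.
SAMPLE_PKG = json.loads('{"name": "demo-app", "version": "1.0.0", '
                        '"dependencies": {"express": "^4.18.2", "lodash": "^4.17.21"}}')
SAMPLE_LOCK_STALE = json.loads(
    '{"name": "demo-app", "lockfileVersion": 3, "packages": {'
    '"": {"name": "demo-app", "dependencies": {"express": "^4.18.2", "lodash": "^4.17.15"}}, '
    '"node_modules/express": {"version": "4.18.2"}, '
    '"node_modules/lodash": {"version": "4.17.15"}}}')
SAMPLE_LOCK_FIXED = json.loads(
    '{"name": "demo-app", "lockfileVersion": 3, "packages": {'
    '"": {"name": "demo-app", "dependencies": {"express": "^4.18.2", "lodash": "^4.17.21"}}, '
    '"node_modules/express": {"version": "4.18.2"}, '
    '"node_modules/lodash": {"version": "4.17.21"}}}')


if __name__ == "__main__":
    for label, lock in (("stale", SAMPLE_LOCK_STALE), ("fixed", SAMPLE_LOCK_FIXED)):
        issues = find_lock_mismatches(SAMPLE_PKG, lock)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

To use it on a real branch, replace the embedded samples with `json.load(open("package.json"))` and `json.load(open("package-lock.json"))`. A non-empty result means the branch needs `npm install --package-lock-only` (or the equivalent for your package manager) and a follow-up commit before the pull request is merged; an empty result only confirms manifest and lock agree, so still run the project's own install and test steps.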