Upgrading vulnerable packages

Edit online

You can upgrade vulnerable open source dependencies directly from Concert Secure Coder after running a Software Composition Analysis (SCA) scan.

When an SCA scan identifies vulnerable packages, Concert Secure Coder can recommend non-vulnerable package versions. You can review the recommendations and apply upgrades directly from the scan results.

Before you begin

Ensure that:
  • Concert Secure Coder is installed and authenticated.
  • Software Composition Analysis (SCA) scanning is enabled for your organization.
  • You completed an SCA scan that identified vulnerable packages.
Note: SCA scanning is available only when Software Composition Analysis (SCA) capabilities are enabled for your organization.

Upgrading an individual package

  1. In the Concert Secure Coder panel, click Workspace scans.
  2. Run a Software Composition Analysis (SCA) scan.
  3. Review the scan results.

    Vulnerable packages are displayed with their current version and recommended upgrade version.

  4. Locate the package that you want to upgrade.
  5. If an upgrade is available, click Apply upgrade.

    Concert Secure Coder updates the package dependency to the recommended version.

  6. Review the proposed dependency changes.
  7. Save the updated dependency files.
  8. Rebuild your application if required.
  9. Run the SCA scan again to verify that the vulnerability is no longer reported.

Upgrade multiple packages

If multiple packages can be upgraded, Concert Secure Coder might provide an Upgrade vulnerable packages view that consolidates available package upgrades.
  1. Open the Upgrade vulnerable packages view.
  2. Review the packages that have recommended upgrades.
  3. Select the packages that you want to upgrade.
  4. Apply the upgrades.
  5. Review and validate the updated dependencies.
  6. Run another SCA scan to confirm that the vulnerabilities are resolved.
Note: Automatic package upgrades are currently supported only for projects that use NPM (Node Package Manager) to manage dependencies.

Important considerations

  • Review all dependency changes before committing them to source control.
  • Test your application after upgrading dependencies.
  • Some dependency upgrades can introduce compatibility changes that require additional validation.
  • If a recommended upgrade is not available, review the package documentation and update the dependency manually.

Next steps

After upgrading vulnerable packages, rerun SCA scans and validate application functionality to confirm that the vulnerabilities have been resolved.