
Package Health in Mend SCA

Overview

The Package Health section, under the Recommended Fix tab of a package in Mend SCA, gives you additional insight into the optimal upgrade path for your vulnerable package so that you can minimize risk.

In some cases, upgrading to the latest version of a package is not necessarily the optimal mitigation plan, for example because the latest version might expose you to new risks or it might be considered less stable than some older versions.

For this reason, Mend.io lets you plan your mitigation using the Least Vulnerable Package approach. The Package Health feature complements this approach by providing additional information on the package versions you may consider upgrading to in your mitigation plan.

Figure: Mend.io’s recommendation is to upgrade to version 1.19.2 even though the latest version is 1.19.4.

Getting it done

Mend Platform UI

The Package Health section displays the following badges on the package version:

  • Age: The age of the package

  • Adoption: The percentage of this package's users who are on this release

  • Passing: The percentage of updates which have passing tests for this package

  • Confidence: The confidence level for this update


In addition, Mend SCA displays the Risk Reduction table, which helps you decide whether to upgrade to a given version based on the overall Risk Change as well as the risk avoided per severity level.

The package health indicators are designed to help you upgrade a vulnerable library to a stable version. By consulting these indicators, you can confirm that the selected version is reliable. Avoid versions that are old, have low adoption or passing percentages, or have low confidence scores.
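To make the selection rule concrete, here is an added Python illustration (not Mend's code; the severity weights, health thresholds and version data are constructed assumptions) of choosing the least vulnerable healthy version and computing the corresponding Risk Reduction row:

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical weights and thresholds; Mend's actual scoring is not on this page.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Version:
    name: str
    vulns: dict           # severity -> number of known vulnerabilities
    age_days: int         # "Age" badge
    adoption_pct: float   # "Adoption" badge
    passing_pct: float    # "Passing" badge
    confidence: str       # "Confidence" badge: "low", "neutral" or "high"

def risk_score(v: Version) -> int:
    """Weighted count of known vulnerabilities; the quantity to minimize."""
    return sum(SEVERITY_WEIGHT[s] * v.vulns.get(s, 0) for s in SEVERITY_WEIGHT)

def is_healthy(v: Version, max_age_days=730, min_adoption=10.0, min_passing=80.0) -> bool:
    """Reject versions whose package-health badges mark them as risky to adopt."""
    return (v.age_days <= max_age_days
            and v.adoption_pct >= min_adoption
            and v.passing_pct >= min_passing
            and v.confidence != "low")

def risk_reduction(current: Version, target: Version) -> dict:
    """Vulnerabilities removed per severity by upgrading (one Risk Reduction row)."""
    return {s: current.vulns.get(s, 0) - target.vulns.get(s, 0) for s in SEVERITY_WEIGHT}

def recommend(current: Version, candidates: list) -> Optional[Version]:
    """Least Vulnerable Package: lowest risk among healthy candidates; on a tie,
    prefer the release that more of the package's users have already adopted."""
    healthy = [v for v in candidates if is_healthy(v)]
    if not healthy:
        return None
    return min(healthy, key=lambda v: (risk_score(v), -v.adoption_pct))

# Constructed data modelled on the screenshot above: the latest release is new,
# barely adopted and failing dependents' tests, so 1.19.2 is recommended instead.
CURRENT = Version("1.18.0", {"critical": 1, "high": 2}, 600, 35.0, 90.0, "high")
CANDIDATES = [
    Version("1.19.0", {"high": 1}, 300, 20.0, 88.0, "neutral"),
    Version("1.19.2", {}, 120, 30.0, 95.0, "high"),
    Version("1.19.4", {}, 5, 3.0, 60.0, "low"),
]

if __name__ == "__main__":
    best = recommend(CURRENT, CANDIDATES)
    print(best.name, risk_reduction(CURRENT, best))  # prints "1.19.2 {...}"
```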

At this point, you can create a Jira ticket that includes the recommended fix. Kindly note that this is applicable to root packages only.


You can create the Jira issue by clicking the ‘Create Issue’ button at the bottom-right corner of the finding details screen:


Repository Integrations

The Package Health information is also available in the Repository Integrations for customers using Renovate, where it is known as “Merge Confidence”.

For additional information about that feature, kindly refer to this article.
