
Automatic Remediation Pull Requests are not created

Introduction

Automatic Remediation Pull Requests (PRs) are created when a vulnerability is discovered in a repository that can be fixed by upgrading the version of the dependency. These are created by Remediate/Renovate and can be blocked with certain settings. Here are some important settings to check to make sure your PRs are getting created.

Settings to Check

Workflow Rules (Legacy Mend UI only)

If you do not have workflow rules configured in the Integration settings, the Legacy Mend UI can set workflow rules from inside the UI. To get to these, have a Mend Administrator in your organization navigate to: Admin > Integration > Workflow Rules under Integration. If you do have workflow rules set up in this area, it is advised to remove them and set them in the Repository Configuration.

NOTE: Workflow Rules in the Legacy Mend UI get overridden by the "workflowRules" section in any .whitesource or repo-config.json file.

Workflow Rules (Configuration File)

Another setting to check when troubleshooting Fix Pull Requests is the workflow rules in either your .whitesource or repo-config.json files. As a rule, any settings in a .whitesource file automatically override any settings in a repo-config.json file. Naturally, a user should check the .whitesource file in question to make sure there are no settings that would prevent a Fix Pull Request. Here is what the settings should look like:

JSON
{
  "remediateSettings": {
    "workflowRules": {
      "enabled": true,
      "minVulnerabilitySeverity": "LOW"
    }
  }
}

The "minVulnerabilitySeverity" setting is optional, and by default is set to LOW. This can be changed to only provide Fix Pull Requests for higher severities. However, this will mean that lower severities will NOT get PRs created.

If this setting is not present in the .whitesource file, then make sure that it is in your repo-config.json if one is present. If this setting is not present in either, then it should be added.
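The check described in this section can be scripted. The following is an added example, not Mend's own code: it resolves which "workflowRules" block takes effect (.whitesource first, then repo-config.json) and lists anything that would stop Fix Pull Requests, including a file that fails to parse as JSON. The function names, the severity scale beyond LOW, the assumption that repo-config.json uses the same "remediateSettings" layout, and falling back to repo-config.json when .whitesource is unparsable are all assumptions.

```python
import json

# Assumed severity scale; the page itself only names LOW (the default).
SEVERITIES = ("LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample inputs (not taken from a real repository).
BROKEN_WHITESOURCE = '{"remediateSettings": {"workflowRules": {"enabled": true "minVulnerabilitySeverity": "LOW"}}}'
REPO_CONFIG_HIGH = '{"remediateSettings": {"workflowRules": {"enabled": true, "minVulnerabilitySeverity": "HIGH"}}}'

def load_rules(text):
    """Parse one config file's text; return (workflowRules or None, error or None)."""
    if text is None:  # file not present in the repository
        return None, None
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"
    settings = doc.get("remediateSettings") if isinstance(doc, dict) else None
    rules = settings.get("workflowRules") if isinstance(settings, dict) else None
    return (rules if isinstance(rules, dict) else None), None

def diagnose(whitesource_text, repo_config_text):
    """List reasons the workflow rules could be blocking Fix Pull Requests."""
    findings, effective, source = [], None, None
    # .whitesource is checked first because its settings override repo-config.json.
    for name, text in ((".whitesource", whitesource_text), ("repo-config.json", repo_config_text)):
        rules, error = load_rules(text)
        if error:
            findings.append(f"{name}: {error}")
        elif rules is not None and effective is None:
            effective, source = rules, name
    if effective is None:
        findings.append("workflowRules is not set in either file and should be added")
        return findings
    if effective.get("enabled") is not True:
        findings.append(f"{source}: workflowRules.enabled is not true")
    severity = str(effective.get("minVulnerabilitySeverity", "LOW")).upper()
    if severity not in SEVERITIES:
        findings.append(f"{source}: unrecognised minVulnerabilitySeverity {severity!r}")
    elif severity != "LOW":
        findings.append(f"{source}: minVulnerabilitySeverity is {severity}; lower severities get no Fix PRs")
    return findings

if __name__ == "__main__":
    for line in diagnose(BROKEN_WHITESOURCE, REPO_CONFIG_HIGH) or ["no blocking workflow rule found"]:
        print(line)
```

Pass each file's contents as a string, or None when the file does not exist; an empty result means the workflow rules are not what is blocking the PRs.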

Renovate Settings

Make sure any Renovate settings in your .whitesource, repo-config.json, or renovate.json files are valid. Improper Renovate settings can cause Renovate to not run properly. Check https://docs.renovatebot.com as well as Common Renovate Configurations for more information.

Remediate and Renovate Conflicts

If both Renovate and Remediate are enabled, then certain settings (i.e. Smart Merge Control) can create conflicts between the two, and create a situation where no PRs are created. In this instance it is best to remove one of these settings and continue to troubleshoot until the conflict is identified properly.

Host Rule Implementation

Make sure that the host rules in your configuration files are correct and can authenticate to your private registry properly. Refer to our Host Rule Implementation guides to double-check your implementation. Host rules specifically for Renovate can be configured by putting them in the "remediateSettings" section of your .whitesource or repo-config.json file. If they are set there, they will not be considered during an SCA scan.
