Automatic Remediation Pull Requests are not created
Introduction
Automatic Remediation Pull Requests (PRs) are created when a vulnerability is discovered in a repository that can be fixed by upgrading the version of the dependency. These are created by Remediate/Renovate and can be blocked with certain settings. Here are some important settings to check to make sure your PRs are getting created.
Settings to Check
Workflow Rules (Legacy Mend UI only)
If you do not have workflow rules configured in the Integration settings, the Legacy Mend UI allows workflow rules to be set from inside the UI. To reach them, have a Mend Administrator in your organization navigate to Admin → Integration → Workflow Rules. If you do have workflow rules set up in this area, it is advised to remove them and set them in the Repository Configuration instead.
NOTE: Workflow Rules in the Legacy Mend UI are overridden by the "workflowRules" section in any .whitesource or repo-config.json file.
Workflow Rules (Configuration File)
Another setting to check when troubleshooting Fix Pull Requests is the workflow rules in either your .whitesource or repo-config.json files. As a rule, any settings in a .whitesource file automatically override any settings in a repo-config.json file. Naturally, a user should check the .whitesource file in question to make sure there are no settings that would prevent a Fix Pull Request. Here is what the settings should look like:
{
  "remediateSettings": {
    "workflowRules": {
      "enabled": true,
      "minVulnerabilitySeverity": "LOW"
    }
  }
}
The "minVulnerabilitySeverity" setting is optional and defaults to LOW. It can be raised so that Fix Pull Requests are only created for higher severities. However, this means that vulnerabilities below the chosen severity will NOT get PRs created.
If this setting is not present in the .whitesource file, make sure that it is in your repo-config.json, if one is present. If it is not present in either, it should be added.
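The checks above can be scripted. This is an added example, not Mend's own tooling: it parses the two configuration files, applies the precedence described above (.whitesource first, repo-config.json as fallback), and reports why Fix Pull Requests may not be created. The severity ordering is an assumption; the sample file contents are constructed.

```python
import json

# Assumed severity ordering (lowest first); adjust if your organisation differs.
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample files for the demonstration below.
SAMPLE_WHITESOURCE = '{"scanSettings": {"configMode": "AUTO"}}'  # no workflowRules
SAMPLE_REPO_CONFIG = '''{
  "remediateSettings": {
    "workflowRules": {"enabled": true, "minVulnerabilitySeverity": "HIGH"}
  }
}'''

def parse_config(text):
    """Parse a .whitesource / repo-config.json body; invalid JSON is itself a finding."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON ({exc.msg} at line {exc.lineno})"

def effective_workflow_rules(whitesource, repo_config):
    """Return (file name, workflowRules block): .whitesource wins, repo-config.json is fallback."""
    for name, cfg in ((".whitesource", whitesource), ("repo-config.json", repo_config)):
        rules = (cfg or {}).get("remediateSettings", {}).get("workflowRules")
        if rules is not None:
            return name, rules
    return None, None

def check_fix_pr_settings(whitesource=None, repo_config=None):
    """List reasons Fix PRs may not be created; an empty list means the rules look fine."""
    source, rules = effective_workflow_rules(whitesource, repo_config)
    if rules is None:
        return ["no remediateSettings.workflowRules in .whitesource or repo-config.json; add one"]
    findings = []
    if rules.get("enabled") is not True:
        findings.append(f"{source}: workflowRules.enabled is not true, Fix PRs are blocked")
    severity = str(rules.get("minVulnerabilitySeverity", "LOW")).upper()  # LOW is the default
    if severity not in SEVERITY_ORDER:
        findings.append(f"{source}: unknown minVulnerabilitySeverity {severity!r}")
    elif severity != "LOW":
        skipped = ", ".join(SEVERITY_ORDER[:SEVERITY_ORDER.index(severity)])
        findings.append(f"{source}: minVulnerabilitySeverity={severity}, so no PRs for {skipped}")
    return findings

if __name__ == "__main__":
    (ws, e1), (rc, e2) = parse_config(SAMPLE_WHITESOURCE), parse_config(SAMPLE_REPO_CONFIG)
    print("\n".join([e for e in (e1, e2) if e] + check_fix_pr_settings(ws, rc)))
```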
Renovate Settings
Make sure any Renovate settings in your .whitesource, repo-config.json, or renovate.json files are correct. Incorrect Renovate settings can cause Renovate not to run properly. Check https://docs.renovatebot.com as well as Common Renovate Configurations for more information.
Remediate and Renovate Conflicts
If both Renovate and Remediate are enabled, certain settings (e.g. Smart Merge Control) can create conflicts between the two and lead to a situation where no PRs are created. In this case it is best to remove one of these settings and continue troubleshooting until the conflict is properly identified.
Host Rule Implementation
Make sure that the host rules in your configuration files are correct and can authenticate to your private registry properly. Refer to our Host Rule Implementation guides to double-check your implementation. Host rules specifically for Renovate can be configured by putting them in the "remediateSettings" section of your .whitesource or repo-config.json file. If this is set, these host rules will not be considered during an SCA scan.