How to Enable Renovate for Mend Repository Integrations

This article explains what Renovate does, how to enable it, and how to configure it for your Mend for Developers integrations.

What does Renovate do?

Renovate is a proactive tool that monitors your dependencies (vulnerable or otherwise) and creates a pull request when a new version is available. It does not scan your project for vulnerabilities or licenses; instead, it monitors dependency versions and opens pull requests to update your outdated dependencies.

How do I enable Renovate?

Renovate supports a range of different filenames for configuration. However, for the Mend Remediate (WS-4-Devs) integration, only the .whitesource configuration file is used. Renovate is disabled by default and can be enabled by setting remediateSettings.enableRenovate = true like so:

{
  "remediateSettings": {
    "enableRenovate": true
  }
}

How do I configure Renovate?

Renovate is configured by adding configuration settings to the remediateSettings section of the .whitesource file (as seen above). If you have a renovate.json file, you can simply copy its settings and paste them into the remediateSettings section. After that, you may remove the renovate.json file.

You can find all of the Renovate configuration options on Renovate’s documentation site.
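
The copy step described above can be scripted when many repositories need the same change. The following is an added example, not Mend's or Renovate's own code: the function name, the sample inputs and the choice to stop on conflicting keys are assumptions made for illustration.

```python
import copy
import json
import sys


def merge_renovate_config(whitesource: dict, renovate: dict) -> dict:
    """Return a copy of the .whitesource config with the renovate.json
    settings placed under remediateSettings and Renovate enabled."""
    merged = copy.deepcopy(whitesource)  # never mutate the caller's data
    remediate = merged.setdefault("remediateSettings", {})
    if not isinstance(remediate, dict):
        raise ValueError("remediateSettings must be a JSON object")
    for key, value in renovate.items():
        # Refuse to silently overwrite a setting that already exists with a
        # different value; the operator has to decide which one is intended.
        if key in remediate and remediate[key] != value:
            raise ValueError(f"conflicting values for {key!r}")
        remediate[key] = copy.deepcopy(value)
    # Renovate is disabled by default in the integration, so switch it on.
    remediate["enableRenovate"] = True
    return merged


# Constructed sample inputs (illustrative, not from a real repository).
SAMPLE_WHITESOURCE = {
    "scanSettings": {"baseBranches": []},
    "remediateSettings": {"enableRenovate": False},
}
SAMPLE_RENOVATE = {
    "extends": ["config:base"],
    "schedule": ["before 5am on monday"],
}

if __name__ == "__main__":
    # Usage: python merge_renovate.py .whitesource renovate.json
    # With no arguments the constructed samples above are merged instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as ws, open(sys.argv[2]) as rn:
            result = merge_renovate_config(json.load(ws), json.load(rn))
    else:
        result = merge_renovate_config(SAMPLE_WHITESOURCE, SAMPLE_RENOVATE)
    json.dump(result, sys.stdout, indent=2)
    print()
```

The script writes the merged configuration to standard output rather than editing files in place, so the result can be reviewed before it replaces .whitesource and before renovate.json is removed.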

Frequently asked questions:

What is the difference between Renovate and Remediate?

Renovate creates a pull request for outdated libraries (regardless of vulnerabilities). Remediate creates a pull request only for direct dependencies with vulnerabilities.

Do my Mend scan settings impact Renovate?

When you enable Renovate, it will check all of your libraries on a schedule (specified by you in the configuration) and will open pull requests to update any outdated libraries. This will occur regardless of whether the outdated library is vulnerable or not.

Remediate will only create pull requests for vulnerable libraries. Therefore, even though neither Renovate nor Remediate directly looks at your Mend scan configuration (whitesource.config), Remediate is impacted by the configuration since it creates pull requests based on the vulnerabilities the Mend scan identifies. If your Mend scans exclude scanning Gradle packages, for example, no vulnerabilities associated with dependencies included in your project via a build.gradle file will be found. Therefore, Remediate will not open pull requests for any dependencies included in your build.gradle file.

The configuration in your .whitesource file will impact the Renovate and Remediate processes. However, these configurations are included in the Remediate block and therefore don't affect your Mend scan.

Additional Resources:

You can find more information about Renovate in the following documents:
