
Mend issue states "Remediation Possible" but no Remediate pull request was created

When reviewing Dependency issues created by the Mend Repository integration, you will see a list of all vulnerabilities associated with the library and whether remediation is possible for the given vulnerabilities. In some situations, a Remediation PR cannot be generated even if Mend states that a remediation is available. This document provides some examples of cases where Remediation is possible but no PR will be generated.

When will automatic Remediation be attempted

The presence of a green check box is controlled by whether there is a “Fixed in” value present. This does not take into account whether Remediate is able to make the update or not.

Automated Remediation will be attempted if the following conditions are met:

  1. Package is in one of the supported Remediate languages.

    1. Go

    2. Java

    3. NPM

    4. Nuget

    5. PHP

    6. Python

  2. There is a minimum fix version available.

  3. Minimum fix version is a valid version number and has only one value.

  4. Minimum fix upgrades to the same package as the direct dependency.

  5. Remediate can find the package in the package manifest and can modify a version number.

For more information see: Mend Remediate and Renovate - What happens when Remediation is available

Examples where Remediation is possible but no pull request is created

Fixed In Version is a different dependency

In this issue, the Fixed in version is a different dependency than the dependency the issue was found in. This can happen because the dependency is potentially outdated, abandoned or never fixed. It is possible to remediate the vulnerability by using one of the listed packages, but Remediate is unable to make that update.

slowcheetah.png

Package Manifest does not contain a version

If the package manifest does not contain a version number, for example because the version is inherited from a parent/global package manifest, Remediate will not be able to generate a PR since there is no version number to modify.

springboot.png
springboot no version.png
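
One way to spot this case before waiting for a pull request, as an added example that is not part of Mend's documentation or tooling: the Python script below lists the direct dependencies in a Maven pom.xml that declare no <version> element, along with the parent POM they would inherit from. It assumes a Maven manifest; the sample POM and the function name versionless_dependencies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest (not from the Mend page): one dependency inherits
# its version from the parent POM, the other pins it explicitly.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.0</version>
  </parent>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>pinned-lib</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>"""


def versionless_dependencies(pom_xml):
    """Return (parent_coordinates, [group:artifact, ...]) for direct
    dependencies that have no <version> element to modify."""
    root = ET.fromstring(pom_xml)
    # POMs normally carry the Maven namespace; tolerate ones that do not.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""

    def text(elem, tag):
        child = elem.find(ns + tag)
        return child.text.strip() if child is not None and child.text else None

    parent = root.find(ns + "parent")
    parent_coords = None
    if parent is not None:
        parts = (text(parent, t) or "?" for t in ("groupId", "artifactId", "version"))
        parent_coords = ":".join(parts)
    missing = [
        f"{text(dep, 'groupId')}:{text(dep, 'artifactId')}"
        for dep in root.findall(f"{ns}dependencies/{ns}dependency")
        if text(dep, "version") is None
    ]
    return parent_coords, missing


if __name__ == "__main__":
    print(versionless_dependencies(SAMPLE_POM))
```

Dependencies reported here have to be updated where the version is actually defined, such as the parent manifest, rather than in this file.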

Package is downloaded locally instead of being defined in a package manifest

Remediate is only able to make changes to a supported package manifest file. If the dependency is downloaded locally, Remediate will be unable to generate a PR for that dependency.

File not in package manifest.png