Mend issue states "Remediation Possible" but no Remediate pull request was created
When reviewing Dependency issues created by the Mend Repository integration, you will see a list of all vulnerabilities associated with the library and whether remediation is possible for each of them. In some situations, a Remediation PR cannot be generated even though Mend states that a remediation is available. This document provides examples of cases where remediation is possible but no PR will be generated.
When will automatic Remediation be attempted
The presence of a green check box is controlled only by whether a "Fixed in" value is present. It does not take into account whether Remediate is actually able to make the update or not.
Automated Remediation will be attempted if the following conditions are met:
Package is in one of the supported Remediate languages.
Go
Java
NPM
NuGet
PHP
Python
There is a minimum fix version available.
Minimum fix version is a valid version number and has only one value.
Minimum fix upgrades to the same package as the direct dependency.
Remediate can find the package in the package manifest and can modify a version number.
For more information see: Mend Remediate and Renovate - What happens when Remediation is available
Examples where Remediation is possible but no pull request is created
Fixed In Version is a different dependency
In this issue, the Fixed in version refers to a different dependency than the one the issue was found in. This can happen when the original dependency is outdated, abandoned, or was never fixed. It is possible to remediate the vulnerability by switching to one of the listed packages, but Remediate is unable to make that update automatically.
Package Manifest does not contain a version
If the package manifest does not contain a version number, for example because the version is inherited from a parent or global package manifest, Remediate will not be able to generate a PR since there is no version number to modify.
Package is downloaded locally instead of being defined in a package manifest
Remediate is only able to make changes to a supported package manifest file. If the dependency is downloaded locally rather than declared in a manifest, Remediate will be unable to generate a PR for that dependency.
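To make the conditions listed above and the three example cases concrete, here is an added triage helper (not Mend's own code) that applies those conditions to a finding and reports why no PR would be generated. The Finding data shape, the version pattern and the sample package names are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Remediate-supported languages, as listed on this page.
SUPPORTED_LANGUAGES = {"go", "java", "npm", "nuget", "php", "python"}
# Assumed "valid version number" shape; Remediate's own rule may be stricter.
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")

@dataclass
class Finding:
    language: str
    package: str                 # direct dependency the issue was raised against
    fixed_in: list               # (package, version) pairs from the "Fixed in" field
    manifest: dict = field(default_factory=dict)  # package -> declared version, None if inherited

def shows_green_check(f: Finding) -> bool:
    """The check box only reflects that some 'Fixed in' value exists."""
    return bool(f.fixed_in)

def pr_expected(f: Finding):
    """(True, 'ok') if every condition for an automatic PR holds, else (False, reason)."""
    if f.language.lower() not in SUPPORTED_LANGUAGES:
        return False, "language not supported by Remediate"
    if not f.fixed_in:
        return False, "no minimum fix version"
    if len(f.fixed_in) != 1:
        return False, "minimum fix has more than one value"
    fix_pkg, fix_ver = f.fixed_in[0]
    if not VERSION_RE.match(fix_ver):
        return False, "minimum fix is not a valid version number"
    if fix_pkg != f.package:
        return False, "fixed-in version is a different dependency"
    if f.package not in f.manifest:
        return False, "package not found in a supported manifest (downloaded locally?)"
    if f.manifest[f.package] is None:
        return False, "manifest has no version number to modify (inherited)"
    return True, "ok"

# Constructed sample findings (placeholder package names, not real Mend data).
CASE_OK = Finding("npm", "example-lib", [("example-lib", "4.2.1")], {"example-lib": "4.1.0"})
CASE_OTHER_PKG = Finding("java", "old-lib", [("new-lib", "2.0.0")], {"old-lib": "1.0.0"})
CASE_INHERITED = Finding("java", "shared-lib", [("shared-lib", "1.5")], {"shared-lib": None})
CASE_LOCAL = Finding("python", "vendored-lib", [("vendored-lib", "3.1.0")])
CASE_RANGE = Finding("nuget", "Foo.Bar", [("Foo.Bar", ">=1.2.3")], {"Foo.Bar": "1.0.0"})

if __name__ == "__main__":
    for name, case in [("ok", CASE_OK), ("other package", CASE_OTHER_PKG),
                       ("inherited", CASE_INHERITED), ("local", CASE_LOCAL), ("range", CASE_RANGE)]:
        print(name, "green check:", shows_green_check(case), "PR:", pr_expected(case))
```

Every sample case shows the green check because a "Fixed in" value exists, yet only CASE_OK satisfies all the conditions for a PR.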