
Proactive Remediation vs. Reactive Remediation

Proactive Remediation (Renovate)

Many of a repository's dependency vulnerabilities can be resolved simply by keeping the dependencies up to date. Renovate helps you fix these vulnerabilities proactively by keeping packages current, rather than waiting for a vulnerability to be published against a version you are already using.

About Renovate

At its core, Renovate is a simple tool that finds dependencies in a repository, looks them up in a public registry, and then determines if there are any newer versions to update to, suggesting Pull Requests where applicable. Due to the vast differences between package managers, versioning, and more, there is a very large number of configurations that can be used to make sure Renovate works how you need it to. More information on configuring Renovate can be found at the Renovate Documentation Website.

Pros

- Being on the latest version ensures you have the latest security patches before a vulnerability can get published to the NVD or other vulnerability indexes
- If Renovate has the proper permissions, then automatic dependency updates without Pull Requests are possible
- Has the ability to update internal dependencies from a private registry as well as public dependencies with the use of host rules
- Can help reduce overall tech debt in a repository

Cons

- Large changes in versions are more likely to introduce breaking changes to your pipeline

Example Renovate Configuration

Here is an example of a .whitesource file for a Mend Repository Integration that has Renovate enabled.

JSON
{
  "scanSettings": {
    ...
  },
  "checkRunSettings": {
    ...
  },
  "remediateSettings": {
    "enableRenovate": true,
    "workflowRules": {
      "enabled": false
    }
    // Any Renovate-specific configurations here.
  }
}

Reactive Remediation (Mend Remediate)

Reactive Remediation is the process of updating dependencies after vulnerabilities have been reported for that library. Mend Remediate uses the results from SCA scans to determine which packages need to be updated in order to fix vulnerabilities. This allows security teams to focus directly on vulnerabilities when crucial, as opposed to updating all dependencies inside the project.

About Mend Remediate

Remediate is an add-on built into Renovate for Mend Repository Integrations. It takes the dependencies from an SCA scan and looks up the fix version for each CVE. From there, pull requests are created in the same manner as Renovate.

Pros

- Is less likely to introduce breaking changes
- Allows users to prioritize higher severity vulnerabilities as opposed to keeping all dependencies up to date
- Has the ability to detect vulnerabilities in packages downloaded from a private registry with the use of host rules, as long as those dependencies match what is in public registries

Cons

- Not as efficient as Renovate in reducing tech debt
- Only helps fix vulnerabilities in open source dependencies and does not resolve internally-developed libraries
- Only suggests a pull request to the version that fixes the current vulnerability, which could end up introducing a new one

Example Mend Remediate Configuration

Here is an example of a .whitesource file for a Mend Repository Integration that has Mend Remediate enabled with recommended settings.

JSON
{
  "scanSettings": {
    ...
  },
  "checkRunSettings": {
    ...
  },
  "remediateSettings": {
    "workflowRules": {
      "enabled": true
    }
  }
}
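As an added example (not part of the Mend documentation or product), the following Python check reads a .whitesource file, strips the // comments that the examples above carry but strict JSON rejects, and reports which remediation mode the remediateSettings block enables. The mapping it assumes is taken from the two examples on this page: "enableRenovate": true means proactive (Renovate) and "workflowRules": {"enabled": true} means reactive (Mend Remediate).

```python
import json

# Constructed samples: the two remediateSettings blocks shown on this page,
# scanSettings/checkRunSettings omitted, with the // comment the first one carries.
RENOVATE_EXAMPLE = """{
  "remediateSettings": {
    "enableRenovate": true,
    "workflowRules": { "enabled": false }
    // Any Renovate-specific configurations here.
  }
}"""
REMEDIATE_EXAMPLE = """{
  "remediateSettings": { "workflowRules": { "enabled": true } }
}"""

def strip_line_comments(text: str) -> str:
    """Drop // comments outside string literals so strict json.loads accepts the file."""
    out = []
    for line in text.splitlines():
        in_str, esc, cut = False, False, len(line)
        for i, ch in enumerate(line):
            if esc:
                esc = False
            elif ch == "\\" and in_str:
                esc = True
            elif ch == '"':
                in_str = not in_str
            elif not in_str and line.startswith("//", i):
                cut = i
                break
        out.append(line[:cut])
    return "\n".join(out)

def remediation_mode(whitesource_text: str) -> str:
    """Classify a .whitesource file as 'proactive', 'reactive', 'both' or 'none'.
    Assumption from this page's examples: enableRenovate -> Renovate, workflowRules.enabled -> Remediate."""
    cfg = json.loads(strip_line_comments(whitesource_text))
    settings = cfg.get("remediateSettings")
    if not isinstance(settings, dict):
        return "none"
    proactive = settings.get("enableRenovate") is True
    rules = settings.get("workflowRules")
    reactive = isinstance(rules, dict) and rules.get("enabled") is True
    if proactive and reactive:
        return "both"
    return "proactive" if proactive else "reactive" if reactive else "none"
```

Running it over every .whitesource file in your organisation gives a quick inventory of which repositories rely on proactive updates, which only react to reported CVEs, and which have neither enabled.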