How do I manually solve a vulnerability with the Root fix solution?

  • 16 January 2023
  • 0 replies
  • 289 views


Currently, this feature is available for JavaScript, Java, Go, and NuGet. More languages are coming soon.


A Root fix points to the next version of the direct dependency in the dependency tree whose own dependency tree no longer contains a vulnerable version of the affected package. In simpler terms, a Root fix is a solution to a dependency vulnerability that starts at the root of the dependency tree.

By addressing the root of the vulnerability, Root fixes ensure that the entire dependency tree is updated, following the version constraints declared by the packages in it. This way of updating dependencies is generally preferred over updating the vulnerable transitive dependency directly, as it has a much lower risk of errors and breaking changes. It also eliminates the need to research manually which direct dependency update is required, saving developers valuable time.

To solve a vulnerability using the Root fix:

  1. Click on Repositories in the left side menu, and select your project. Here you can see a list of all the CVEs found.

  2. Click on one CVE to open the vulnerability page.

  3. Go to the Introduced through section and select the dependency file to analyze. In some cases, our scan can find more than one dependency file within your project. The closest secure version of the root package to update to is shown in green.

    If the Introduced through section shows "unknown", it is because we were unable to find a secure version that solves the vulnerability.

  4. Before updating the package, keep in mind that some packages might introduce breaking changes. To see if there is any risk, check the Breaking Changes section of the package's readme file.

  5. Update the package via the package manager (in this example, using npm: `npm install hbs@">=4.1.1"`).

  6. Commit and push the updates.

Once the scanning is completed, the repository should no longer have this vulnerability.
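The following is an added example, not code from the original article or from the scanning product it describes. It models how a Root fix can be computed for the two situations above: the normal case, where the next version of the direct dependency pulls in a patched transitive dependency, and the "unknown" case from step 3, where no version of the direct dependency avoids the vulnerable package. All package names (`root-pkg`, `stale-pkg`, `mid-lib`, `leaf-lib`), versions, dependency relationships and the "fixed in 2.0.0" vulnerability are constructed for illustration; only caret (`^`) ranges are supported, which is enough to show the resolution logic.

```javascript
// Added example (not from the original article). A miniature package registry,
// a caret-range resolver and a Root fix search over it. All data is constructed.

// Constructed registry: package -> version -> { dependency: constraint }
const REGISTRY = {
  'leaf-lib': { '1.0.0': {}, '1.4.2': {}, '2.0.0': {} },
  'mid-lib': {
    '1.0.0': { 'leaf-lib': '^1.0.0' },
    '1.1.0': { 'leaf-lib': '^1.0.0' },
    '2.0.0': { 'leaf-lib': '^2.0.0' },
  },
  // Direct dependency whose 4.1.1 release moves to a patched subtree.
  'root-pkg': {
    '4.0.0': { 'mid-lib': '^1.0.0' },
    '4.1.0': { 'mid-lib': '^1.0.0' },
    '4.1.1': { 'mid-lib': '^2.0.0' },
    '4.2.0': { 'mid-lib': '^2.0.0' },
  },
  // Direct dependency with no release that escapes the vulnerable subtree.
  'stale-pkg': {
    '1.0.0': { 'mid-lib': '^1.0.0' },
    '1.1.0': { 'mid-lib': '^1.0.0' },
  },
};

// Constructed advisory: leaf-lib is vulnerable in every version below 2.0.0.
const VULNERABLE_PACKAGE = 'leaf-lib';
const isVulnerable = (version) => compareVersions(version, '2.0.0') < 0;

// Compare two "major.minor.patch" strings numerically.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret range: same major version and not lower than the base version.
function satisfiesCaret(version, constraint) {
  if (!constraint.startsWith('^')) throw new Error(`unsupported range ${constraint}`);
  const base = constraint.slice(1);
  return version.split('.')[0] === base.split('.')[0] && compareVersions(version, base) >= 0;
}

// Pick the highest registry version that satisfies the constraint, as a package manager would.
function resolve(name, constraint) {
  const candidates = Object.keys(REGISTRY[name])
    .filter((v) => satisfiesCaret(v, constraint))
    .sort(compareVersions);
  if (candidates.length === 0) throw new Error(`no version of ${name} satisfies ${constraint}`);
  return candidates[candidates.length - 1];
}

// Resolve the full subtree under name@version into a Map of "name@version" -> { name, version }.
function resolveTree(name, version, seen = new Map()) {
  const key = `${name}@${version}`;
  if (seen.has(key)) return seen;
  seen.set(key, { name, version });
  for (const [dep, constraint] of Object.entries(REGISTRY[name][version])) {
    resolveTree(dep, resolve(dep, constraint), seen);
  }
  return seen;
}

// True if any resolved node is a vulnerable version of the affected package.
function treeHasVulnerable(tree, vulnName, vulnPredicate) {
  return [...tree.values()].some((n) => n.name === vulnName && vulnPredicate(n.version));
}

// Root fix: the lowest version of the direct dependency, above the one currently
// installed, whose resolved subtree contains no vulnerable version. Returns null
// when no such version exists (the "unknown" case in the Introduced through section).
function findRootFix(rootName, currentVersion, vulnName, vulnPredicate) {
  const candidates = Object.keys(REGISTRY[rootName])
    .filter((v) => compareVersions(v, currentVersion) > 0)
    .sort(compareVersions);
  for (const v of candidates) {
    if (!treeHasVulnerable(resolveTree(rootName, v), vulnName, vulnPredicate)) return v;
  }
  return null;
}

console.log(findRootFix('root-pkg', '4.0.0', VULNERABLE_PACKAGE, isVulnerable));  // 4.1.1
console.log(findRootFix('stale-pkg', '1.0.0', VULNERABLE_PACKAGE, isVulnerable)); // null
```

Note that `root-pkg@4.1.0` is skipped even though it is newer than the installed version: its caret range still resolves `mid-lib` to 1.1.0 and therefore `leaf-lib` to 1.4.2, which is inside the vulnerable range. That is exactly why a Root fix is computed over the resolved tree rather than by looking at the direct dependency's version number alone.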


Solve a vulnerability using the Root fix - video guide
