Resolve Reported Vulnerabilities Automatically

After the Dependency Vulnerability Analysis (DVA) report for a Maven, Node.js, JavaScript, or Gradle application has been generated, review the report to identify the vulnerabilities in the flagged build files, and click the Resolve button to resolve them.

The Resolve button simplifies and automates the process of resolving vulnerabilities found in the direct as well as transitive dependencies of the application's build file. The Resolve button is available only in the DVA report of the job's latest build, not in the reports of older builds. The Resolve button is also disabled if a package.json file in a Node.js or JavaScript application has vulnerabilities in transitive dependencies only. Transitive dependencies in Node.js and JavaScript applications must be resolved manually, by editing the direct dependencies in the package.json file and rerunning the analyzer.
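For a Node.js or JavaScript application, the manual step described above means first finding which entry in package.json pulls in the flagged transitive package. The following is an added example, not VB Studio code, that walks the `packages` map of a lockfileVersion 2/3 package-lock.json to report those chains; the lock data, package names and versions are constructed.

```javascript
// Added example (not VB Studio code): report which direct dependencies in
// package.json pull in a vulnerable transitive package, from package-lock.json.

// Constructed sample lock data; all package names and versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "log-util": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.0.0", dependencies: { "parser-lib": "^3.0.0" } },
    "node_modules/parser-lib": { version: "3.0.1", dependencies: { "tiny-helper": "^0.9.0" } },
    "node_modules/tiny-helper": { version: "0.9.2" },
    "node_modules/log-util": { version: "2.1.0", dependencies: { "tiny-helper": "^1.0.0" } },
    // log-util gets its own, newer copy nested under it
    "node_modules/log-util/node_modules/tiny-helper": { version: "1.0.0" },
  },
};

// Mirror Node's lookup: nearest node_modules directory walking up from the requester.
function resolvePath(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

const nameOf = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);

// Every chain from a direct dependency down to the vulnerable package.
// If vulnerableVersions is given, only chains ending in one of those versions count.
function findDependencyPaths(lock, vulnerableName, vulnerableVersions = null) {
  const pkgs = lock.packages;
  const chains = [];
  const visit = (path, chain, seen) => {
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const depPath = resolvePath(pkgs, path, dep);
      if (!depPath || seen.has(depPath)) continue; // not installed, or a cycle
      const version = pkgs[depPath].version;
      const next = [...chain, `${nameOf(depPath)}@${version}`];
      if (nameOf(depPath) === vulnerableName) {
        if (!vulnerableVersions || vulnerableVersions.includes(version)) chains.push(next);
        continue;
      }
      visit(depPath, next, new Set([...seen, depPath]));
    }
  };
  visit("", [], new Set());
  return chains;
}

// The package.json entries to bump: the first hop of each chain, deduplicated.
function directDependenciesToBump(lock, vulnerableName, vulnerableVersions = null) {
  const heads = findDependencyPaths(lock, vulnerableName, vulnerableVersions)
    .map((chain) => chain[0].slice(0, chain[0].lastIndexOf("@")));
  return [...new Set(heads)];
}
```

With the sample data, flagging only tiny-helper 0.9.2 points at web-framework as the single package.json entry to edit, while the nested 1.0.0 copy under log-util is left alone.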

To resolve the vulnerabilities found in direct and transitive dependencies, click the Resolve button:

  1. In the Report section of the vulnerability analysis report, expand the affected build file (POM is shown):
    Vulnerability report
  2. Click Resolve.

    If a merge request already exists, you can cancel the dialog and use it, or continue to create another merge request.

  3. In the Resolve Vulnerability dialog box, review the reported vulnerabilities.
  4. If an issue was created when the report was generated, its ID is displayed. If no issue was created, select the Create issue to track this resolution check box to create it.

    In Linked Builds, add an existing build to link it to the merge request.

    In Reviewers, add team members to review the merge request:

    Resolve Vulnerability dialog box
  5. For each vulnerability, in Available Versions, select a version of the direct dependency (or of the direct dependency that pulls in the vulnerable transitive dependency) that doesn't have the reported vulnerability.

    If you don't want to resolve the dependency or no versions are available, select Do Not Resolve.

  6. Click Create New Merge Request.

    When you click the button, VB Studio does the following:

    1. Creates a merge request with details about the vulnerabilities found.
    2. Creates a branch with the job's Git repository branch as the base branch, and then sets it as the review branch of the merge request.
    3. Sets the job's Git repository branch as the target branch of the merge request.
    4. Updates the review branch's application build file to use the specified versions of the dependencies.

    For example, if the job that generated the vulnerability report uses the JavaMavenApp Git repository and its release1.1 branch, then a new branch is created in JavaMavenApp using release1.1 as the base branch and is used as the review branch of the merge request. The release1.1 branch is used as the target branch.

    If a merge request with the same review and target branches was created in an older build of the job, VB Studio uses that merge request to merge the application build file updates.

  7. Click the merge request link to open it in another tab or window of the browser, and click OK.
  8. In the Merge Request, review the details of the vulnerabilities in the Conversation tab and the application build file changes (POM is shown) in the Changed Files tab:
    The Changed Files tab comparing the application build file (POM) to the review and the target branch
  9. If you've invited other reviewers, wait for their feedback.
  10. If you've linked a build job to the merge request, in the Linked Builds tab, run a build and verify its stability.
  11. When you're ready to merge the application build file updates, click Merge.
  12. In the Merge dialog box, to delete the review branch, select the Delete branch check box. To resolve linked issues, select the Resolve linked issues check box and the check boxes of issues you want to resolve.
  13. Click Create a merge request.
  14. Run a build of the job that reported the dependency vulnerabilities and verify that the application build file update has fixed the vulnerability.

    If a vulnerability is still found, repeat the preceding steps to create another merge request after selecting a different dependency version.