When it comes to automating version updates to remediate vulnerabilities, Sonatype appears to offer two conflicting solutions:
- Automated Pull Requests
  - Requires version pinning
- Policy Compliant Component Selection
  - Requires version ranges and dependency locking (for repeatability)
Is there a recommended approach? If not, what are others' experiences with each approach? Is one easier to manage than the other? Why or why not? Does the build tool have any influence on this decision (i.e. npm, PyPI)?
Automated Pull Requests and Policy Compliant Component Selection have fairly different functions. In terms of automating version updates, Automated Pull Requests can be used for Maven, npm, Gradle and Go. This feature will open a Pull Request (typically during continuous monitoring) when new risk enters the system and there is a version of a component available that removes this risk. We have a few capabilities on our roadmap to extend Automated Pull Requests, including Golden PRs, which will take into account breaking changes and other metadata about the version to ensure your update is seamless.
Policy Compliant Component Selection is a feature of our Next-Gen Firewall which allows the npm and PyPI clients to resolve non-quarantined versions of open source components. This allows the client to resolve dependencies when component versions are quarantined by Firewall.
In summary, for automating version updates to remediate vulnerabilities, we suggest leveraging Automated Pull Requests.