Lifecycle Best Practices; Remediation Tips, part 1

Hi, folks!

I wanted to take a second to share some best practices about component remediation. There’s lots to say, so this will be a three-parter! In this first post, we’ll talk about the best-case scenario. In the second post, we’ll share some best practices for more difficult remediation tasks. And in the third post, we’ll give you some tips for when remediation just doesn’t seem possible.

Once you’ve baselined your OSS risk with Sonatype Lifecycle, the natural question is “how do I remediate these violations?”

And that’s a good question – a perfect question, in fact. Scans, evaluations, and reports don’t have much value if you can’t do anything with them.

The overarching best practice for remediation is simple: if a component has a newer version that is free of policy violations, upgrade to that version.

Yes, it sometimes is that simple! Remember, OSS maintainers don’t want vulnerabilities in their code any more than you do. If they can fix a vulnerability, they usually do. And if they can fix it without major changes to the code, all the better. This means that simple upgrade paths are fairly common across the OSS landscape.

Of course, it’s not always that easy. Dependency management is complex. Acknowledging that complexity is part of a good remediation strategy. That’s why another best practice for remediation is to prioritize violations that can be remediated with a simple upgrade. Leave difficult remediation tasks for later.
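To make the two practices above concrete, here is an added example (not Sonatype's code, and not how Lifecycle itself is implemented) that triages a list of policy violations: each violation is matched against a catalog of known versions, the smallest newer version with no violations is chosen as the upgrade target, and the result is split into quick wins (a clean newer version exists) and deferred work (no clean newer version yet). Quick wins are ordered so that same-major-line upgrades come first, then by policy threat level. The component names, versions, and violation flags are constructed sample data; in practice they would come from your Lifecycle scan results.

```python
"""Triage policy violations into quick-win upgrades and deferred work.

Added example with constructed data; not Sonatype code. The catalog maps each
component to its known versions and whether that version still violates policy.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version ('2.14.1', '1.2.3-rc1') into a comparable tuple.

    Pre-release suffixes are dropped, so pre-release ordering is not modelled;
    that is good enough for a first-pass triage of upgrade candidates.
    """
    parts: List[int] = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


@dataclass
class Violation:
    component: str   # constructed coordinate, e.g. "org.example:lib"
    version: str     # version currently in the build
    severity: int    # policy threat level, 0-10 (10 = worst)


@dataclass
class Plan:
    component: str
    current: str
    target: Optional[str]   # None when no clean newer version exists
    severity: int
    crosses_major: bool     # True when the upgrade changes the major version


def clean_newer_versions(current: str, versions: Dict[str, bool]) -> List[str]:
    """Return newer versions that carry no policy violation, lowest first."""
    cur = parse_version(current)
    candidates = [v for v, violates in versions.items()
                  if not violates and parse_version(v) > cur]
    return sorted(candidates, key=parse_version)


def choose_target(current: str, versions: Dict[str, bool]) -> Optional[str]:
    """Pick the smallest clean upgrade: prefer the lowest clean version in the
    same major line (least likely to break the build), else the lowest clean
    version overall. Returns None when every newer version still violates."""
    candidates = clean_newer_versions(current, versions)
    if not candidates:
        return None
    cur_major = parse_version(current)[0]
    same_major = [v for v in candidates if parse_version(v)[0] == cur_major]
    return same_major[0] if same_major else candidates[0]


def plan_remediation(violations: List[Violation],
                     catalog: Dict[str, Dict[str, bool]]) -> Tuple[List[Plan], List[Plan]]:
    """Split violations into (quick_wins, deferred).

    Quick wins are sorted simplest-first: same-major upgrades before
    major-version jumps, then by descending threat level.
    """
    quick: List[Plan] = []
    deferred: List[Plan] = []
    for v in violations:
        known = catalog.get(v.component, {})   # unknown component -> no candidates
        target = choose_target(v.version, known)
        crosses = (target is not None and
                   parse_version(target)[0] != parse_version(v.version)[0])
        plan = Plan(v.component, v.version, target, v.severity, crosses)
        (quick if target else deferred).append(plan)
    quick.sort(key=lambda p: (p.crosses_major, -p.severity))
    return quick, deferred


# Constructed sample scan results and version catalog (not real components).
VIOLATIONS = [
    Violation("org.example:json-parser", "2.3.0", 9),
    Violation("org.example:http-client", "4.5.2", 7),
    Violation("org.example:template-engine", "1.9.1", 8),
    Violation("org.example:xml-util", "3.0.0", 5),
]

CATALOG = {
    "org.example:json-parser": {"2.3.0": True, "2.3.1": True, "2.4.0": False, "3.0.0": False},
    "org.example:http-client": {"4.5.2": True, "4.5.3": True, "5.0.0": False},
    "org.example:template-engine": {"1.9.1": True, "1.9.2": True},   # no fix released yet
    "org.example:xml-util": {"3.0.0": True, "3.0.1": False, "3.1.0": False},
}

if __name__ == "__main__":
    wins, later = plan_remediation(VIOLATIONS, CATALOG)
    for p in wins:
        jump = " (major version jump)" if p.crosses_major else ""
        print(f"QUICK WIN  {p.component} {p.current} -> {p.target}{jump}  threat={p.severity}")
    for p in later:
        print(f"DEFERRED   {p.component} {p.current}: no clean newer version  threat={p.severity}")
```

With the sample data the quick wins come out as json-parser (2.3.0 to 2.4.0), xml-util (3.0.0 to 3.0.1) and then http-client (4.5.2 to 5.0.0, flagged as a major jump), while template-engine is deferred because every known version still violates policy. The same-major preference is a design choice for this example: the post's point is to bank the low-effort upgrades first, and a patch or minor bump is usually the lowest-effort path.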

Why? Consider the 80/20 rule. Generally, 80% of the violations will require 20% of your time, and the remaining 20% of violations will take 80% of your time. You might be surprised how many violations you can remove by focusing on low-effort fixes. Think of it like this – if I told you I could solve 80% of your plumbing leaks in a day OR 20% of your leaks in a week, which would you prefer?

As a bonus, starting simple will build communication channels required for more complex fixes. Think of it like exercise; before you can lift big, you have to lift small!

Are you actively remediating? Still baselining? Regardless of where you are in your remediation journey, I want to hear about it, especially if you’ve had some quick wins that have reduced your risk footprint. Sound off in the comments below!

Resources:

Sonatype Lifecycle and Repository Firewall reference policy set

Reference Policy Set Best Practices

Remediation Best Practices

Component Remediation in Lifecycle interactive course
