Lifecycle Best Practices: Remediation Tips, part 3

Hi, folks!

Ready to talk more about remediation? This is part three in a series. In the first post, we talked about the best-case remediation scenario. In the last post, we covered best practices for trickier remediations. And in this post, I’ll give you some best practices for when remediation just doesn’t seem possible.

The reality of developing software is that, sometimes, violations can’t be remediated. That’s true for all violation types – security, legal, and quality. Don’t blame your developers; even good drivers sometimes get a flat tire.

But when it happens, the best practice is to document why the violation can’t be remediated. Talk to your developers or engineers and ask. Usually, the response will fall into one of four categories.

  • They need development time/budget they don’t have.

  • They need expertise or knowledge they don’t have.

  • They need the component’s maintainers to take action.

  • They need specific functionality that’s inextricable from the violation.

That’s a best practice that I follow in all my personal projects. As a hobbyist and rank amateur developer, I’m constantly finding violations that I can’t fix. But because I document my reason for letting violations go, I can easily revisit and review as my skill improves.

Regardless, as a best practice, if a violation can’t be remediated, give it a waiver with a long duration. Remember, reports should be a list of actionable threats at a given point-in-time. Threats that aren’t actionable are noise. Remove them from reports and review them separately.

And that brings us to our last best practice. Turn on Waived Component Upgrades. This functionality alerts you when a waived component has a violation that can be remediated with a version upgrade. Check the third bullet point above; if a maintainer takes action and patches a vulnerability, you want to be aware!

Thanks for sticking with us! Do you have Waived Component Upgrades turned on? Any advice for new customers, or have a question for us here at Sonatype? Regardless, I want to hear about it! Sound off in the comments below.

And for other resources, head to


Remediation Best Practices

Waived Component Upgrades

Component Remediation in Lifecycle interactive course