From 6b03deadfc9371b607801740e4da467d9f147706 Mon Sep 17 00:00:00 2001 From: Erin Havens Date: Wed, 13 Apr 2022 12:24:21 -0700 Subject: [PATCH] Update assessing-risk-dependabot-alerts.md This section is a great idea! I've rewritten it to emphasize a couple things: I really want to make sure we promote best security practices here, like keeping your dependencies up to date. I've adjusted this section to call out Dependabot updates, and also to emphasize more how developers can interact with Dependabot's vulnerable calls feature in order to assess risk and determine next steps. --- .../dependabot/assessing-risk-dependabot-alerts.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/data/reusables/dependabot/assessing-risk-dependabot-alerts.md b/data/reusables/dependabot/assessing-risk-dependabot-alerts.md index 52c87e5e64..e2b4a0ff0c 100644 --- a/data/reusables/dependabot/assessing-risk-dependabot-alerts.md +++ b/data/reusables/dependabot/assessing-risk-dependabot-alerts.md 
@@ -1,5 +1,7 @@ -When you discover you are using a vulnerable dependency, for example, a library or a framework, you must assess your project's level of exposure and determine what action to take. Vulnerabilities are usually reported with a severity score to show how severe their impact could be. The severity score is a useful guide but cannot tell you the full impact of the vulnerability on your code. +It’s important to ensure that all of your dependencies are clean of any security weaknesses. When Dependabot discovers vulnerabilities in your dependencies, you should assess your project’s level of exposure and determine what remediation steps to take to secure your application. -To assess the impact of a vulnerability on your code, you also need to consider how you use the library and determine how much risk that actually poses to your system. Maybe the vulnerability is part of a feature that you don't use, and you can update the affected library and continue with your normal release cycle. Or maybe your code is badly exposed to risk, and you need to update the affected library and ship an updated build right away. This decision depends on how you're using the library in your system, and is a decision that only you have the knowledge to make. \ No newline at end of file +If a patched version is available, you can generate a Dependabot pull request to update this dependency directly from a Dependabot alert. If you have Dependabot security updates enabled, the linked pull request will be shown in the Dependabot alert. + +In cases where a patched version is not available, or you can’t update to the secure version, Dependabot shares additional information to help you determine next steps. For example, you should consider how you’re using any impacted functions from the dependency, which are surfaced for supported languages in Dependabot alerts. 
This information can help you further assess your risk level, and determine workarounds or if you’re able to accept the risk represented by the security vulnerability.
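Review bot: the rewritten first paragraph drops the original's point that a severity score is only a guide and cannot tell you the full impact of the vulnerability on your code, which is the core of the risk-assessment advice this reusable exists to give; consider keeping one sentence on it, for example right after "determine what remediation steps to take to secure your application." Also, "clean of any security weaknesses" is an absolute that no dependency set can meet; "free of known vulnerabilities" matches what Dependabot alerts actually report. Finally, the new third paragraph says impacted functions "are surfaced for supported languages in Dependabot alerts" without naming or linking which languages are supported, so a reader cannot tell whether this applies to their project; a link to the relevant docs page would help.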