Announcing Guided Remediation in OSV-Scanner

Posted by Michael Kedar on Apr 2, 2024

Addressing vulnerabilities in project dependencies can often be overwhelming for software developers. OSV-Scanner’s new Guided Remediation feature aims to simplify this process by prioritizing and fixing the vulnerabilities that matter most in your projects.

The tool is now available with the OSV-Scanner 1.7.0 release under the osv-scanner fix subcommand. Currently, it only supports npm package.json / package-lock.json dependencies, but we’re planning to expand support to more ecosystems in the future.

What can Guided Remediation do?

Guided Remediation scans your project’s manifest and lockfile, identifying vulnerable dependencies and suggesting upgrades that will resolve them. There are two different upgrade strategies to choose from:

  • In-place lockfile modification, which makes targeted updates to vulnerable packages while still satisfying the existing version constraints in your dependency graph.
  • Relocking and relaxing requirements, which reinstalls the most up-to-date versions of your dependencies and, where needed, upgrades your direct requirements so that vulnerable packages drop out of the dependency graph.
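To make the two strategies concrete, here is a toy model of them as an added illustration (not OSV-Scanner's own code): in-place picks the lowest safe version that still satisfies every caret range dependents impose, while relock takes the newest safe version and relaxes the direct requirement. The package names, versions and advisory ranges are constructed for the example.

```python
from __future__ import annotations

# Added example, not OSV-Scanner's own code: a toy model of the two upgrade
# strategies above using npm caret ranges; all package data is constructed.

Version = tuple[int, int, int]

def parse(v: str) -> Version:
    major, minor, patch = (int(x) for x in v.split("."))
    return major, minor, patch

def in_caret(rng: str, v: Version) -> bool:
    """npm caret range for major >= 1: ^a.b.c means >=a.b.c and <(a+1).0.0."""
    lo = parse(rng.lstrip("^"))
    return lo <= v < (lo[0] + 1, 0, 0)

def is_vulnerable(pkg: str, v: Version, advisories: dict) -> bool:
    """Affected when v falls in any half-open [introduced, fixed) range."""
    return any(parse(a) <= v < parse(f) for a, f in advisories.get(pkg, []))

def safe_versions(pkg: str, available: dict, advisories: dict) -> list[Version]:
    versions = map(parse, available[pkg])
    return sorted(v for v in versions if not is_vulnerable(pkg, v, advisories))

def in_place(pkg: str, lock: dict, available: dict, advisories: dict) -> Version | None:
    """In-place: lowest safe version that still satisfies every range the
    lockfile's dependents place on pkg, so nothing else has to change."""
    for v in safe_versions(pkg, available, advisories):
        if all(in_caret(c, v) for c in lock[pkg]["constraints"]):
            return v
    return None  # no compatible fix exists; only relocking can help

def relock(pkg: str, lock: dict, available: dict, advisories: dict) -> str | None:
    """Relock: move a direct dependency to the newest safe version and relax
    its package.json requirement to a caret range on that version."""
    safe = safe_versions(pkg, available, advisories)
    if lock[pkg]["requirement"] is None or not safe:
        return None  # transitive deps are reached through their parents
    return "^" + ".".join(map(str, safe[-1]))

# Constructed lockfile: installed version, caret ranges dependents impose,
# and the package.json requirement (None for a transitive dependency).
LOCK = {
    "example-parser": {"version": "2.1.0", "constraints": ["^2.0.0", "^2.1.0"], "requirement": "^2.0.0"},
    "example-archiver": {"version": "4.4.8", "constraints": ["^4.4.0"], "requirement": "^4.4.0"},
}
AVAILABLE = {"example-parser": ["2.1.0", "2.1.3", "3.0.0"],
             "example-archiver": ["4.4.8", "4.4.19", "6.2.1"]}
ADVISORIES = {"example-parser": [("2.0.0", "2.1.3")],   # 2.x before 2.1.3
              "example-archiver": [("4.0.0", "5.0.0")]}  # every 4.x release
```

Running `in_place` and `relock` over `LOCK` shows the difference: example-parser can be patched in place to 2.1.3, but every 4.x release of example-archiver is affected, so only relocking (relaxing the requirement to ^6.2.1) removes it.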

The tool prioritizes its suggested upgrades to maximize the return on each change, focusing first on upgrades that resolve the most vulnerabilities with the fewest changed dependencies.

In conjunction with the different strategies, Guided Remediation also allows you to filter vulnerabilities based on metrics like CVSS severity, dependency depth, and whether they affect production or development dependencies. This allows you to control which vulnerabilities you wish to target.

Using Guided Remediation

For basic usage, you can attempt to resolve as many vulnerabilities as possible in your manifest/lockfile with one of the following commands:

osv-scanner fix --non-interactive --strategy=in-place -L path/to/package-lock.json
osv-scanner fix --non-interactive --strategy=relock -M path/to/package.json -L path/to/package-lock.json

For more complex scenarios, the interactive mode provides finer control over the remediation process.

osv-scanner fix -M path/to/package.json -L path/to/package-lock.json

[Screenshots: the interactive guided remediation vulnerability results screen, the in-place strategy screen, and the relock strategy screen]

All filtering metrics found in the interactive mode are also available as CLI flags for the non-interactive mode, allowing you to integrate and automate guided remediation in your CI/test pipelines.

See our detailed documentation for more usage information.

Try it yourself!

If you have any npm projects with known vulnerabilities, try Guided Remediation today! It’s available in the latest OSV-Scanner release and we’d love to hear your feedback.