Spike: How might we leverage Vulnerability Resolution as a solution to auto-remediation
Problem to solve
Composition Analysis needs to support auto-remediation of vulnerable dependencies.
Vulnerability fatigue is a common piece of feedback that we receive from users. Our AppSec persona struggles to handle the influx of scan findings while simultaneously ensuring that development teams are actively mitigating the vulnerabilities identified by scans. Allowing an MR that upgrades the vulnerable dependency to be generated without human intervention will reduce their workload and lead to better security outcomes for their projects.
Currently there are two potential paths to implementing auto-remediation for our users:
- Leverage IP from the acquisition of Rezilion (epic) or;
- Augment Vulnerability Resolution to meet the needs of Composition Analysis users
Option 1 is out of scope for this spike. Instead we should focus on option 2 and understand how technically feasible it is.
Questions to answer
- Do we need a different LLM / prompt?
- We may look at lock files as a source of information, but we may only be able to bump versions in non-lock files (manifests). Could we overcome this?
- If we do need to upgrade lock files, what is the expected complexity? Of particular interest is whether we would have to contend with the hashes that lock files record for each dependency.
- What changes to the LLM are necessary to focus it on third-party dependencies instead of first-party code, which is the current focus of Vulnerability Resolution?
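As an added illustration of the lock-file and hash questions above (example code written for this page, not part of this issue, of Vulnerability Resolution, or of npm): the constructed package-lock.json below shows why bumping a version string in a lock file is not enough. npm records a Subresource Integrity hash (`sha512-` plus the base64 digest of the tarball) next to each resolved dependency and verifies it on install, so a text-only bump leaves a stale hash and a stale `resolved` URL behind. A lock-file-aware upgrade has to obtain the new artifact and recompute the hash. The package name, registry URL and tarball bytes are all made up.

```python
import base64
import copy
import hashlib
import json

# Constructed stand-ins for the registry tarballs of two releases of a made-up package.
# In practice these bytes are what the installer downloads from the "resolved" URL.
OLD_TARBALL = b"constructed bytes standing in for example-lib-1.0.0.tgz"
NEW_TARBALL = b"constructed bytes standing in for example-lib-1.0.1.tgz"
REGISTRY = "https://registry.example.invalid"  # hypothetical registry host


def sri_sha512(data: bytes) -> str:
    """Integrity string in the form npm writes it: 'sha512-' + base64(SHA-512 of the tarball)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def tarball_url(name: str, version: str) -> str:
    """Registry tarball URL layout ( <registry>/<name>/-/<name>-<version>.tgz )."""
    return f"{REGISTRY}/{name}/-/{name}-{version}.tgz"


# Minimal lockfileVersion 3 document with one resolved dependency (constructed).
LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"example-lib": "^1.0.0"}},
        "node_modules/example-lib": {
            "version": "1.0.0",
            "resolved": tarball_url("example-lib", "1.0.0"),
            "integrity": sri_sha512(OLD_TARBALL),
        },
    },
}


def naive_bump(lock: dict, name: str, new_version: str) -> dict:
    """What a text-only edit does: rewrites 'version' and touches nothing else."""
    out = copy.deepcopy(lock)
    out["packages"][f"node_modules/{name}"]["version"] = new_version
    return out


def lockfile_bump(lock: dict, name: str, new_version: str, new_tarball: bytes) -> dict:
    """Lock-file-aware bump: version, resolved URL and integrity move together."""
    out = copy.deepcopy(lock)
    entry = out["packages"][f"node_modules/{name}"]
    entry["version"] = new_version
    entry["resolved"] = tarball_url(name, new_version)
    entry["integrity"] = sri_sha512(new_tarball)  # must be computed from the new artifact
    return out


def integrity_matches(lock: dict, name: str, tarball: bytes) -> bool:
    """The check an installer performs: does the recorded hash match the fetched bytes?"""
    entry = lock["packages"][f"node_modules/{name}"]
    algo, _, expected = entry["integrity"].partition("-")
    actual = base64.b64encode(hashlib.new(algo, tarball).digest()).decode("ascii")
    return actual == expected


def resolved_matches_version(lock: dict, name: str) -> bool:
    """Consistency check: the resolved URL should point at the tarball for the recorded version."""
    entry = lock["packages"][f"node_modules/{name}"]
    return entry["resolved"].endswith(f"{name}-{entry['version']}.tgz")


if __name__ == "__main__":
    naive = naive_bump(LOCKFILE, "example-lib", "1.0.1")
    proper = lockfile_bump(LOCKFILE, "example-lib", "1.0.1", NEW_TARBALL)
    print("naive bump  -> integrity ok:", integrity_matches(naive, "example-lib", NEW_TARBALL),
          "| url consistent:", resolved_matches_version(naive, "example-lib"))
    print("proper bump -> integrity ok:", integrity_matches(proper, "example-lib", NEW_TARBALL),
          "| url consistent:", resolved_matches_version(proper, "example-lib"))
    print(json.dumps(proper["packages"]["node_modules/example-lib"], indent=2))
```

The naive bump fails both checks because the stale `integrity` was computed over the 1.0.0 tarball, which is exactly the failure an installer reports when a lock file is edited by hand. Other ecosystems store the same kind of pinned digest (`hashes` in Pipfile.lock, `checksum` in Cargo.lock, `yarn.lock` `integrity`), so any auto-remediation that rewrites a lock file needs access to the new artifact, or to the package manager's own resolution step, rather than a string substitution.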
Edited by Joey Khabie