# Advanced Vulnerability Management
**Key Insight:** Automated vulnerability remediation reduces time-to-patch for critical issues.
This guide covers complex vulnerability scenarios for the Scorecard Vulnerabilities check.
Prerequisites: read the Vulnerabilities check guide first for the basics.
## Handling Unfixable Vulnerabilities

Scenario: a vulnerability exists but no patch is available yet.

Options:
### Option 1: Wait for Patch

If the vulnerability is low severity and doesn't affect your use case:
```markdown
## Known Vulnerabilities

### CVE-2024-1234 in dependency-name

- Severity: Low
- Status: Awaiting upstream patch
- Mitigation: Vulnerability requires physical access to server,
  not exploitable in our deployment model
- Tracking: https://github.com/upstream/repo/issues/1234
```

Document this in the repository README or a security advisory. Record who accepted the risk and a date to re-review it: the mitigation ("requires physical access") describes today's deployment model and stops being true the day that model changes, so an undated exception tends to outlive the reason it was granted.
### Option 2: Pin to Last Good Version

```json
{
  "dependencies": {
    "vulnerable-package": "1.2.3"
  },
  "overrides": {
    "vulnerable-package": "1.2.3"
  }
}
```

Trade-off: you may miss future security patches. The `overrides` entry also forces every transitive copy of the package to 1.2.3 (it needs npm 8.3 or newer; older npm ignores the field), which can break dependents that expect a newer API, so run the full test suite after pinning.
### Option 3: Replace Dependency

Find an alternative package without the vulnerability:

```bash
# Before
npm install vulnerable-package

# After
npm uninstall vulnerable-package
npm install secure-alternative
```

Best for: when multiple alternatives exist. Check the replacement's own advisory history and maintenance activity before switching; swapping one unmaintained package for another only moves the problem.
### Option 4: Vendor and Patch

For critical dependencies:

```bash
# Fork upstream repository (and clone the fork locally)
gh repo fork upstream/vulnerable-package --clone
cd vulnerable-package

# Apply security patch
git checkout -b fix/cve-2024-1234
# ... make fixes ...
git commit -m "fix: CVE-2024-1234"
git push -u origin fix/cve-2024-1234

# Use your fork
npm install github:yourorg/vulnerable-package#fix/cve-2024-1234
```

Maintenance burden: you own the patches. Two further points: a branch name is a mutable reference, so for a reproducible, tamper-evident install replace `#fix/cve-2024-1234` with the full commit SHA of the fix; and send the patch upstream so the fork can be retired once a fixed release ships.
## False Positives

Scenario: Scorecard flags a vulnerability that doesn't affect your project.

### Example 1: Vulnerability in Unused Code Path
```markdown
### CVE-2024-5678 in crypto-library

This vulnerability affects the encrypt() function. Our project only
uses the hash() function, making this CVE not applicable.

- Mitigation: Code review confirms vulnerable code path is never executed.
- Tracking: Waiting for upstream patch to eliminate alert.
```

Re-check the claim whenever the dependency or the code that calls it changes; a reachability argument goes stale quietly when a new transitive dependency starts calling encrypt().
### Example 2: Development Dependency Only

```json
{
  "devDependencies": {
    "vulnerable-test-tool": "1.0.0"
  }
}
```

Reality: a development-only vulnerability does not ship in the production artifact. It still runs in CI with whatever secrets and repository access that job has, so "dev only" lowers the priority rather than removing it.
Scorecard limitation: may still flag it.
Mitigation: document it in the README and accept the lower score, or fix it anyway.
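The README entries in Option 1 and Example 1 are free text, so nothing fails when a justification stops being true. The following added example (not Scorecard code) keeps the same acceptances in a small register and checks each one for an owner, a reason and an expiry date, rejecting entries that are incomplete or whose acceptance has lapsed. The register format, field names and sample entries are constructed for this example.

```javascript
// Added example, not Scorecard code: validate a register of accepted
// vulnerability findings. Field names and the sample data are assumptions.

// Advisory identifiers we accept: CVE-YYYY-NNNN... or GHSA-xxxx-xxxx-xxxx.
const ID_PATTERN = /^(CVE-\d{4}-\d{4,}|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})$/;
const REQUIRED = ["id", "package", "severity", "reason", "owner", "expires"];

// Validate one entry; returns a list of problems (empty list means accepted).
function validateEntry(entry, now) {
  const problems = [];
  for (const field of REQUIRED) {
    if (typeof entry[field] !== "string" || entry[field].trim() === "") {
      problems.push(`missing ${field}`);
    }
  }
  if (problems.length > 0) return problems; // later checks assume the fields exist
  if (!ID_PATTERN.test(entry.id)) problems.push(`unrecognised advisory id ${entry.id}`);
  if (!/^\d{4}-\d{2}-\d{2}$/.test(entry.expires)) {
    problems.push(`expires must be YYYY-MM-DD, got ${entry.expires}`);
  } else if (new Date(`${entry.expires}T00:00:00Z`) <= now) {
    // An acceptance is a time-boxed decision: once it lapses the finding
    // is open again until someone re-reviews it or fixes it.
    problems.push(`acceptance expired on ${entry.expires}; re-review or fix`);
  }
  return problems;
}

// Split a register into accepted ids and rejected entries with their problems.
function evaluateRegister(register, now = new Date()) {
  const accepted = [];
  const rejected = [];
  for (const entry of register) {
    const problems = validateEntry(entry, now);
    if (problems.length === 0) accepted.push(entry.id);
    else rejected.push({ id: entry.id ?? "<no id>", problems });
  }
  return { accepted, rejected };
}

// Constructed sample register mirroring the README entries above.
const SAMPLE_REGISTER = [
  {
    id: "CVE-2024-1234", package: "dependency-name", severity: "low",
    reason: "requires physical access to the server; not reachable in our deployment model",
    owner: "security@example.invalid", expires: "2099-01-01",
  },
  {
    id: "CVE-2024-5678", package: "crypto-library", severity: "medium",
    reason: "only hash() is called; the vulnerable encrypt() path is never reached",
    owner: "security@example.invalid", expires: "2020-01-01", // lapsed
  },
  {
    package: "vulnerable-test-tool", severity: "low",
    reason: "devDependency only", // no id, owner or expiry
  },
];

// Evaluate at a fixed date so the output is reproducible; use new Date() in CI.
const result = evaluateRegister(SAMPLE_REGISTER, new Date("2025-06-01T00:00:00Z"));
console.log(JSON.stringify(result, null, 2));
```

In CI, exit non-zero when `rejected` is non-empty so a lapsed or undocumented acceptance fails the build instead of lingering in a README.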
## Vulnerability Disclosure for Your Project

If your project has a vulnerability:
Step 1: Create a GitHub Security Advisory

```text
Security tab → Advisories → New draft security advisory
```

Step 2: Work on a private patch

```bash
# GitHub creates a temporary private fork for the advisory
git clone <temporary-private-fork-url>
# ... develop fix ...
git push
```

Step 3: Request a CVE from the draft advisory (GitHub is a CNA and assigns the ID; no separate request to MITRE is needed)

Step 4: Publish the advisory and release the patch

Step 5: Update SECURITY.md to acknowledge the reporter
## Troubleshooting

### Dependabot PRs not auto-merging

Check: does branch protection require reviews or status checks? `gh pr merge --auto` does not bypass them: it queues the merge until every required check passes, and a required human review keeps the PR waiting indefinitely.
Solution: enable "Allow auto-merge" in the repository settings and add a workflow that queues Dependabot PRs for auto-merge:
```yaml
# .github/workflows/dependabot-auto-merge.yml
name: Dependabot Auto-Merge
on: pull_request

permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Auto-merge Dependabot PRs
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

As written this queues every Dependabot PR, including major version bumps, so the only thing standing between a breaking change or a compromised upstream release and your default branch is the set of required status checks. Gate the merge step on the update type (`dependabot/fetch-metadata` exposes it as the `update-type` output) and keep the review requirement for anything beyond patch and minor bumps.
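The workflow above queues every Dependabot PR, so the decision of what is safe to merge unattended lives entirely in CI. The following added example, which is not GitHub's or Scorecard's code, shows that decision as a policy function: it takes the PR author and title (Dependabot titles a PR `Bump <name> from <old> to <new>`), allows auto-merge only for patch and minor bumps of packages not on a review list, and refuses major bumps, group PRs and anything it cannot parse. In a real workflow take the update type from `dependabot/fetch-metadata` rather than the title; the thresholds, the review list and the sample PRs are assumptions.

```javascript
// Added example (not GitHub or Scorecard code): decide whether a Dependabot
// PR may be queued for auto-merge. Thresholds and the review list are assumed.

// Dependabot's default title: "Bump <name> from <old> to <new>[ in <dir>]".
const TITLE = /^(?:Bump|Update) (\S+) (?:requirement )?from (\S+) to (\S+)/;

// Accept "1.2.3", "v1.2.3" or a bare "3" (GitHub Actions tags); missing parts are 0.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

// Classify the bump the way dependabot/fetch-metadata's update-type does.
function updateType(oldV, newV) {
  const a = parseVersion(oldV), b = parseVersion(newV);
  if (a[0] !== b[0]) return "major";
  if (a[1] !== b[1]) return "minor";
  return "patch";
}

const DEFAULT_POLICY = {
  allowedTypes: ["patch", "minor"],   // majors always get a human
  alwaysReview: ["crypto-library"],   // packages a human must look at regardless
};

// Returns { merge, reason }; anything that cannot be classified is refused.
function autoMergeDecision(pr, policy = DEFAULT_POLICY) {
  if (pr.user !== "dependabot[bot]") {
    return { merge: false, reason: "not a Dependabot PR" };
  }
  const m = TITLE.exec(pr.title);
  if (!m) {
    // Group PRs ("Bump the npm_and_yarn group ...") carry several versions.
    return { merge: false, reason: "cannot determine version change from title; review manually" };
  }
  const [, name, oldV, newV] = m;
  let type;
  try {
    type = updateType(oldV, newV);
  } catch (err) {
    return { merge: false, reason: err.message };
  }
  if (!policy.allowedTypes.includes(type)) {
    return { merge: false, reason: `${type} bump of ${name} needs review` };
  }
  if (policy.alwaysReview.includes(name)) {
    return { merge: false, reason: `${name} is on the always-review list` };
  }
  return { merge: true, reason: `${type} bump of ${name}` };
}

// Constructed sample PRs.
const SAMPLE_PRS = [
  { user: "dependabot[bot]", title: "Bump lodash from 4.17.20 to 4.17.21 in /frontend" },
  { user: "dependabot[bot]", title: "Bump actions/checkout from 3 to 4" },
  { user: "dependabot[bot]", title: "Bump the npm_and_yarn group across 1 directory with 3 updates" },
  { user: "dependabot[bot]", title: "Bump crypto-library from 2.0.1 to 2.0.2" },
  { user: "some-contributor", title: "Bump lodash from 4.17.20 to 4.17.21" },
];

for (const pr of SAMPLE_PRS) {
  const d = autoMergeDecision(pr);
  console.log(`${d.merge ? "MERGE " : "REVIEW"} ${pr.title} (${d.reason})`);
}
```

The author check duplicates the job-level `if` on purpose: a policy function should not trust that it was only ever called from the right place. Refusing group PRs is also deliberate; a grouped update needs someone to read several changelogs, not one.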
### Scorecard still shows vulnerabilities after fixing

Check: did the dependencies actually update, and is the updated lockfile committed and pushed? Scorecard scans the repository as hosted, not your working tree.

```bash
# Verify the fix in the installed tree (then commit the updated package-lock.json)
npm ls vulnerable-package
```

Scorecard scan lag: the published score can take 24 to 48 hours to reflect fixes.

Verify now instead of waiting: run Scorecard yourself against the pushed repository with only the Vulnerabilities check enabled:

```bash
docker run -e GITHUB_TOKEN=$GITHUB_TOKEN gcr.io/openssf/scorecard:stable \
  --repo=github.com/your-org/your-repo \
  --checks=Vulnerabilities
```
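Option 2 pins the top-level dependency and `npm ls` above shows the installed tree, but the scanner reads the committed `package-lock.json`, where a transitive copy can still resolve to an affected version (for instance when the lockfile was produced by an npm too old to honour `overrides`). This added example, which is not Scorecard code, walks a lockfile of version 2 or 3 and lists every installed copy of a package that falls inside an affected range expressed OSV-style as introduced/fixed versions. The lockfile, the package name and the range are constructed placeholders.

```javascript
// Added example (not Scorecard's code): audit every copy of a package in a
// package-lock.json (lockfileVersion 2 or 3) against an affected range.
// Package name, range and the lockfile content below are constructed.

// Parse "1.2.3" (or "v1.2.3", or a bare "3") into [major, minor, patch];
// prerelease and build suffixes are ignored for this comparison.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// OSV-style range: affected if version >= introduced and < fixed.
// A missing `fixed` means no patched release exists yet.
function isAffected(version, { introduced = "0.0.0", fixed }) {
  if (compareVersions(version, introduced) < 0) return false;
  return fixed === undefined || compareVersions(version, fixed) < 0;
}

// Every install path of `name`, including nested transitive copies such as
// node_modules/some-framework/node_modules/<name>.
function findInstalls(lock, name) {
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 has no packages map; regenerate with npm 7 or newer");
  }
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

function auditLockfile(lock, name, range) {
  return findInstalls(lock, name).filter((i) => isAffected(i.version, range));
}

// Constructed lockfile: the root copy was pinned to 1.2.3 as in Option 2,
// but a transitive copy under some-framework still resolves to 1.2.8.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/vulnerable-package": { version: "1.2.3" },
    "node_modules/some-framework": { version: "4.1.0" },
    "node_modules/some-framework/node_modules/vulnerable-package": { version: "1.2.8" },
  },
};

// Assumed range for CVE-2024-1234: introduced in 1.2.4, no fixed release yet.
const RANGE = { introduced: "1.2.4" };

const findings = auditLockfile(SAMPLE_LOCK, "vulnerable-package", RANGE);
for (const f of findings) {
  console.log(`affected: ${f.path} @ ${f.version}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` and take `introduced`/`fixed` from the advisory's OSV record (`affected[].ranges[].events`). A non-empty result after an `overrides` pin usually means the lockfile was regenerated by an npm that does not support the field.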
### Vulnerability in OS package, not application dependency

Scenario: the container base image has a CVE.

Solution: update the base image:

```dockerfile
# Before
FROM ubuntu:20.04

# After
FROM ubuntu:24.04
```

Confirm that the fixed package version is actually in the newer release before treating the bump as closing the CVE, and rebuild on a schedule: `ubuntu:24.04` is a moving tag that receives security updates, so an image built months ago carries CVEs that a fresh build would not.

Or use minimal base images, which ship fewer packages and therefore fewer CVEs to track:

```dockerfile
# Use distroless or alpine
FROM gcr.io/distroless/static-debian12
```

The `static` distroless variant has no libc, shell or package manager, so it only runs statically linked binaries; dynamically linked programs need the `base` variant instead.
## Related Content
Back to basics:
- Vulnerabilities Check - Core remediation guide
Other Security Practices checks:
- Security-Policy - Vulnerability disclosure process
- CII-Best-Practices - OpenSSF Best Practices Badge
Advanced vulnerability management handles edge cases: unfixable CVEs, false positives, and responsible disclosure.