Skip to main content

Upgrade guidance

Know if you or your developers can safely and reliably update a vulnerable package or dependency to a fixed version. From there, choose to:

  • Have Semgrep open a pull request (PR)
  • Create a Jira ticket
  • Set the finding's triage status as To fix

Semgrep's dependency upgrade guidance uses Assistant to analyze if a finding can be safely upgraded or if upgrading the package can cause breaking changes. Semgrep can also create a PR to upgrade the package.

Feature maturity

This feature is in private beta. To join the beta, reach out to the Semgrep support team.

Supported languages and package managers

  • Python codebases with the following package managers:
    • pip
    • pip-tools
    • pipenv
    • Poetry
  • GitHub Cloud and GitHub Enterprise Server (self-hosted)
    • This includes projects added to Semgrep through Semgrep Managed Scans

Prerequisites

Grant Read and write access to a private GitHub Semgrep app

To change your Semgrep app's permission:

  1. Navigate to the settings page of your private Semgrep GitHub app; refer to Changing the permissions of a GitHub app for instructions.
  2. In the Repository permissions section, search for Contents.
  3. Click the drop-down menu and select Read and write.

How it works

After enabling dependency guidance, Semgrep performs post-scan analysis and marks applicable findings as Safe to upgrade or with Breaking changes.

  • This analysis is performed every two hours on the latest full scan.
  • Only findings whose dependencies have fixed versions that resolve the vulnerability are marked by Semgrep as Safe to upgrade or with Breaking changes.
  • Findings without any fixed versions have no badge; instead they say no patch available. Finding with no fixed version available Figure. Details page for a finding that has no available fix.

The following chart shows the steps Semgrep performs from scanning to analysis and the actions you can take based on the advice it shows.

Flowchart explaining how Semgrep provides upgrade guidance and possible actions to take based on its advice.

Review a finding's upgrade guidance

To view detailed information about a finding:

  1. Within Semgrep AppSec Platform, navigate to the Supply Chain page. By default this page loads the Vulnerabilities tab.
  2. Locate the finding you want to review, then click Details.

The details page is divided into several panels:

  • General information:
    • The name of the package and a description of the finding
    • Its reachability, whether it is direct or transitive, its CVE number, EPSS, and severity
    • Its remediation version, if any
    • Links to references
    • A badge indicating if it can cause breaking changes or not (beta)
  • Branch and finding history information
    • Which branches it can be found
    • Where it was first detected
    • AI analysis performed, if any
  • Graphs and code:
    • Your code: the source file in which a match was detected; the highlight indicates where the match was found
    • Dependency path: displays the path of dependencies; useful when analyzing transitive dependencies
    • Pattern and Rule: the pattern and rule logic that determined the match

SSC details that provide upgrade guidance. Figure. Useful details that provide upgrade guidance.

A - Upgrade badge
Indicates if an upgrade is safe or may break your codebase.
B - The line of code (LOC) of the finding
This shows the LOC that caused the finding; this does not show the LOC where the breaking changes occur.
C - Link to change list drawer
Click this link to display the LOC where a breaking change may occur.
D - Open fix PR button
Click this button to open a PR with the code to upgrade the dependency to a safe version, if any.

Drawer showing all lines of code that must be changed Figure. Drawer showing all the lines of code that must be changed or are safe.

Create a pull request with fixes

  1. Navigate to the Details page of the finding for which you want to make a pull request.
  2. Click Fix > Open fix PR.

A pull request includes:

  • The manifest or lockfile changes necessary to upgrade the dependency
  • The context necessary for developers to fix potentially breaking changes

The following context is included in the pull request description:

  • Summary
    • Severity and reachability of the finding
    • The specific version of the dependency that the PR upgrades to
  • Vulnerability details
    • A description of the vulnerability and links to its CVE references
  • Upgrade guidance
    • All the pieces of code, typically functions, which make use of the dependency
    • Unchanged (safe) pieces of code
    • Potentially breaking pieces of code
  • Dependency references
    • Release notes, changelogs, and commits of the dependency which may be useful to resolve the breaking changes

PR comment with upgrade guidance Figure. PR comment with upgrade guidance.

Troubleshooting

The feature has been enabled, but you don't see any analysis

If you can't see any Breaking changes or Safe to upgrade badges or findings, this may be due to the following reasons:

  • Your language or package ecosystem isn't supported
  • Your source code manager isn't supported
  • Your you have not set Read and write access for the Contents permission; see Grant read and write access
  • Your findings don't have safe versions to upgrade to yet
  • You have no findings within the supported scope of this feature

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.