Safe versions

How the suggested safe versions mechanism works

When one or more vulnerabilities are identified in the version of a component you are using, Meterian automatically suggests a list of "safe versions" to move to. These appear in the project report, in a box positioned to the right of the component card, as in this example.

Here we can see that this component, "image", is affected by one vulnerability in its current version, 0.23.11. The "Safe versions" box lists the versions Meterian considers safe; in this specific case they are 0.23.14 (a patch update) and 0.24.6 (a minor update).

Meterian in fact "knows" about all versions of the component, and the vulnerabilities associated with each of them, as can be seen by opening the corresponding link to Componentpedia, Meterian's library of components:

If we go back to the report, however, we notice that this particular vulnerability is declared to be fixed in version 0.23.12: so why is Meterian suggesting version 0.23.14? Because, if there is a later patch release that is also safe and presumably fixes further bugs, that is the one suggested, which improves the stability of your project. For each semantic portion of the version (patch, minor, major), Meterian always suggests the latest safe option available.

For the same reason, when multiple vulnerabilities affect a component, Meterian computes the safest version possible across all of them, as in this example:

Sometimes it is impossible to find a safe version automatically. In this case, for example, an advisory declares that a certain version of the component fixes the vulnerability, but that version is not present in any public repository: version 4.3.1 of System.IO.Compression.ZipFile was unfortunately never published to the .NET package repository.

Sometimes a safe, non-vulnerable version is simply not available. In that situation you will want to consider alternative actions to resolve the issue, for example looking for mitigating factors (is the vulnerable code path actually reachable from your application?) or replacing the component altogether.
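The selection rule described above (latest safe release per semver portion, only among versions that really exist in the registry, None when there is none) can be modelled in a few lines. The following is an added example written for this page, not Meterian's own code or API: it assumes plain MAJOR.MINOR.PATCH versions, an advisory shape where every version from `introduced` up to but excluding `fixed` is affected, and a list of published versions as a registry would report it. The "image" version list, the vulnerability ranges and the ZipFile registry contents are all constructed for illustration.

```python
# Added example (not Meterian's code): a minimal model of the safe-version
# suggestion logic described on this page. Assumptions: versions are plain
# MAJOR.MINOR.PATCH, an advisory affects [introduced, fixed), and `published`
# is the list of versions a registry actually ships. All data is constructed.
from dataclasses import dataclass
from typing import Callable, Optional

Version = tuple[int, int, int]


def parse(v: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple (pre-release tags not handled)."""
    major, minor, patch = (int(x) for x in v.split("."))
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


@dataclass(frozen=True)
class Vulnerability:
    """Constructed advisory shape: versions >= introduced and < fixed are affected.
    fixed=None means no fix has been declared at all."""
    introduced: str
    fixed: Optional[str]

    def affects(self, v: Version) -> bool:
        if v < parse(self.introduced):
            return False
        return self.fixed is None or v < parse(self.fixed)


def is_safe(v: Version, vulns: list[Vulnerability]) -> bool:
    return not any(vuln.affects(v) for vuln in vulns)


def unpublished_fixes(vulns: list[Vulnerability], published: list[str]) -> list[str]:
    """Declared fix versions that the registry does not ship (the ZipFile 4.3.1 situation)."""
    shipped = {parse(p) for p in published}
    return [v.fixed for v in vulns if v.fixed is not None and parse(v.fixed) not in shipped]


def suggest_safe_versions(current: str, published: list[str],
                          vulns: list[Vulnerability]) -> dict[str, Optional[str]]:
    """For each semver portion, return the LATEST published version newer than
    `current` that none of the vulnerabilities affects, or None if there is none."""
    cur = parse(current)
    # Only versions that exist in the registry are candidates: an advisory's
    # "fixed in X" is not enough on its own, X must actually have been published.
    safe = [v for v in map(parse, published) if v > cur and is_safe(v, vulns)]

    def latest(keep: Callable[[Version], bool]) -> Optional[str]:
        candidates = [v for v in safe if keep(v)]
        return fmt(max(candidates)) if candidates else None

    return {
        "patch": latest(lambda v: v[:2] == cur[:2]),
        "minor": latest(lambda v: v[0] == cur[0] and v[1] > cur[1]),
        "major": latest(lambda v: v[0] > cur[0]),
    }


# Constructed registry contents for the "image" example: 0.23.0-0.23.14 and 0.24.0-0.24.6.
IMAGE_PUBLISHED = [f"0.23.{p}" for p in range(0, 15)] + [f"0.24.{p}" for p in range(0, 7)]
IMAGE_VULN = Vulnerability(introduced="0.23.0", fixed="0.23.12")  # constructed range

# Constructed registry contents modelling the ZipFile case: the advisory declares
# the fix in 4.3.1, but that version was never published.
ZIPFILE_PUBLISHED = ["4.0.0", "4.0.1", "4.3.0"]
ZIPFILE_VULN = Vulnerability(introduced="4.0.0", fixed="4.3.1")


if __name__ == "__main__":
    # Single vulnerability: latest safe patch is 0.23.14, not the declared fix 0.23.12.
    print(suggest_safe_versions("0.23.11", IMAGE_PUBLISHED, [IMAGE_VULN]))
    # A second constructed vulnerability only fixed in 0.24.2 removes the whole
    # 0.23.x line from the candidates, so only the minor suggestion survives.
    second = Vulnerability(introduced="0.23.0", fixed="0.24.2")
    print(suggest_safe_versions("0.23.11", IMAGE_PUBLISHED, [IMAGE_VULN, second]))
    # No published version is newer than 4.3.0, so nothing can be suggested.
    print(suggest_safe_versions("4.3.0", ZIPFILE_PUBLISHED, [ZIPFILE_VULN]))
    print(unpublished_fixes([ZIPFILE_VULN], ZIPFILE_PUBLISHED))
```

The point of `unpublished_fixes` is the check a practitioner wants before trusting an advisory's "fixed in" field: a fix version that no registry ships cannot be suggested, and the tool has to fall back to reporting that no safe version exists rather than naming one you cannot install.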
