Fix issues and vulnerabilities

Fix code health issues and security vulnerabilities identified by DeepSource using both manual fixes and automated remediation options.

Fixing Code Health Issues

When addressing code health issues flagged in the DeepSource dashboard, you have two options. The first approach involves manually fixing the issues, while the second method involves Autofix™ — our auto remediation engine.

Manual Fix

If you choose to manually fix the issues, you can follow these steps:

1. Open any issue from the Issues tab and examine the occurrences of the issue. You can identify where the issue exists in the codebase and read the issue description to gain a full understanding of what needs to be fixed and the code changes that are required to address the problem.

2. Referring to the contextual code can provide you with a better understanding of the issue. Manually make the necessary edits in your code and push a commit.
3. DeepSource will automatically analyze every pull-request and new commits on all new and existing pull-requests.
4. Once the checks finish, you will see checks that have passed and some that have failed. If a check passes, it means that the DeepSource Analyzer did not find any issues in the changes made in the PR. If a check fails, it means that there are issues that need to be addressed.
5. You can click on the 'details' view to gain more context on the failing checks and learn how to address the issue effectively.

Autofix

Autofix is DeepSource's auto-remediation engine. Issues that support Autofix show an Autofix button on both the issue list and the issue detail page.

Click the Autofix button to generate fixes for all occurrences of that issue. Once the fixes are ready, review the proposed changes in the Autofix session:

• Create pull request — when Autofix is triggered from a default-branch analysis, the fixes are submitted as a new PR
• Commit to pull request — when triggered from an existing PR's analysis, the fixes are committed directly onto that PR's branch

Fixing Security Vulnerabilities

When DeepSource identifies security vulnerabilities in your project dependencies, you can remediate them using either Autofix (when available) or manual fixes.

Vulnerability Details

Before attempting to fix a vulnerability, it's important to understand its details. DeepSource provides comprehensive information about each vulnerability:

• Vulnerability Title and CVE: Displays the full name and unique CVE identifier
• Affected Package: Shows which package contains the vulnerability and its version
• Severity Metrics: Multiple scoring systems (CVSS V3/V4/V2) to help assess severity
• EPSS Score: Shows likelihood of exploitation percentage
• Reachability Status: Indicates whether vulnerable code is called by your application
• Dynamic Risk Score: DeepSource's custom metric combining CVSS, EPSS, and reachability analysis

Using Autofix for Vulnerabilities

When available, Autofix provides the fastest way to remediate vulnerabilities in your dependencies:

The Autofix interface shows:

• Package Upgrade Information: The vulnerable package version and target fixed version
• Risk Assessment:
  • Version risk indicator
  • Dependency type risk
  • Compatibility risk
  • Update classification (Minor update, Updates direct dependencies, Possibly breaking update)
• AI Overview: Information about the fix, including a summary of changes and breakage risk score

Click Apply fix with pull request to create a PR with the changes.

Manual Vulnerability Remediation

When Autofix isn't available for a vulnerability, you'll need to manually upgrade your dependencies:

The manual fix view provides:

• Package Information: Identifies the vulnerable package and version
• Upgrade Options: Presents multiple potential upgrade paths:
  • Option 1: Upgrade to a newer version in the same major version line
  • Option 2: Consider alternative versions that may involve more significant changes

After identifying the appropriate upgrade path, manually update your dependency manifest file and run your package manager's update command to apply the changes.

Understanding Reachability

To help prioritize vulnerability fixes, DeepSource provides reachable call graphs for many vulnerabilities:

This section shows:

• Function Trace: The call chain from your application code to the vulnerable dependency
• Code Context: Relevant source code with line numbers and syntax highlighting
• Vulnerability Location: Exactly where the vulnerable code is being called

This information helps you understand how a vulnerability could be exploited in your specific application context, making remediation efforts more targeted and effective.