Skills
skills/bitsoex/bitso-java/dependabot-security

dependabot-security

SKILL.md

Dependabot Security

Fix Dependabot security vulnerabilities in Java/Gradle projects with proper verification.

When to use this skill

  • Resolving Dependabot security alerts
  • Fixing CVE vulnerabilities in dependencies
  • Verifying dependency graph for CI compliance
  • Choosing the right fix strategy for transitive dependencies
  • Understanding why dependency-review CI check fails
  • When asked to "fix dependabot vulnerabilities" or "fix security alerts"

Skill Contents

Sections

Available Resources

📚 references/ - Detailed documentation

Quick Start

1. Create Jira ticket first

See global/rules/jira-ticket-workflow.md for ticket creation.

2. Get alerts by severity

REPO=$(gh repo view --json nameWithOwner -q '.nameWithOwner')
gh api --paginate repos/$REPO/dependabot/alerts --jq '.[] | select(.state == "open") | {
  number, severity: .security_advisory.severity, package: .dependency.package.name,
  patched_version: .security_vulnerability.first_patched_version.identifier,
  cve: .security_advisory.cve_id
}'

3. Fix by severity (CRITICAL first, then HIGH, MEDIUM, LOW)

See references/fix-strategies.md for strategy hierarchy.

4. Verify with dependency graph

./gradlew -I gradle/dependency-graph-init.gradle \
    --dependency-verification=off \
    :ForceDependencyResolutionPlugin_resolveAllDependencies

# Check ONLY patched versions appear
grep -i "package-name" build/reports/dependency-graph-snapshots/dependency-list.txt

5. Commit and create PR

git commit -m "🤖 🛡️ fix(security): [JIRA-KEY] resolve CRITICAL vulnerabilities"

Key Concepts

Severity-Based Processing

Process ONE severity level at a time, creating separate PRs for each:

Priority Severity When to Process
1 CRITICAL Always first
2 HIGH After no CRITICAL
3 MEDIUM After no HIGH
4 LOW After no MEDIUM

Dependency Graph vs Runtime Resolution

The dependency graph plugin reports ALL versions to GitHub, not just the resolved version. Force rules alone won't fix dependency-review failures - use substitution to remove old versions.

Fix Strategy Hierarchy

  1. BOM Update - Update Spring Boot, gRPC, Protobuf BOM versions
  2. Version Catalog - Update direct dependencies in libs.versions.toml
  3. Dependency Substitution - Replace transitive dependencies
  4. Constraints - Set minimum version floors
  5. Force Rules - Quick fix (combine with substitution)
  6. Exclude + Add - Last resort

References

Reference Description
references/fix-strategies.md Detailed fix strategies with examples
references/severity-processing.md Severity-based workflow
references/dependency-graph.md Dependency graph plugin setup and verification
references/troubleshooting.md Common issues and solutions

Related Rules

  • .cursor/rules/java-vulnerability-golden-paths.mdc - Proven fix patterns for common CVEs
  • .cursor/rules/java-versions-and-dependencies.mdc - Version management policies

Related Skills

Skill Purpose
gradle-standards Gradle configuration
sonarqube-integration Code quality checks
Weekly Installs
8
Repository
bitsoex/bitso-java
GitHub Stars
36
First Seen
Jan 24, 2026
Installed on
claude-code6
opencode5
antigravity5
windsurf5
codex5
gemini-cli5