Upgrading software can be challenging for development teams. Endor Automatic Patching allows you to seamlessly fix security vulnerabilities during each software build, minimizing the effort required to maintain a secure codebase.
By enabling automatic patching with Endor Labs for every build, you can automatically address vulnerabilities in both direct and transitive dependencies. This approach helps prevent a growing backlog of security issues.
Enable Automatic Patching
To start using Endor Lab’s automatic patching, follow these steps:
1. Configure Endor Labs Patch Factory
Set Endor Labs Patch Factory as the top priority package repository in your package manager or Artifactory virtual repository.
For detailed instructions, refer to the following documentation:
- Learn how to connect to the Endor Labs Patch Factory.
- Learn how to configure JFrog Artifactory.
- Learn how to configure a Nexus repository.
2. Enable Auto Patching in Endor Labs
To enable auto patching in Endor Labs:
- Access Settings: Navigate to Manage > Settings in your Endor Labs tenant.
- Activate Auto Patching: click Enable Auto Patching.
- Save Configuration: click Save Patch Settings and acknowledge the warning regarding reproducible builds.
Note: Enabling or disabling auto patching may take up to ten minutes to take effect. During this period, changes to your patch settings might not be immediately applied.
Configure projects for automatic patching
After enabling automatic patching globally, you must activate it for individual projects to ensure findings are correctly updated.
Enable automatic patching on a project
To enable auto patching on one of your projects:
- Select Project: Go to Projects and choose the project or projects you want to enable for auto patching.
- Edit Project Tags: Click Edit Tags located on the top right side of the project list.
- Assign Patching Tag: Add the tag
use_streaming_patches=true
to the project. - Save Tags:: Click Save Tags to apply the changes.
- Rescan Project: Rescan the project to update the bill of materials and associate the findings with Endor Patches.
Note: If you do not set this tag, Endor Labs will continue to report vulnerabilities based on the upstream open-source packages without applying automatic patches.
Considerations for automatic patching
While automatic patching enhances security by promptly addressing vulnerabilities, it introduces some trade-offs:
Build Reproducibility: Automatically applied patches may alter the build process or the resulting binaries in unpredictable ways, potentially affecting build reproducibility.
Endor Labs strives to provide the minimal necessary security patches to ensure your software remains secure without introducing significant changes. With automatic patching enabled, new patches are applied automatically as they become available, reducing manual intervention and enhancing your security posture.