Overview

Dependabot is GitHub's automated dependency update tool that helps manage security vulnerabilities in your dependencies. This guide covers handling Dependabot alerts in Java projects, including automation, analysis, and remediation.

Core Concepts

• Dependabot Alerts: Security vulnerabilities detected in dependencies
• Security Advisories: Published vulnerability information
• Automated Fixes: Dependabot's pull requests for vulnerable dependencies
• Custom Integration: Programmatic access to Dependabot data

GitHub API Integration

1. Dependabot API Client

package com.example.dependabot;
import org.springframework.http.*;
import org.springframework.web.client.RestTemplate;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.*;
public class DependabotApiClient {
private final RestTemplate restTemplate;
private final ObjectMapper objectMapper;
private final String githubToken;
private final String baseUrl;
public DependabotApiClient(String githubToken, String baseUrl) {
this.restTemplate = new RestTemplate();
this.objectMapper = new ObjectMapper();
this.githubToken = githubToken;
this.baseUrl = baseUrl;
}
public List<DependabotAlert> getDependabotAlerts(String owner, String repo) {
HttpHeaders headers = createHeaders();
String url = String.format("%s/repos/%s/%s/dependabot/alerts", baseUrl, owner, repo);
ResponseEntity<DependabotAlert[]> response = restTemplate.exchange(
url, HttpMethod.GET, new HttpEntity<>(headers), DependabotAlert[].class);
if (response.getStatusCode() == HttpStatus.OK) {
return Arrays.asList(response.getBody());
} else {
throw new RuntimeException("Failed to fetch Dependabot alerts: " + response.getStatusCode());
}
}
public DependabotAlert getAlert(String owner, String repo, String alertNumber) {
HttpHeaders headers = createHeaders();
String url = String.format("%s/repos/%s/%s/dependabot/alerts/%s", 
baseUrl, owner, repo, alertNumber);
ResponseEntity<DependabotAlert> response = restTemplate.exchange(
url, HttpMethod.GET, new HttpEntity<>(headers), DependabotAlert.class);
if (response.getStatusCode() == HttpStatus.OK) {
return response.getBody();
} else {
throw new RuntimeException("Failed to fetch alert: " + response.getStatusCode());
}
}
public void updateAlertState(String owner, String repo, String alertNumber, 
AlertState state, String reason) {
HttpHeaders headers = createHeaders();
String url = String.format("%s/repos/%s/%s/dependabot/alerts/%s", 
baseUrl, owner, repo, alertNumber);
Map<String, String> requestBody = new HashMap<>();
requestBody.put("state", state.toString().toLowerCase());
if (reason != null) {
requestBody.put("dismissed_reason", reason);
}
HttpEntity<Map<String, String>> request = new HttpEntity<>(requestBody, headers);
ResponseEntity<Void> response = restTemplate.exchange(
url, HttpMethod.PATCH, request, Void.class);
if (response.getStatusCode() != HttpStatus.OK) {
throw new RuntimeException("Failed to update alert state: " + response.getStatusCode());
}
}
public List<DependabotUpdateConfig> getUpdateConfigs(String owner, String repo) {
HttpHeaders headers = createHeaders();
String url = String.format("%s/repos/%s/%s/dependabot/updates", baseUrl, owner, repo);
ResponseEntity<DependabotUpdateConfig[]> response = restTemplate.exchange(
url, HttpMethod.GET, new HttpEntity<>(headers), DependabotUpdateConfig[].class);
if (response.getStatusCode() == HttpStatus.OK) {
return Arrays.asList(response.getBody());
} else {
throw new RuntimeException("Failed to fetch update configs: " + response.getStatusCode());
}
}
private HttpHeaders createHeaders() {
HttpHeaders headers = new HttpHeaders();
headers.set("Authorization", "token " + githubToken);
headers.set("Accept", "application/vnd.github.v3+json");
headers.setContentType(MediaType.APPLICATION_JSON);
return headers;
}
// Data classes
public static class DependabotAlert {
private String number;
private String state;
private Dependency dependency;
private SecurityAdvisory securityAdvisory;
private SecurityVulnerability securityVulnerability;
private String htmlUrl;
private Date createdAt;
private Date updatedAt;
private Date dismissedAt;
private String dismissedBy;
private String dismissedReason;
private String dismissedComment;
// Getters and setters
public String getNumber() { return number; }
public void setNumber(String number) { this.number = number; }
public String getState() { return state; }
public void setState(String state) { this.state = state; }
public Dependency getDependency() { return dependency; }
public void setDependency(Dependency dependency) { this.dependency = dependency; }
public SecurityAdvisory getSecurityAdvisory() { return securityAdvisory; }
public void setSecurityAdvisory(SecurityAdvisory securityAdvisory) { this.securityAdvisory = securityAdvisory; }
public SecurityVulnerability getSecurityVulnerability() { return securityVulnerability; }
public void setSecurityVulnerability(SecurityVulnerability securityVulnerability) { this.securityVulnerability = securityVulnerability; }
public String getHtmlUrl() { return htmlUrl; }
public void setHtmlUrl(String htmlUrl) { this.htmlUrl = htmlUrl; }
public Date getCreatedAt() { return createdAt; }
public void setCreatedAt(Date createdAt) { this.createdAt = createdAt; }
public Date getUpdatedAt() { return updatedAt; }
public void setUpdatedAt(Date updatedAt) { this.updatedAt = updatedAt; }
public Date getDismissedAt() { return dismissedAt; }
public void setDismissedAt(Date dismissedAt) { this.dismissedAt = dismissedAt; }
public String getDismissedBy() { return dismissedBy; }
public void setDismissedBy(String dismissedBy) { this.dismissedBy = dismissedBy; }
public String getDismissedReason() { return dismissedReason; }
public void setDismissedReason(String dismissedReason) { this.dismissedReason = dismissedReason; }
public String getDismissedComment() { return dismissedComment; }
public void setDismissedComment(String dismissedComment) { this.dismissedComment = dismissedComment; }
}
public static class Dependency {
private String packageEcosystem;
private String manifestPath;
private String name;
private String version;
// Getters and setters
public String getPackageEcosystem() { return packageEcosystem; }
public void setPackageEcosystem(String packageEcosystem) { this.packageEcosystem = packageEcosystem; }
public String getManifestPath() { return manifestPath; }
public void setManifestPath(String manifestPath) { this.manifestPath = manifestPath; }
public String getName() { return name; }
public void setName(String name) { this.name = name; }
public String getVersion() { return version; }
public void setVersion(String version) { this.version = version; }
}
public static class SecurityAdvisory {
private String ghsaId;
private String cveId;
private String summary;
private String description;
private String severity;
private List<Reference> references;
private Date publishedAt;
private Date updatedAt;
private Date withdrawnAt;
private List<Vulnerability> vulnerabilities;
// Getters and setters
public String getGhsaId() { return ghsaId; }
public void setGhsaId(String ghsaId) { this.ghsaId = ghsaId; }
public String getCveId() { return cveId; }
public void setCveId(String cveId) { this.cveId = cveId; }
public String getSummary() { return summary; }
public void setSummary(String summary) { this.summary = summary; }
public String getDescription() { return description; }
public void setDescription(String description) { this.description = description; }
public String getSeverity() { return severity; }
public void setSeverity(String severity) { this.severity = severity; }
public List<Reference> getReferences() { return references; }
public void setReferences(List<Reference> references) { this.references = references; }
public Date getPublishedAt() { return publishedAt; }
public void setPublishedAt(Date publishedAt) { this.publishedAt = publishedAt; }
public Date getUpdatedAt() { return updatedAt; }
public void setUpdatedAt(Date updatedAt) { this.updatedAt = updatedAt; }
public Date getWithdrawnAt() { return withdrawnAt; }
public void setWithdrawnAt(Date withdrawnAt) { this.withdrawnAt = withdrawnAt; }
public List<Vulnerability> getVulnerabilities() { return vulnerabilities; }
public void setVulnerabilities(List<Vulnerability> vulnerabilities) { this.vulnerabilities = vulnerabilities; }
}
public static class SecurityVulnerability {
private String packageEcosystem;
private String manifestPath;
private String packageName;
private String severity;
private String vulnerableVersionRange;
private String firstPatchedVersion;
// Getters and setters
public String getPackageEcosystem() { return packageEcosystem; }
public void setPackageEcosystem(String packageEcosystem) { this.packageEcosystem = packageEcosystem; }
public String getManifestPath() { return manifestPath; }
public void setManifestPath(String manifestPath) { this.manifestPath = manifestPath; }
public String getPackageName() { return packageName; }
public void setPackageName(String packageName) { this.packageName = packageName; }
public String getSeverity() { return severity; }
public void setSeverity(String severity) { this.severity = severity; }
public String getVulnerableVersionRange() { return vulnerableVersionRange; }
public void setVulnerableVersionRange(String vulnerableVersionRange) { this.vulnerableVersionRange = vulnerableVersionRange; }
public String getFirstPatchedVersion() { return firstPatchedVersion; }
public void setFirstPatchedVersion(String firstPatchedVersion) { this.firstPatchedVersion = firstPatchedVersion; }
}
public static class DependabotUpdateConfig {
private String targetBranch;
private String directory;
private String packageEcosystem;
private String scheduleInterval;
private String openPullRequestsLimit;
private Boolean ignoreConditions;
private Boolean allow;
private Boolean assignees;
private Boolean commitMessage;
private Boolean labels;
private Boolean rebaseStrategy;
private Boolean reviewers;
private Boolean milestone;
private Boolean versioningStrategy;
// Getters and setters
}
public static class Reference {
private String url;
// Getters and setters
}
public static class Vulnerability {
private String packageEcosystem;
private String packageName;
private String vulnerableVersionRange;
private String firstPatchedVersion;
// Getters and setters
}
public enum AlertState {
DISMISSED, OPEN, FIXED
}
}

Alert Analysis and Management

2. Dependabot Alert Analyzer

package com.example.dependabot;
import java.util.*;
import java.util.stream.Collectors;
public class DependabotAlertAnalyzer {
public AlertAnalysis analyzeAlerts(List<DependabotApiClient.DependabotAlert> alerts) {
AlertAnalysis analysis = new AlertAnalysis();
for (DependabotApiClient.DependabotAlert alert : alerts) {
if ("open".equals(alert.getState())) {
analysis.addOpenAlert(alert);
// Categorize by severity
String severity = alert.getSecurityAdvisory().getSeverity();
analysis.addAlertBySeverity(severity, alert);
// Categorize by ecosystem
String ecosystem = alert.getDependency().getPackageEcosystem();
analysis.addAlertByEcosystem(ecosystem, alert);
// Check if fix is available
if (alert.getSecurityVulnerability().getFirstPatchedVersion() != null) {
analysis.addFixableAlert(alert);
}
}
}
return analysis;
}
public List<DependabotApiClient.DependabotAlert> filterHighSeverityAlerts(
List<DependabotApiClient.DependabotAlert> alerts) {
return alerts.stream()
.filter(alert -> "open".equals(alert.getState()))
.filter(alert -> {
String severity = alert.getSecurityAdvisory().getSeverity();
return "critical".equals(severity) || "high".equals(severity);
})
.collect(Collectors.toList());
}
public Map<String, List<DependabotApiClient.DependabotAlert>> groupByDependency(
List<DependabotApiClient.DependabotAlert> alerts) {
return alerts.stream()
.filter(alert -> "open".equals(alert.getState()))
.collect(Collectors.groupingBy(
alert -> alert.getDependency().getName()
));
}
public List<DependabotApiClient.DependabotAlert> findAlertsWithAvailableFixes(
List<DependabotApiClient.DependabotAlert> alerts) {
return alerts.stream()
.filter(alert -> "open".equals(alert.getState()))
.filter(alert -> alert.getSecurityVulnerability().getFirstPatchedVersion() != null)
.collect(Collectors.toList());
}
public static class AlertAnalysis {
private final List<DependabotApiClient.DependabotAlert> openAlerts = new ArrayList<>();
private final List<DependabotApiClient.DependabotAlert> fixableAlerts = new ArrayList<>();
private final Map<String, List<DependabotApiClient.DependabotAlert>> alertsBySeverity = new HashMap<>();
private final Map<String, List<DependabotApiClient.DependabotAlert>> alertsByEcosystem = new HashMap<>();
public void addOpenAlert(DependabotApiClient.DependabotAlert alert) {
openAlerts.add(alert);
}
public void addFixableAlert(DependabotApiClient.DependabotAlert alert) {
fixableAlerts.add(alert);
}
public void addAlertBySeverity(String severity, DependabotApiClient.DependabotAlert alert) {
alertsBySeverity.computeIfAbsent(severity, k -> new ArrayList<>()).add(alert);
}
public void addAlertByEcosystem(String ecosystem, DependabotApiClient.DependabotAlert alert) {
alertsByEcosystem.computeIfAbsent(ecosystem, k -> new ArrayList<>()).add(alert);
}
// Getters
public List<DependabotApiClient.DependabotAlert> getOpenAlerts() { return openAlerts; }
public List<DependabotApiClient.DependabotAlert> getFixableAlerts() { return fixableAlerts; }
public Map<String, List<DependabotApiClient.DependabotAlert>> getAlertsBySeverity() { return alertsBySeverity; }
public Map<String, List<DependabotApiClient.DependabotAlert>> getAlertsByEcosystem() { return alertsByEcosystem; }
public String getSummary() {
return String.format(
"Open Alerts: %d, Fixable: %d, Critical: %d, High: %d, Medium: %d, Low: %d",
openAlerts.size(),
fixableAlerts.size(),
alertsBySeverity.getOrDefault("critical", Collections.emptyList()).size(),
alertsBySeverity.getOrDefault("high", Collections.emptyList()).size(),
alertsBySeverity.getOrDefault("medium", Collections.emptyList()).size(),
alertsBySeverity.getOrDefault("low", Collections.emptyList()).size()
);
}
}
}

Automated Remediation

3. Dependency Update Service

package com.example.dependabot;
import org.springframework.stereotype.Service;
import java.util.*;
import java.util.regex.Pattern;
@Service
public class DependencyUpdateService {
public List<DependencyUpdate> calculateRequiredUpdates(
List<DependabotApiClient.DependabotAlert> alerts) {
List<DependencyUpdate> updates = new ArrayList<>();
for (DependabotApiClient.DependabotAlert alert : alerts) {
if ("open".equals(alert.getState()) && 
alert.getSecurityVulnerability().getFirstPatchedVersion() != null) {
DependencyUpdate update = createDependencyUpdate(alert);
updates.add(update);
}
}
return updates;
}
private DependencyUpdate createDependencyUpdate(DependabotApiClient.DependabotAlert alert) {
String currentVersion = alert.getDependency().getVersion();
String fixedVersion = alert.getSecurityVulnerability().getFirstPatchedVersion();
String updateType = determineUpdateType(currentVersion, fixedVersion);
return new DependencyUpdate(
alert.getDependency().getName(),
currentVersion,
fixedVersion,
updateType,
alert.getSecurityAdvisory().getSeverity(),
alert.getNumber(),
alert.getSecurityAdvisory().getSummary()
);
}
private String determineUpdateType(String currentVersion, String fixedVersion) {
try {
String[] currentParts = currentVersion.split("\\.");
String[] fixedParts = fixedVersion.split("\\.");
if (currentParts.length >= 1 && fixedParts.length >= 1) {
int currentMajor = Integer.parseInt(currentParts[0]);
int fixedMajor = Integer.parseInt(fixedParts[0]);
if (currentMajor != fixedMajor) {
return "MAJOR";
}
}
if (currentParts.length >= 2 && fixedParts.length >= 2) {
int currentMinor = Integer.parseInt(currentParts[1]);
int fixedMinor = Integer.parseInt(fixedParts[1]);
if (currentMinor != fixedMinor) {
return "MINOR";
}
}
return "PATCH";
} catch (NumberFormatException e) {
// Fallback for non-semantic versions
return "UNKNOWN";
}
}
public String generateMavenUpdateCommand(DependencyUpdate update) {
return String.format(
"mvn versions:use-latest-versions -Dincludes=%s -DallowMajorUpdates=false",
update.getDependencyName()
);
}
public String generateGradleUpdateCommand(DependencyUpdate update) {
return String.format(
"./gradlew useLatestVersions --update-dependency %s",
update.getDependencyName()
);
}
public static class DependencyUpdate {
private final String dependencyName;
private final String currentVersion;
private final String fixedVersion;
private final String updateType;
private final String severity;
private final String alertNumber;
private final String advisorySummary;
public DependencyUpdate(String dependencyName, String currentVersion, 
String fixedVersion, String updateType, String severity,
String alertNumber, String advisorySummary) {
this.dependencyName = dependencyName;
this.currentVersion = currentVersion;
this.fixedVersion = fixedVersion;
this.updateType = updateType;
this.severity = severity;
this.alertNumber = alertNumber;
this.advisorySummary = advisorySummary;
}
// Getters
public String getDependencyName() { return dependencyName; }
public String getCurrentVersion() { return currentVersion; }
public String getFixedVersion() { return fixedVersion; }
public String getUpdateType() { return updateType; }
public String getSeverity() { return severity; }
public String getAlertNumber() { return alertNumber; }
public String getAdvisorySummary() { return advisorySummary; }
@Override
public String toString() {
return String.format("%s: %s -> %s (%s - %s)", 
dependencyName, currentVersion, fixedVersion, updateType, severity);
}
}
}

Integration with CI/CD Pipeline

4. CI/CD Integration Service

package com.example.dependabot;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import java.util.*;
@Service
public class CICDIntegrationService {
@Value("${github.owner}")
private String githubOwner;
@Value("${github.repo}")
private String githubRepo;
@Value("${github.token}")
private String githubToken;
private final DependabotApiClient apiClient;
private final DependabotAlertAnalyzer analyzer;
private final DependencyUpdateService updateService;
public CICDIntegrationService() {
this.apiClient = new DependabotApiClient(githubToken, "https://api.github.com");
this.analyzer = new DependabotAlertAnalyzer();
this.updateService = new DependencyUpdateService();
}
public CIComplianceReport checkCICompliance() {
try {
List<DependabotApiClient.DependabotAlert> alerts = 
apiClient.getDependabotAlerts(githubOwner, githubRepo);
AlertAnalysis analysis = analyzer.analyzeAlerts(alerts);
CIComplianceReport report = new CIComplianceReport();
report.setTotalAlerts(analysis.getOpenAlerts().size());
report.setCriticalAlerts(
analysis.getAlertsBySeverity().getOrDefault("critical", Collections.emptyList()).size());
report.setHighAlerts(
analysis.getAlertsBySeverity().getOrDefault("high", Collections.emptyList()).size());
// Check compliance against thresholds
boolean isCompliant = report.getCriticalAlerts() == 0 && report.getHighAlerts() == 0;
report.setCompliant(isCompliant);
if (!isCompliant) {
report.setFailureReason(
String.format("Found %d critical and %d high severity alerts", 
report.getCriticalAlerts(), report.getHighAlerts()));
}
return report;
} catch (Exception e) {
CIComplianceReport errorReport = new CIComplianceReport();
errorReport.setCompliant(false);
errorReport.setFailureReason("Failed to fetch Dependabot alerts: " + e.getMessage());
return errorReport;
}
}
public AutomatedFixReport generateAutomatedFixes() {
try {
List<DependabotApiClient.DependabotAlert> alerts = 
apiClient.getDependabotAlerts(githubOwner, githubRepo);
List<DependabotApiClient.DependabotAlert> fixableAlerts = 
analyzer.findAlertsWithAvailableFixes(alerts);
List<DependencyUpdateService.DependencyUpdate> updates = 
updateService.calculateRequiredUpdates(fixableAlerts);
AutomatedFixReport report = new AutomatedFixReport();
report.setFixableAlerts(fixableAlerts.size());
report.setRecommendedUpdates(updates);
// Generate update commands
List<String> mavenCommands = new ArrayList<>();
List<String> gradleCommands = new ArrayList<>();
for (DependencyUpdateService.DependencyUpdate update : updates) {
mavenCommands.add(updateService.generateMavenUpdateCommand(update));
gradleCommands.add(updateService.generateGradleUpdateCommand(update));
}
report.setMavenUpdateCommands(mavenCommands);
report.setGradleUpdateCommands(gradleCommands);
return report;
} catch (Exception e) {
AutomatedFixReport errorReport = new AutomatedFixReport();
errorReport.setSuccess(false);
errorReport.setError("Failed to generate automated fixes: " + e.getMessage());
return errorReport;
}
}
public void autoDismissFalsePositives() {
try {
List<DependabotApiClient.DependabotAlert> alerts = 
apiClient.getDependabotAlerts(githubOwner, githubRepo);
for (DependabotApiClient.DependabotAlert alert : alerts) {
if (shouldAutoDismiss(alert)) {
apiClient.updateAlertState(
githubOwner, githubRepo, alert.getNumber(),
DependabotApiClient.AlertState.DISMISSED, "false_positive");
System.out.println("Auto-dismissed alert: " + alert.getNumber());
}
}
} catch (Exception e) {
System.err.println("Failed to auto-dismiss false positives: " + e.getMessage());
}
}
private boolean shouldAutoDismiss(DependabotApiClient.DependabotAlert alert) {
// Implement your logic for auto-dismissal
// Example: Dismiss low-severity alerts in test dependencies
return "low".equals(alert.getSecurityAdvisory().getSeverity()) &&
isTestDependency(alert.getDependency());
}
private boolean isTestDependency(DependabotApiClient.Dependency dependency) {
String name = dependency.getName().toLowerCase();
return name.contains("junit") || name.contains("mockito") || 
name.contains("testcontainers") || name.contains("assertj");
}
public static class CIComplianceReport {
private boolean compliant;
private String failureReason;
private int totalAlerts;
private int criticalAlerts;
private int highAlerts;
// Getters and setters
public boolean isCompliant() { return compliant; }
public void setCompliant(boolean compliant) { this.compliant = compliant; }
public String getFailureReason() { return failureReason; }
public void setFailureReason(String failureReason) { this.failureReason = failureReason; }
public int getTotalAlerts() { return totalAlerts; }
public void setTotalAlerts(int totalAlerts) { this.totalAlerts = totalAlerts; }
public int getCriticalAlerts() { return criticalAlerts; }
public void setCriticalAlerts(int criticalAlerts) { this.criticalAlerts = criticalAlerts; }
public int getHighAlerts() { return highAlerts; }
public void setHighAlerts(int highAlerts) { this.highAlerts = highAlerts; }
}
public static class AutomatedFixReport {
private boolean success = true;
private String error;
private int fixableAlerts;
private List<DependencyUpdateService.DependencyUpdate> recommendedUpdates;
private List<String> mavenUpdateCommands;
private List<String> gradleUpdateCommands;
// Getters and setters
public boolean isSuccess() { return success; }
public void setSuccess(boolean success) { this.success = success; }
public String getError() { return error; }
public void setError(String error) { this.error = error; }
public int getFixableAlerts() { return fixableAlerts; }
public void setFixableAlerts(int fixableAlerts) { this.fixableAlerts = fixableAlerts; }
public List<DependencyUpdateService.DependencyUpdate> getRecommendedUpdates() { return recommendedUpdates; }
public void setRecommendedUpdates(List<DependencyUpdateService.DependencyUpdate> recommendedUpdates) { this.recommendedUpdates = recommendedUpdates; }
public List<String> getMavenUpdateCommands() { return mavenUpdateCommands; }
public void setMavenUpdateCommands(List<String> mavenUpdateCommands) { this.mavenUpdateCommands = mavenUpdateCommands; }
public List<String> getGradleUpdateCommands() { return gradleUpdateCommands; }
public void setGradleUpdateCommands(List<String> gradleUpdateCommands) { this.gradleUpdateCommands = gradleUpdateCommands; }
}
}

Reporting and Notification

5. Alert Reporting Service

package com.example.dependabot;
import org.springframework.mail.SimpleMailMessage;
import org.springframework.mail.javamail.JavaMailSender;
import org.springframework.stereotype.Service;
import java.util.*;
@Service
public class AlertReportingService {
private final JavaMailSender mailSender;
private final DependabotApiClient apiClient;
public AlertReportingService(JavaMailSender mailSender, DependabotApiClient apiClient) {
this.mailSender = mailSender;
this.apiClient = apiClient;
}
public void sendDailyAlertReport(String owner, String repo, String[] recipients) {
try {
List<DependabotApiClient.DependabotAlert> alerts = 
apiClient.getDependabotAlerts(owner, repo);
AlertReport report = generateDailyReport(alerts);
SimpleMailMessage message = new SimpleMailMessage();
message.setTo(recipients);
message.setSubject(String.format("Dependabot Alert Report - %s/%s", owner, repo));
message.setText(formatReportEmail(report));
mailSender.send(message);
} catch (Exception e) {
System.err.println("Failed to send daily alert report: " + e.getMessage());
}
}
public void sendCriticalAlertNotification(DependabotApiClient.DependabotAlert alert, 
String[] recipients) {
SimpleMailMessage message = new SimpleMailMessage();
message.setTo(recipients);
message.setSubject("🚨 CRITICAL Dependabot Alert: " + 
alert.getSecurityAdvisory().getSummary());
message.setText(formatCriticalAlertEmail(alert));
mailSender.send(message);
}
private AlertReport generateDailyReport(List<DependabotApiClient.DependabotAlert> alerts) {
AlertReport report = new AlertReport();
report.setReportDate(new Date());
Map<String, Integer> severityCounts = new HashMap<>();
Map<String, Integer> ecosystemCounts = new HashMap<>();
for (DependabotApiClient.DependabotAlert alert : alerts) {
if ("open".equals(alert.getState())) {
report.addOpenAlert(alert);
String severity = alert.getSecurityAdvisory().getSeverity();
severityCounts.merge(severity, 1, Integer::sum);
String ecosystem = alert.getDependency().getPackageEcosystem();
ecosystemCounts.merge(ecosystem, 1, Integer::sum);
}
}
report.setSeverityCounts(severityCounts);
report.setEcosystemCounts(ecosystemCounts);
return report;
}
private String formatReportEmail(AlertReport report) {
StringBuilder sb = new StringBuilder();
sb.append("Dependabot Security Alert Report\n");
sb.append("================================\n\n");
sb.append("Report Date: ").append(report.getReportDate()).append("\n");
sb.append("Total Open Alerts: ").append(report.getOpenAlerts().size()).append("\n\n");
sb.append("Breakdown by Severity:\n");
report.getSeverityCounts().forEach((severity, count) -> 
sb.append("  ").append(severity.toUpperCase()).append(": ").append(count).append("\n"));
sb.append("\nBreakdown by Ecosystem:\n");
report.getEcosystemCounts().forEach((ecosystem, count) -> 
sb.append("  ").append(ecosystem).append(": ").append(count).append("\n"));
sb.append("\nCritical Alerts:\n");
report.getOpenAlerts().stream()
.filter(alert -> "critical".equals(alert.getSecurityAdvisory().getSeverity()))
.limit(5)
.forEach(alert -> sb.append("  - ").append(alert.getDependency().getName())
.append(": ").append(alert.getSecurityAdvisory().getSummary()).append("\n"));
sb.append("\nView all alerts: https://github.com/").append(report.getOwner())
.append("/").append(report.getRepo()).append("/security/dependabot");
return sb.toString();
}
private String formatCriticalAlertEmail(DependabotApiClient.DependabotAlert alert) {
return String.format(
"CRITICAL SECURITY ALERT\n\n" +
"Dependency: %s\n" +
"Version: %s\n" +
"Advisory: %s\n" +
"Description: %s\n\n" +
"First Patched Version: %s\n\n" +
"View Alert: %s\n\n" +
"Recommended Action: Update to version %s immediately",
alert.getDependency().getName(),
alert.getDependency().getVersion(),
alert.getSecurityAdvisory().getSummary(),
alert.getSecurityAdvisory().getDescription(),
alert.getSecurityVulnerability().getFirstPatchedVersion(),
alert.getHtmlUrl(),
alert.getSecurityVulnerability().getFirstPatchedVersion()
);
}
public void generateSlackNotification(AlertReport report, String webhookUrl) {
// Implementation for Slack webhook integration
// This would send a formatted message to a Slack channel
}
public static class AlertReport {
private Date reportDate;
private String owner;
private String repo;
private List<DependabotApiClient.DependabotAlert> openAlerts = new ArrayList<>();
private Map<String, Integer> severityCounts = new HashMap<>();
private Map<String, Integer> ecosystemCounts = new HashMap<>();
// Getters and setters
public Date getReportDate() { return reportDate; }
public void setReportDate(Date reportDate) { this.reportDate = reportDate; }
public String getOwner() { return owner; }
public void setOwner(String owner) { this.owner = owner; }
public String getRepo() { return repo; }
public void setRepo(String repo) { this.repo = repo; }
public List<DependabotApiClient.DependabotAlert> getOpenAlerts() { return openAlerts; }
public void setOpenAlerts(List<DependabotApiClient.DependabotAlert> openAlerts) { this.openAlerts = openAlerts; }
public void addOpenAlert(DependabotApiClient.DependabotAlert alert) { this.openAlerts.add(alert); }
public Map<String, Integer> getSeverityCounts() { return severityCounts; }
public void setSeverityCounts(Map<String, Integer> severityCounts) { this.severityCounts = severityCounts; }
public Map<String, Integer> getEcosystemCounts() { return ecosystemCounts; }
public void setEcosystemCounts(Map<String, Integer> ecosystemCounts) { this.ecosystemCounts = ecosystemCounts; }
}
}

Configuration and Setup

6. Spring Boot Configuration

package com.example.dependabot.config;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.example.dependabot.DependabotApiClient;
@Configuration
public class DependabotConfig {
@Value("${github.token}")
private String githubToken;
@Value("${github.api.url:https://api.github.com}")
private String githubApiUrl;
@Bean
public DependabotApiClient dependabotApiClient() {
return new DependabotApiClient(githubToken, githubApiUrl);
}
}
// application.yml
github:
token: ${GITHUB_TOKEN}
owner: your-organization
repo: your-repository
api:
url: https://api.github.com
mail:
host: smtp.gmail.com
port: 587
username: ${EMAIL_USERNAME}
password: ${EMAIL_PASSWORD}
properties:
mail:
smtp:
auth: true
starttls:
enable: true
# Dependabot configuration thresholds
dependabot:
compliance:
max-critical: 0
max-high: 0
max-total: 10
reporting:
daily-recipients: "[email protected]"
critical-recipients: "[email protected]"

Usage Examples

7. Main Application Runner

package com.example.dependabot;
import org.springframework.boot.CommandLineRunner;
import org.springframework.stereotype.Component;
@Component
public class DependabotRunner implements CommandLineRunner {
private final CICDIntegrationService ciCdService;
private final AlertReportingService reportingService;
public DependabotRunner(CICDIntegrationService ciCdService, 
AlertReportingService reportingService) {
this.ciCdService = ciCdService;
this.reportingService = reportingService;
}
@Override
public void run(String... args) throws Exception {
if (args.length > 0) {
switch (args[0]) {
case "check-compliance":
checkCompliance();
break;
case "generate-fixes":
generateFixes();
break;
case "daily-report":
sendDailyReport();
break;
case "auto-dismiss":
autoDismissFalsePositives();
break;
default:
System.out.println("Unknown command: " + args[0]);
}
}
}
private void checkCompliance() {
CICDIntegrationService.CIComplianceReport report = ciCdService.checkCICompliance();
if (report.isCompliant()) {
System.out.println("✅ Dependabot compliance check PASSED");
} else {
System.out.println("❌ Dependabot compliance check FAILED");
System.out.println("Reason: " + report.getFailureReason());
System.exit(1);
}
}
private void generateFixes() {
CICDIntegrationService.AutomatedFixReport report = ciCdService.generateAutomatedFixes();
if (report.isSuccess()) {
System.out.println("Found " + report.getFixableAlerts() + " fixable alerts");
System.out.println("\nRecommended Maven commands:");
report.getMavenUpdateCommands().forEach(System.out::println);
System.out.println("\nRecommended Gradle commands:");
report.getGradleUpdateCommands().forEach(System.out::println);
} else {
System.err.println("Failed to generate fixes: " + report.getError());
}
}
private void sendDailyReport() {
// This would be scheduled to run daily
reportingService.sendDailyAlertReport(
"your-org", "your-repo", 
new String[]{"[email protected]"});
}
private void autoDismissFalsePositives() {
ciCdService.autoDismissFalsePositives();
}
}

This comprehensive Dependabot alerts management system provides:

1. API Integration with GitHub's Dependabot API
2. Alert Analysis and categorization
3. Automated Remediation suggestions
4. CI/CD Integration for compliance checking
5. Reporting and Notifications for team awareness
6. False Positive Management with auto-dismissal rules

The system can be integrated into your development workflow to automatically manage security vulnerabilities and ensure compliance with your organization's security policies.