On rare occasions, when remediating violations, you may run into the following problems:
- Error message: Transitive Dependency check for this component took too long to compute
- Recommendations and version graph taking too long to load (~15 min)
While a large majority (~99%) of our observed remediation results are delivered on the order of seconds, sometimes things take a little longer. We've encountered this with components such as aws-sdk-java and aws-java-sdk (that are released daily). If you have not migrated to a newer version of these components for a while, one of two things may occur:
- You see the error "Transitive Dependency check for this component took too long to compute". The dependency check takes too long because the number of versions is abnormally large, and it does not complete in time.
- Or, recommendations and the version graph take a long time to load. In this case the request completes in time, but the response payloads are large (due to the abnormally large number of evaluated versions). The payload can then take some time to download (depending on your network configuration) and subsequently render.
Identifying security vulnerabilities with these components remains unaffected.
How to mitigate
With IQ server v139, administrators can choose to disable the transitive solver capability entirely. This can be achieved via the following POST request:
POST
http://<URL_to_iq_server>/api/experimental/config/features/transitiveSolverDisable
While the solver is disabled, users are no longer able to view recommendations that remediate both direct and transitive risk.
To enable the transitive solver again, an administrator can call the same endpoint with a DELETE request:
DELETE
http://<URL_to_iq_server>/api/experimental/config/features/transitiveSolverDisable
which should help users view recommendations that remediate both direct and transitive risk once again.
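The two requests above wrapped in a small shell helper, as an added example that is not Sonatype's own tooling. The variable names IQ_URL, IQ_USER and DRY_RUN and the function names are hypothetical, and HTTP basic authentication with an administrator account is an assumption, not something this page states.

```shell
#!/bin/sh
# Added example: toggle the IQ Server transitive solver feature flag.
# Assumptions (not from the page): IQ_URL, IQ_USER, DRY_RUN are names chosen
# for this sketch; the server is assumed to accept HTTP basic auth.

FEATURE_PATH="api/experimental/config/features/transitiveSolverDisable"

# Map the desired solver state to the HTTP method given on the page:
# POST sets the "disable" flag, DELETE clears it again.
solver_method() {
    case "$1" in
        disable) echo POST ;;
        enable)  echo DELETE ;;
        *)       return 2 ;;
    esac
}

# Build the endpoint URL, trimming one trailing slash from the base URL
# so the path is never joined with a double slash.
solver_url() {
    printf '%s/%s\n' "${1%/}" "$FEATURE_PATH"
}

# Usage: IQ_URL=... IQ_USER=... set_transitive_solver enable|disable
set_transitive_solver() {
    method=$(solver_method "$1") || {
        echo "usage: set_transitive_solver enable|disable" >&2
        return 2
    }
    url=$(solver_url "${IQ_URL:?set IQ_URL to the IQ Server base URL}")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # Show what would be sent without contacting the server.
        echo "$method $url"
        return 0
    fi
    # Passing only the user name makes curl prompt for the password,
    # which keeps it out of shell history and the process list.
    # --fail turns an HTTP error status into a non-zero exit code.
    curl --fail --silent --show-error \
         --user "${IQ_USER:?set IQ_USER to an administrator account}" \
         --request "$method" "$url"
}
```

Run it once with DRY_RUN=1 to confirm the method and URL before sending the real request.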