Invention Grant
- Patent Title: Open source vulnerability remediation tool
- Application No.: US16228538
- Application Date: 2018-12-20
- Publication No.: US11308218B2
- Publication Date: 2022-04-19
- Inventor: Vinjith Nagaraja, Raymond Brammer, James Myers, Christopher Gutierrez, Ireneusz Pazdzierniak, Shanshan Jiang, Karim Mawani, Pankaj Rathore, Jerry Wald, David Worth, Dhruv Vig, Archana Taparia, Robert Chifamba, Vamshi Ramarapu
- Applicant: Visa International Service Association
- Applicant Address: US CA San Francisco
- Assignee: Visa International Service Association
- Current Assignee: Visa International Service Association
- Current Assignee Address: US CA San Francisco
- Agency: Kilpatrick Townsend & Stockton LLP
- Main IPC: G06F21/57
- IPC: G06F21/57; G06F11/36; G06F8/71

Abstract:
A method and system for remediating vulnerable code libraries, including open source libraries, in a software application. An application that uses code libraries and information regarding known library vulnerabilities are received, and one or more libraries in the application that are vulnerable are identified based upon the information. For each of the one or more vulnerable libraries, a library version that minimizes risk is determined. The determined library version is incorporated into the application to form a test application, and an application test is performed on the test application. If an application test score on the test application is below a predetermined threshold, the determined library version is incorporated into a final application precursor. A final application can be determined from the final application precursor for each of the one or more vulnerable libraries.