Dependency risks

SonarQube Advanced Security is an Enterprise add-on that extends SonarQube’s capabilities by offering deeper security analysis and compliance-focused features.

In connected mode, you can see the results from SonarQube Server’s Advanced Security tools for Software Composition Analysis (SCA) directly in the Visual Studio UI. This includes:

  • Vulnerabilities in your third-party open source dependencies.

  • Places where your open source dependencies may be in conflict with your organization’s license policies.

Prerequisites

  • SonarQube Server Enterprise edition, version 2025.4 or later.

  • The Advanced Security add-on with Software Composition Analysis (SCA) enabled on your SonarQube Server instance.

  • SonarQube for IntelliJ running in connected mode with SonarQube Server. See the pages on Connected mode and Connected mode setup for more details.

How to view your dependency risks

In SonarQube for IntelliJ, dependency risks are displayed in the SonarQube for IDE > Findings tab, under the Dependency Risks filter. It is important that you switch the filter to include All Files because dependency risks apply to the whole project (not just your open file).

  1. Be sure that the Dependency Risks filter is selected.

  2. Select Show Filters.

  3. Set your Scope to All Files.

For each dependency risk, the following information is displayed:

  • Risk type: Vulnerability or Prohibited license

  • Risk severity: Blocker, High, Medium, Low, or Info

  • Package name

  • Package version

You can select a risk to open it in SonarQube Server to get more details.

Fixing dependency risks

Because dependency risk analysis requires that you run in connected mode, any changes you make to the code must be analyzed by your instance of SonarQube Server. Here are two options to resolve dependency risks displayed by SonarQube for IntelliJ:

  • After you fix the dependency risk in your IDE, commit your code to the server and rerun the analysis on SonarQube Server. The new status of the risk will be reflected in your IDE.

  • Mark the dependency risk as Confirmed, Accepted, or Safe directly from the IntelliJ UI or in SonarQube Server. You can also add comments. The status update is then reflected in IntelliJ or SonarQube Server.
