# Dependency risks

In connected mode, you can see the results of the SonarQube (Server, Cloud) [Advanced Security](/sonarqube-cloud/advanced-security.md) software composition analysis (SCA) directly in the Visual Studio UI. This includes:

* Vulnerabilities in your third-party open source dependencies.
* Open source dependencies whose licenses may conflict with your organization’s license policies.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

* Using SonarQube Server Enterprise edition version 2025.4 or later, or SonarQube Cloud with the Enterprise Plan.
* Having the Advanced Security add-on with SCA enabled. SCA is enabled by default in SonarQube Cloud and must be manually activated in SonarQube Server.
* Running SonarQube for Visual Studio in connected mode with SonarQube (Server, Cloud). See the pages on [Connected mode](/sonarqube-for-visual-studio/connect-your-ide/connected-mode.md) and [Connected mode setup](/sonarqube-for-visual-studio/connect-your-ide/setup.md) for more details.

## How to view your dependency risks <a href="#how-to-view-your-dependency-risks" id="how-to-view-your-dependency-risks"></a>

To see dependency risks in SonarQube for Visual Studio, go to **Extensions** > **SonarQube** > **Connected Mode** > **View SonarQube Report**. The list of dependency risks is displayed in the **SonarQube Report** tool window, which also lists security hotspots and taint vulnerabilities.

Dependency risks can be filtered by severity and status, and you can choose to display the dependency risks found for the current document or the open documents.

Deselect the **Issues**, **Security Hotspots**, and **Taint Vulnerabilities** filters to isolate your **Dependency Risks**. Select the **Filter** icon to expose the option to choose severity and status.

<div align="left"><figure><img src="/files/8CqHXwT3bz4lFakzAuLf" alt="Dependency risks in the SonarQube Report tool window." width="563"><figcaption></figcaption></figure></div>

For each dependency risk, the following information is displayed:

* **Risk type**: Vulnerability or Prohibited license
* **Risk severity**: Blocker, High, Medium, Low, or Info
* **Package name**
* **Package version**

To get more details on a dependency risk, select it and open it in SonarQube Server or SonarQube Cloud.

## Fixing dependency risks <a href="#fixing-dependency-risks" id="fixing-dependency-risks"></a>

Because dependency risk analysis is only available in connected mode, any change you make to your code must be analyzed by your instance of SonarQube Server or SonarQube Cloud.

There are two ways to resolve the dependency risks displayed by SonarQube for Visual Studio:

* After you fix the dependency risk in your IDE, commit your code and trigger a new analysis on SonarQube Server or SonarQube Cloud. The new status of the risk will be reflected in your IDE.
* Mark the dependency risk as **Confirmed**, **Accepted**, or **Safe** directly from the Visual Studio UI or in SonarQube Server or SonarQube Cloud. You can also add comments. The status update is then reflected in both Visual Studio and SonarQube (Server, Cloud).

