
Reviewing and fixing dependency risks

Advanced Security is only available in SonarQube Server, as an add-on starting in Enterprise Edition.

SonarQube Server lets you manage dependency risks, mark them as safe, confirmed, or accepted, and assign them to other members of your team.

Permissions

On private projects, applications, and portfolios, the following permissions apply:

  • Browse: access, browse, confirm dependency risks, change assignee.
  • Administer issues: change risk severity, resolve risks as Accepted or Safe.

Anyone is allowed to browse dependency risks on public projects, applications and portfolios.

Changing the status of a dependency risk requires the Administer issues permission.

Reviewing and fixing dependency risks

Navigate to the Dependency Risks tab located under Projects, Applications and Portfolios.

The SonarQube Server Dependency risks tab.

Use Filters in the left sidebar to narrow down the results. You can filter the results by:

  • Risk type: Vulnerability and Prohibited license
  • Risk severity: Blocker, High, Medium, Low, or Info
  • Software quality: Security, Maintainability
  • Dependency type: Direct or Transitive
  • Dependency scope: Production or Development
  • Package manager: See Analyzing project for dependencies for a list of supported package managers and languages.
  • Status: Accepted, Confirmed, Open, Fixed, Safe
  • Assignee: Type in the name of the person assigned and select it from the list.

From there, you can sort or search the list of results:

  • by choosing the sorting criteria from the Sort by dropdown menu
  • by entering a vulnerability ID (such as CVE-2022-38392) into the search box to find a specific vulnerability by name

The following information is displayed for each dependency risk in the list:

Information on each dependency risk card.

  1. Descriptive title of the dependency risk. Click on the title to open a detailed view.
  2. Software quality, risk type, and severity
  3. Status: Open, Confirmed, Accepted, Safe
  4. Assignee of the risk
  5. Amount of time that has passed since the risk was first detected
  6. Affected dependency and version

Understanding the risk types

Each dependency risk has an assigned risk type:

  • Vulnerability: When a third-party dependency is affected by a publicly reported vulnerability, such as a record on CVE.org
  • Prohibited License: When a third-party dependency has a software license not allowed by the project's associated license profile and policy.

Changing dependency status and assigning risks

Dependency risk lifecycle

A dependency risk can have the following statuses:

  • Open: Initial state of a dependency risk after analysis. The risk has not yet been reviewed.
  • Confirmed: Indicates that the dependency risk has been reviewed and the risk is valid.
  • Accepted: The risk is valid, but it may not be fixed for a while.
  • Safe: Indicates that the dependency risk does not compromise the security of the software. A mandatory justification must be provided.

To change the status of the dependency risk, click the Change Status button to open a modal. From the Status dropdown list select a new status for the risk and enter a description for the change in the Explain your decision text box.

Assigning a dependency risk

You can delegate a review of dependency risks to other team members by clicking the Unassigned dropdown menu and entering a name. You can also assign the risk to yourself.

Email notifications

If you have subscribed to email notifications for a project, note that the notifications that apply to issues also apply to dependency risks.

Detailed view

Clicking the title of the dependency risk in the list of results opens its detailed view page:

A dependency risk's detailed view.

  1. Details of the dependency risk, including Risk type, Risk Severity, First detected, Assignee, and Status.
  2. What’s the Risk? and How can I fix it? allow you to review information about the dependency risk, the factors affecting the risk’s severity, and information about currently used dependency versions and fixes.
  3. Affected dependencies shows the dependency version that raised the risk, the dependency type, the package manager, and the associated risks. Click View all risks for this dependency for a full list.

What’s the risk?

Sonar uses a holistic approach to determine the severity of a dependency risk. The methods used depend on the associated risk type.

The "What's the risk" tab in the UI.

Vulnerability risk

The risk evaluation is based on the following factors:

  • Severity: Evaluates the technical severity of a vulnerability based on its CVSS assessment.
  • Known exploited: Shows whether the vulnerability has been actively exploited in the wild, as recorded in the CISA KEV catalog.
  • Chance of future exploitation: Estimates the likelihood (percentage) of the vulnerability being exploited in the wild over the next 30 days, as estimated by EPSS.

Sonar combines these factors to assign a severity to a discovered vulnerability so that developers prioritize the most urgent risks in their applications.

Following is a list of the severity levels and their definitions.

Risk severity and definition:

  • Blocker: The vulnerability is on the CISA KEV list.
  • High: The vulnerability has both:
      • High exploitability (an EPSS probability greater than 5%)
      • High risk (a CVSS score over 7.0)
  • Medium: Any other vulnerability that has both:
      • Moderate or unknown exploitability (an EPSS probability greater than 0.5%, or no EPSS scoring)
      • Moderate risk (a CVSS score over 4.0)
  • Low: Any remaining vulnerability that does not fit into another category.
  • Info: Any of the following is true:
      • A Tidelift or Sonar partnered maintainer has declared the vulnerability a false positive
      • The vulnerability has been declared as withdrawn by a vulnerability source (NIST, OSV)

Note: this categorization for Info overrides any criteria that would place the risk into Critical, High, or Low severity.
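The severity rules above, written out as a small classifier over constructed vulnerability records. This is an added example, not SonarQube's own code; the record layout (cvss, epss, in_kev, maintainer_false_positive, withdrawn keys) and the decision to check the Info override ahead of Blocker are my assumptions.

```python
# Added example, not SonarQube's own code: the vulnerability severity rules from
# this page applied to constructed records. Record shape is my assumption:
#   cvss (float|None), epss (probability 0..1 or None = no EPSS scoring),
#   in_kev (bool), maintainer_false_positive (bool), withdrawn (bool).
from typing import Dict, Optional


def risk_severity(rec: Dict) -> str:
    """Return Blocker, High, Medium, Low or Info for one record."""
    # The page states that the Info criteria override the other categories,
    # so they are checked first (ordering relative to Blocker is my assumption).
    if rec.get("maintainer_false_positive") or rec.get("withdrawn"):
        return "Info"
    # Blocker: listed on the CISA KEV catalog.
    if rec.get("in_kev"):
        return "Blocker"
    cvss: Optional[float] = rec.get("cvss")
    epss: Optional[float] = rec.get("epss")
    # High: EPSS probability over 5% AND CVSS score over 7.0 (both strict).
    if epss is not None and epss > 0.05 and cvss is not None and cvss > 7.0:
        return "High"
    # Medium: (EPSS over 0.5% OR no EPSS scoring) AND CVSS score over 4.0.
    moderate_exploitability = epss is None or epss > 0.005
    if moderate_exploitability and cvss is not None and cvss > 4.0:
        return "Medium"
    # Low: everything that did not match above.
    return "Low"


# Constructed sample records (not real CVE data).
SAMPLES = {
    "kev-listed":     {"cvss": 9.8, "epss": 0.90, "in_kev": True},
    "high":           {"cvss": 8.1, "epss": 0.12, "in_kev": False},
    "boundary-cvss":  {"cvss": 7.0, "epss": 0.06, "in_kev": False},  # 7.0 is not > 7.0
    "medium-no-epss": {"cvss": 6.5, "epss": None, "in_kev": False},
    "low-quiet":      {"cvss": 7.5, "epss": 0.001, "in_kev": False},  # severe but rarely exploited
    "withdrawn":      {"cvss": 9.8, "epss": 0.90, "in_kev": False, "withdrawn": True},
}


def classify_all(samples: Dict[str, Dict] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to its computed risk severity."""
    return {name: risk_severity(rec) for name, rec in samples.items()}


if __name__ == "__main__":
    for name, sev in classify_all().items():
        print(f"{name:16} -> {sev}")
```

Note the two boundary cases: a CVSS of exactly 7.0 drops to Medium, and a high-CVSS vulnerability with negligible EPSS drops to Low.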

Prohibited license risk

The dependency risk for prohibited license risk type depends on the configuration of your instance’s license profile and policy. The What’s the risk? tab provides information about the risk associated with the license and links to relevant resources. For more information, see Managing license profiles and policies.

How can I fix it?

Vulnerability

The How can I fix it? tab displays information about dependency versions, starting with the latest, and the available fixes.

The "How can I fix it" tab for dependency risks in the SonarQube Server UI.

The following options are available:

  • Complete fix: A dependency version that fixes all associated vulnerabilities.
  • Partial fix: A dependency version that fixes the vulnerability but not all other vulnerabilities associated with the dependency.
  • Affected version: A dependency version for which the vulnerability was detected.

Prohibited license

The dependency risk for prohibited license risk type depends on the configuration of your instance’s license profile and policy. The How can I fix it? tab provides information about different license categories and links to relevant resources. In general, resolving a license risk will require choosing a different software package to use instead. For more information, see Managing license profiles and policies.

Setting a license profile and policy

Instance admins can configure a license profile and policy to define which licenses are allowed or prohibited for the dependencies used in your projects or the whole instance. For more information, see Managing license profiles and policies.

Dependency risks in quality gates

The Project overview page displays dependency risks and indicates whether they pass or fail the associated quality gate.

As a quality gate administrator, you can configure quality gate conditions for Prohibited license and Vulnerability types for new and overall code, or set limits on the number or severity of dependency risks that will cause the quality gate to fail. See Managing custom quality gates for more information.

See Understanding measures and metrics for more information about the Advanced Security metrics used in quality gates.

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.