Reviewing and fixing dependency risks
Advanced Security is only available in SonarQube Server, as an add-on starting in Enterprise Edition.
SonarQube Server lets you manage dependency risks, mark them as safe, confirmed, or accepted, and assign them to other members of your team.
Permissions
On private projects, applications, and portfolios, the following permissions apply:
- Browse: access, browse, confirm dependency risks, change assignee.
- Administer issues: change risk severity, resolve risks as Accepted or Safe.
Anyone is allowed to browse dependency risks on public projects, applications and portfolios.
Changing the status of a dependency risk requires the Administer Issues permission.
Reviewing and fixing dependency risks
Navigate to the Dependency Risks tab located under Projects, Applications and Portfolios.
Use Filters in the left side bar to narrow down the results. You can filter the results by:
- Risk type: Vulnerability and Prohibited license
- Risk severity: Blocker, High, Medium, Low, or Info
- Software quality: Security, Maintainability
- Dependency type: Direct or Transitive
- Dependency scope: Production or Development
- Package manager: See Analyzing project for dependencies for a list of supported package managers and languages.
- Status: Accepted, Confirmed, Open, Fixed, Safe
- Assignee: Type in the name of the person assigned and select it from the list.
From there, you can sort the list of results:
- by choosing the sorting criteria from the Sort by dropdown menu
- by vulnerability name by entering a vulnerability ID (such as CVE-2022-38392) into the search box
The following information is displayed for each dependency risk in the list:
- Descriptive title of the dependency risk. Click on the title to open a detailed view.
- Software quality, risk type, and severity
- Status: Open, Confirmed, Accepted, Safe
- Assignee of the risk
- Amount of time that has passed since the risk was first detected
- Affected dependency and version
Understanding the risk types
Each dependency risk has an assigned risk type:
- Vulnerability: When a third-party dependency is affected by a publicly reported vulnerability, such as a record on CVE.org
- Prohibited License: When a third-party dependency has a software license not allowed by the project's associated license profile and policy.
Changing dependency status and assigning risks
Dependency risk lifecycle
A dependency risk can have the following statuses:
- Open: Initial state of a dependency risk after analysis. The risk has not been yet reviewed.
- Confirmed: Indicates that the dependency risk has been reviewed and the risk is valid.
- Accepted: The risk is valid but it may not be fixed for a while.
- Safe: Indicates that the dependency risk does not compromise the security of the software. A mandatory justification must be provided.
To change the status of the dependency risk, click the Change Status button to open a modal. From the Status dropdown list select a new status for the risk and enter a description for the change in the Explain your decision text box.
Assigning a dependency risk
You can delegate a review of dependency risks to other team members by clicking the Unassigned dropdown menu and entering a name. You can also assign the risk to yourself.
Email notifications
If you have subscribed to email notifications for a project, note that the notifications that apply to issues also apply to dependency risks.
Detailed view
Clicking the title of the dependency risk in the list of results opens its detailed view page:
- Details of the dependency risk, including Risk type, Risk Severity, First detected, Assignee, and Status.
- What’s the Risk? and How can I fix it? allow you to review information about the dependency risk, the factors affecting the risk’s severity, and information about currently used dependency versions and fixes.
- Affected dependencies shows the dependency version that raised the risk, dependency type, package manager and the associated risks. Click the View all risks for this dependency for a full list.
What’s the risk?
Sonar uses a holistic approach to determine the severity of a dependency risk. The methods used depend on the associated risk type.
Vulnerability risk
The risk evaluation is based on the following factors:
- Severity: Evaluates the technical severity of a vulnerability based on an assessment by CVSS.
- Known exploited: Shows if the risk has been actively exploited in the wild. It’s measured by KEV.
- Chance of future exploitation: Estimates the likelihood (percentage) of a software vulnerability being exploited in the wild over the next 30 days. It’s measured by EPSS.
Sonar combines these factors to assign a severity to a discovered vulnerability to ensure that developers are prioritizing the most urgent risk in their applications.
Following is a list of the severity levels and their definitions.
| Risk severity | Definition |
| Blocker | A vulnerability is on the CISA KEV list. |
| High | Vulnerability has both:
|
| Medium | Any other vulnerability that has both:
|
| Low | Any remaining vulnerability that does not fit into another category. |
| Info | Any of the following is true:
Note: this categorization for Info overrides any criteria that would place the risk into Critical, High, or Low severity. |
Prohibited license risk
The dependency risk for prohibited license risk type depends on the configuration of your instance’s license profile and policy. The What’s the risk? tab provides information about the risk associated with the license and links to relevant resources. For more information, see Managing license profiles and policies.
How can I fix it?
Vulnerability
The How can I fix it? tab displays information about dependency versions, starting with the latest, and available fixes.
The following options are available:
- Complete fix: A dependency version that fixes all associated vulnerabilities.
- Partial fix: A dependency version that fixes the vulnerability but not all other vulnerabilities associated with the dependency.
- Affected version: A dependency version for which the vulnerability was detected.
Prohibited license
The dependency risk for prohibited license risk type depends on the configuration of your instance’s license profile and policy. The How can I fix it? tab provides information about different license categories and links to relevant resources. In general, resolving a license risk will require choosing a different software package to use instead. For more information, see Managing license profiles and policies.
Setting a license profile and policy
Instance admins can configure a license profile and policy to define which licenses are allowed or prohibited for the dependencies used in your projects or the whole instance. For more information, see Managing license profiles and policies.
Dependency risks in quality gates
The Project overview page displays dependency risks and indicates whether they pass or fail the associated quality gate.
As a quality gate administrator, you can configure quality gate conditions for Prohibited license and Vulnerability types for new and overall code, or set limits on the number or severity of dependency risks that will cause the quality gate to fail. See Managing custom quality gates for more information.
If your organization has recently purchased the Advanced Security package, you will have to create a custom quality gate to make sure no new dependency risks are introduced in your projects.
See Understanding measures and metrics for more information about Advanced Security metrics used in quality gates.
Related pages
Was this page helpful?
© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
