Start Free
Latest | Project administration | Managing dependencies

Managing dependencies

On this page

Viewing the list of dependencies for a project Reviewing and fixing dependency risks Getting the software bill of materials (SBOM) for your project Customizing the dependency analysis Troubleshooting

SonarQube Server can perform software composition analysis (SCA). When you analyze a project, SonarQube Server lists its dependencies and the dependency risks raised during analysis (if any). You can also export the software bill of materials (SBOM) for your project.

Dependency analysis is available for the following languages: 

  • JavaScript/TypeScript
  • Java (Maven, Gradle)
  • Python
  • C# / .NET

Viewing the list of dependencies for a project

After you analyze a project, a list of dependencies becomes available in the SonarQube Server UI under the Dependencies tab. It is updated with each analysis. 

The following information is displayed for each dependency:

  • Name
  • Version
  • Location in the project
  • Package manager
  • License
  • Whether it is used at runtime or during development

Click on a dependency in the list to get a detailed view page for that dependency. 

About dependency chains

Because your project can be built using components that are themselves built using other components, a dependency can be direct or transitive

For example In a Project > Component 1  > Component 2 scenario: 

  • the dependency between Project and Component 1 is direct 
  • the dependency between Project and Component 2 is transitive because Component 1 is built using Component 2

In the SonarQube Server UI, the detailed view of a dependency lets you know if it is direct or transitive. If it is transitive, the full path to the dependency is displayed.

Reviewing and fixing dependency risks

From your project’s page, go to the Dependency risks tab to see the list of dependency risks for your project. From there, you can Sort dependency risks and apply Filters.

Each dependency risk has an assigned type and severity.  

Clicking a dependency risk in the list opens its detailed view. From there: 

  • the Affected dependency section provides details on the dependency that raised the risk
  • the What is the Risk? tab gives you more information about the dependency risk
  • the How can I Fix it? tab lists the known dependency versions and indicates if upgrading to that version will partially or completely fix the dependency issue

How Sonar evaluates dependency risk priority

Sonar uses a holistic approach to determine the severity of a dependency risk. The evaluation is based on four factors:

  • Risk - how bad is the vulnerability
  • Evidence of exploitability - has it been seen to be exploited
  • Predicted exploitability - is it likely to be exploited in the future

Sonar combines these factors to assign a severity to a discovered vulnerability. The table below lists the severity levels and their definition.

Sonar dependency risk severityDefinition
Blocker
  • A vulnerability is on the CISA KEV list


High
  • Vulnerability has both:
    • High exploitability (an EPSS probability greater than 5%)
    • High risk (a CVSS score over 7.0)
Medium
  • Any other vulnerability that has both:
    • Moderate or unknown exploitability (an EPSS probability greater than 0.5%, or no EPSS scoring)
    • Moderate risk (a CVSS score over 4.0)
Low
  • Any remaining vulnerability that does not fit into another category
Info

Any of the following is true:

  • A Tidelift or Sonar partnered maintainer has declared the vulnerability a false positive
  • The vulnerability has been declared as “withdrawn” by a vulnerability source (NIST, OSV)

Note: this categorization for “Info” overrides any criteria that would place the issue into Critical/High/Low


Getting the software bill of materials (SBOM) for your project

About SBOMS

A software bill of materials (SBOM) is an inventory of components your project is built with, including details such as the component name, version, and license. 

Because your project depends on these components to build and run your software, getting the SBOM for a project is a key element in the remediation of dependency risks. 

SBOMs are used to track and prioritize known security problems and remediation timelines. Compliance teams can use SBOMs as an index to keep an inventory of licenses in use. Developers can use SBOMs to manage dependencies. All of this creates greater interoperability and efficiency within an organization. It is a shared language for all of these teams that can be passively generated and maintained based on application builds.

Sonar supports exporting an SBOM in both major SBOM formats: Software Package Data Exchange (SPDX) and CycloneDX.

Exporting the SBOM for your project

From your project’s overview page and the Dependencies tab, you can click the Export SBOM button to download a SBOM file that corresponds to the project dependencies for the branch that you’re viewing.

SBOMs are available in the CycloneDX and SPDX formats, in both XML and JSON form.

Customizing the dependency analysis

The following parameters have an influence on the results of the dependency analysis.

ParameterTypeDefaultDescription
sonar.sca.enabledBooleantrueWhether to perform Software Composition Analysis (SCA) on this project. Set it to false to disable SCA for this project.
sonar.sca.debugBooleanfalseEnables debug output from the scanner without having to enable debugging at the server level. 
sonar.sca.excludedManifestsString<unset>

A comma-separated list of glob patterns of paths to not include as part of analysis.

For example, to ignore all manifests under the  tests/ and  fixtures/ directories, set:

sonar.sca.excludedManifests = “tests/**, fixtures/**”


sonar.sca.recursiveManifestSearchBooleantrue

Whether to search the entire project tree for manifest files such as pom.xml or packages.json.

Recursive search may pick up unintended manifests, such as manifests in test cases. If so, either disable this option, or use this option in conjunction with sonar.sca.excludedManifests

sonar.sca.allowManifestFailuresBooleantrue

When performing analysis, Sonar will attempt to run your build tools (such as Maven or Gradle) to create a full dependency graph. 

By default, Sonar will not fail the analysis if these tools fail, and will return information on a limited set of dependencies. Set sonar.sca.allowManifestFailures to false to force a failure in this scenario.

sonar.sca.goNoResolveBooleanfalseDisables trying to automatically resolve a Go lock file.
sonar.sca.mavenNoResolveBooleanfalseDisables trying to automatically resolve a Maven lock file and dependency graph file.
sonar.sca.mavenForceDepPluginBooleantrueTry to ensure Maven Dependency Plugin is installed even when it’s not available in the environment.
sonar.sca.mavenIgnoreWrapperBooleanfalseDisables looking for a Maven wrapper script mvnw. Set this to true if the default maven wrapper in your PATH is not functioning.
sonar.sca.mavenOptionsString<unset>Sends additional options to any Maven commands used to generate the lock file and dependency graph file.
sonar.sca.gradleNoResolveBooleanfalseDisables automatically generating a Gradle dependencies lock file.
sonar.sca.gradleConfigurationPatternString<unset>Java regex of configurations to include, passed to gradle via -PconfigurationPattern. When unset, all configurations will be resolved.
sonar.sca.pythonBinaryString/usr/bin/pythonPath to the specific Python binary that should be used if lock files need to be generated.
sonar.sca.pythonNoResolveBooleanfalseDisables automatically generating a Python lock file
sonar.sca.pythonResolveLocalBooleanfalse

When generating a python lockfile, dependency resolution will be done in a temporary virtual environment. 

Set this to true to skip creation of the virtual environment and resolve against the local python environment.

sonar.sca.npmNoResolveBooleanfalseDisables automatically generating a lock file for an NPM project when yarn.lock or package-lock.json are not present.
sonar.sca.npmEnableScriptsBooleanfalseBy default, when generating a lockfile, the --ignore-scripts NPM/Yarn option is passed to ignore any prep scripts. If prep scripts are needed to properly generate dependencies, enable this option.
sonar.sca.nugetNoResolveBooleanfalseDisables automatically generating a lock file for a Nuget project.

Troubleshooting

Docker installation

You may need to update the container and add sonar.sca.available=true to /opt/sonarqube/conf/sonar.properties, either via building a new derived image, or by mounting a volume at that point that has an updated sonar properties file.

“Dependency analysis: Unable to connect to SCA service” warning

Sonar will raise warnings when dependency analysis fails. If you see “Unable to connect to SCA service” warning, that means Sonar was unable to authenticate to the SCA service for analysis. To prevent analysis from failing:

  • ensure that api.sonarcloud.io and scanner.sonarcloud.io are reachable from your SonarQube Server
  • ensure that you have properly onboarded your ServerID for early access

Unable to see Dependencies and Dependency Risks unless logged in

If you have public projects on your servers, you will not be able to see Dependencies and Dependency Risks unless you are logged into your SonarQube Server environment. This restriction will be lifted with the General Access release.

Unknown lifecycle phase error

When analyzing some java projects, you may get an error that says "there was a problem running mvn dependency:tree, and the following message in the details of the error:

 [ERROR] Unknown lifecycle phase "/some/path/.m2".

This is due to a conflict between a MAVEN_CONFIG environment variable that was present during analysis and the mvnw maven wrapper in your project directory. You can solve this by doing one of the following:

  • unset the MAVEN_CONFIG environment variable
  • update the maven wrapper in your repository by running ./mvnw wrapper:wrapper, and commit the result
  • force the use of `mvn` instead of the wrapper by setting the sonar.sca.mavenIgnoreWrapper property to true

Maven Tycho project components are listed as dependencies

If your Maven project uses Tycho to build Eclipse plug-ins, some components that belong to your project might be categorized as dependencies and appear in the Dependencies tab of your project. 

To prevent this from happening, you can use the sonar.sca.mavenOptions property with -Dtycho.target.eager=true set as its value. For example, in your pom.xml file:

<properties>
<sonar.sca.mavenOptions>-Dtycho.target.eager=true</sonar.sca.mavenOptions>
</properties>

Was this page helpful?

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License