Managing dependency risks with SCA

Time to complete icon1 hour to complete

Overview

This course is designed to help you understand how to address dependency risks found in your code using SonarQube Advanced Security. It provides step-by-step guidance on how to view, assess, and remediate security vulnerabilities, malicious packages, and licensing risks detected in your code.

Learning objectives

After completing this course, you’ll be able to:

  • Identify common security vulnerabilities.
  • Prioritize dependency risks based on severity.
  • Interpret dependency risk severity scores.
  • Identify the exact path of a dependency.
  • Take steps to remediate a vulnerability.
  • Take steps to address a malicious package.
  • Take steps to address open-source licensing risks.
  • Manage dependency risks in your IDE.
  • Create a Software Bill of Materials (SBOM).
  • Generate a risk report.

Key topics

  • Viewing and filtering dependency risks
  • Assessing risk scores
  • Direct and transitive dependencies
  • Maintainer insights
  • Using SonarQube for IDE
  • Leveraging SBOMs
  • Dependency risk reports

Target audience

  • Developers
  • Engineering leaders
  • Analysts

Prerequisites

  • To use, you need one of the following:
    • SonarQube Server, Enterprise edition or Data Center edition (2025.4 LTA or later)
    • SonarQube Cloud, Enterprise plan
  • Active SonarQube Advanced Security license
  • Administration permissions in SonarQube
  • Required languages to support dependency analysis
  • Java 17 or later to run SonarScanner
  • Network connectivity